[CentOS-devel] may Centos be vulnerable to this bug?

Fri Mar 2 20:33:18 UTC 2007
Roger Peña <orkcu at yahoo.com>

--- Johnny Hughes <mailing-lists at hughesjr.com> wrote:

> On Fri, 2007-03-02 at 09:39 -0800, Roger Peña wrote:
> > --- Roger Peña <orkcu at yahoo.com> wrote:
> > 
> > > As this bugtrack says, "binaries from redhat" are not
> > > vulnerable, but what happens to recompilations?
> > >
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219
> > > 
> > > I understand that it is the compilation process that
> > > makes this bug not exploitable and not the source code,
> > > so the question is:
> > > is the httpd binary from centos exploitable?
> > > 
> > > 
> > > I could not find any reference on the web about this
> > > topic.
> > > Maybe I should ask on the centos-user mailing list,
> > > but because it is a compilation thing ..... I guess
> > > centos developers are the right ones to answer
> > > 
> > sorry, I forgot to mention that I did test the
> > following "proof of concept" test:
> > 
> > http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
> > 
> > and httpd-2.0.52-28.ent.centos4 gives the "302 Found"
> > page, so at least with that test I could not prove whether
> > it is vulnerable or not
> > 
> 
> If it did do a "302 Found" ... then it is not vulnerable:
> 
> from the article:
> 
> "If your web server doesn't reply you with a '302 Found' page or a
> Segmentation Fault appears in your error_log, an apache child has
> crashed and your web server is vulnerable and exploitable."
> 
> So a 302 found is good.
> 
yes, I know it is good

but I can't see why this is a sufficient condition to
say "not vulnerable".
Of course, what I can see is that if I got another
page or caused a fault then I could say "it is vulnerable"

do you see my point? ;-)
I think it is not a two-way relation: if A implies B, that does
not mean B implies A

but I am not saying that centos binaries are
vulnerable!!! just that I can't find an explanation
to say "not vulnerable" because upstream is not.

also, I have not had the time yet to verify what
the following fix to mod_rewrite is:

* Tue Jun 20 2006 Joe Orton <jorton at redhat.com> 2.0.52-26.ent

- add mod_rewrite ldap scheme handling fix

does anybody know if this is the source code fix for
this vulnerability (backported)?
the date of this fix is before the date of the redhat
bugtrack and before the CVS assignment (20060720)
so it looks unrelated, but I could be wrong...


thanks
roger
PS: I guess this is the first time I can see the
difference that some people try to stress when they
say: "they are not RHEL clones, they are recompilations"

__________________________________________
RedHat Certified Engineer ( RHCE )
Cisco Certified Network Associate ( CCNA )



 