[CentOS-devel] may Centos be vulnerable to this bug?

Fri Mar 2 21:12:23 UTC 2007
Roger Peña <orkcu at yahoo.com>

--- Roger Peña <orkcu at yahoo.com> wrote:

> --- Johnny Hughes <mailing-lists at hughesjr.com> wrote:
> 
> > On Fri, 2007-03-02 at 09:39 -0800, Roger Peña wrote:
> > > --- Roger Peña <orkcu at yahoo.com> wrote:
> > > 
> > > > As this bugtrack says, "binaries from redhat" are not
> > > > vulnerable, but what happens to recompilations?
> > > >
> > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=200219
> > > > 
> > > > I understand that it is the compilation process that
> > > > makes this bug not exploitable and not the source code,
> > > > so the question is:
> > > > is the httpd binary from centos exploitable?
> > > > 
> > > > I could not find any reference on the web about this
> > > > topic.
> > > > Maybe I should ask on the centos-users mailing list,
> > > > but because it is a compilation thing ..... I guess
> > > > the centos developers are the right ones to answer.
> > > > 
> > > Sorry, I forgot to mention that I did test the
> > > following "proof of concept" test:
> > > 
> > > http://www.securityfocus.com/archive/1/archive/1/443870/100/0/threaded
> > > 
> > > and httpd-2.0.52-28.ent.centos4 gives the "302 Found"
> > > page, so at least with that test I could not prove
> > > whether it is vulnerable or not.
> > > 
> > 
> > If it did do a "302 Found" ... then it is not vulnerable:
> > 
> > from the article:
> > 
> > "If your web server doesn't reply you with a '302 Found' page or a
> > Segmentation Fault appears in your error_log, an apache child has
> > crashed and your web server is vulnerable and exploitable."
> > 
> > So a 302 found is good.
> > 
> Yes, I know it is good,
> 
> but I can't see why this is a sufficient condition to
> say "not vulnerable".
> Of course, what I can see is that if I got another
> page or caused a fault, then I could say "it is
> vulnerable".
> 
> But I am not saying that the centos binaries are
> vulnerable!!! Just that I can't find an explanation
> to say "not vulnerable" because upstream is not.
> 
> Also, I have not had the time yet to verify what the
> following fix to mod_rewrite is:
> 
> * Tue Jun 20 2006 Joe Orton <jorton at redhat.com> 2.0.52-26.ent
> 
> - add mod_rewrite ldap scheme handling fix
> 
> Does anybody know if this is the source code fix for
> this vulnerability (backported)?
> The date of this fix is before the date of the redhat
> bugtrack and before the CVE assignment (20060720),
> so it looks unrelated, but I could be wrong...

Well, it looks like a patch for the vulnerability,
without having seen the source code yet, from the release
changelog for httpd-2.0.59:

Changes with Apache 2.0.59

  *) SECURITY: CVE-2006-3747 (cve.mitre.org)
     mod_rewrite: Fix an off-by-one security problem in the ldap scheme
     handling.  For some RewriteRules this could lead to a pointer being
     written out of bounds.  Reported by Mark Dowd of McAfee.
     [Mark Cox]

I guess Joe Orton from redhat released a patch a month
before public disclosure of the vulnerability, or just
made a mistake (typo) when writing the redhat httpd
changelog ;-)

So, right now I can "rest in peace" knowing that
centos is not vulnerable because it has the fix (until
somebody says the contrary :-) )
;-)

Thanks anyway, Johnny.
I was in a hurry tracking this down for a client.

cu
roger

__________________________________________
RedHat Certified Engineer ( RHCE )
Cisco Certified Network Associate ( CCNA )
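Added example, not part of the thread above and not Apache's source: a small C model of the class of bug the 2.0.59 changelog entry describes, a fixed array of pointers to the '?'-separated fields of an ldap:// rewrite target, filled by a loop whose guard lets the loop store one entry past the array. The five-slot array, the loop shape and the one-line guard change are assumptions made for the illustration; the out-of-bounds store is intercepted and reported rather than performed, so the program stays well defined and the vulnerable and fixed guards can be compared side by side. The sample URI is constructed.

```c
/*
 * Illustrative model of an off-by-one in '?'-separated ldap-URL field
 * handling, in the shape the 2.0.59 changelog describes (CVE-2006-3747).
 * NOT Apache's code: NTOKENS, the loop and the guard change are assumptions.
 * The overrunning store is intercepted and reported instead of executed.
 */
#include <stdio.h>
#include <string.h>

#define NTOKENS 5                 /* assumed: slots for the fields of an ldap URL */

struct ldap_split {
    char  buf[256];               /* private copy of the URI; '?' becomes NUL */
    char *token[NTOKENS];         /* token[i] points at the i-th field */
    int   count;                  /* number of '?' separators consumed */
    int   oob_index;              /* -1, or the token index a store overran */
};

/*
 * Split `uri` at '?' into s->token[], consuming at most `guard` separators.
 * guard == NTOKENS reproduces the bug: the guard is tested before the
 * increment, so c reaches NTOKENS and token[NTOKENS] would be written.
 * guard == NTOKENS - 1 is the corrected form: at most NTOKENS - 1 separators
 * are consumed, the last slot keeps the remainder, and no store can overrun.
 * Returns 0 for a clean split, 1 if an out-of-bounds store was intercepted,
 * -1 if the input does not fit the buffer.
 */
static int split_ldap(struct ldap_split *s, const char *uri, int guard)
{
    char *cp;
    int c = 0;

    s->count = 0;
    s->oob_index = -1;
    memset(s->token, 0, sizeof s->token);
    if (strlen(uri) >= sizeof s->buf)
        return -1;
    strcpy(s->buf, uri);

    s->token[0] = cp = s->buf;
    while (*cp && c < guard) {
        if (*cp == '?') {
            ++c;                      /* models token[++c] = cp + 1 */
            *cp = '\0';
            if (c < NTOKENS)
                s->token[c] = cp + 1;
            else
                s->oob_index = c;     /* the vulnerable loop stores here */
        }
        ++cp;
    }
    s->count = c;
    return s->oob_index < 0 ? 0 : 1;
}

/* Vulnerable guard: index of the overrunning store, or -1 if none. */
int vuln_oob_index(const char *uri)
{
    struct ldap_split s;
    split_ldap(&s, uri, NTOKENS);
    return s.oob_index;
}

/* Fixed guard: index of the overrunning store, or -1 if none. */
int fixed_oob_index(const char *uri)
{
    struct ldap_split s;
    split_ldap(&s, uri, NTOKENS - 1);
    return s.oob_index;
}

/* Fixed guard: how many separators were consumed. */
int fixed_token_count(const char *uri)
{
    struct ldap_split s;
    split_ldap(&s, uri, NTOKENS - 1);
    return s.count;
}

/* 1 if the fixed split leaves exactly `expect` in the last slot, else 0. */
int fixed_last_token_is(const char *uri, const char *expect)
{
    struct ldap_split s;
    split_ldap(&s, uri, NTOKENS - 1);
    return s.token[NTOKENS - 1] != NULL && strcmp(s.token[NTOKENS - 1], expect) == 0;
}

int main(void)
{
    /* Constructed input: five '?' separators, one more than the array has room for. */
    const char *uri = "ldap://host/dn?attr?scope?filter?ext?extra";
    struct ldap_split s;

    printf("vulnerable guard: out-of-bounds store at token[%d]\n", vuln_oob_index(uri));
    split_ldap(&s, uri, NTOKENS - 1);
    printf("fixed guard:      oob=%d, %d separators consumed, last slot = \"%s\"\n",
           s.oob_index, s.count, s.token[NTOKENS - 1]);
    return 0;
}
```

The point of the comparison is the one Roger was after: the same input reaches the same array with both guards, and only the bound decides whether the fifth separator produces a store past the end. With a compiled httpd that is exactly what you cannot see from a 302 alone, which is why checking that the package changelog carries the ldap scheme fix is the better evidence.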
