Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 18 Oct 2012 13:13:55 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Breno Silva <breno.silva@...il.com>
CC: Jan Lieskovsky <jlieskov@...hat.com>, oss-security@...ts.openwall.com,
        Matthias Weckbecker <mweckbecker@...e.de>, security@...security.org
Subject: Re: CVE request: Fwd: [Full-disclosure] SEC Consult
 SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2012 06:41 AM, Breno Silva wrote:
> Hello Jan,
> 
> Yes i can confirm the issue and the patch.
> 
> Thanks
> 
> Breno
> 
> On Thu, Oct 18, 2012 at 3:58 AM, Jan Lieskovsky
> <jlieskov@...hat.com <mailto:jlieskov@...hat.com>> wrote:
> 
> Hi Kurt, Breno,
> 
> ----- Original Message ----- -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA1
> 
> On 10/17/2012 02:47 AM, Matthias Weckbecker wrote:
>> Hi Steve, Kurt, vendors,
>> 
>> this flaw looks slightly different from the last one and 
>> apparently has not got a CVE yet.
>> 
>> ----------  Forwarded Message  ----------
>> 
>> Subject: [Full-disclosure] SEC Consult SA-20121017-0 :: 
>> ModSecurity multipart/invalid part ruleset bypass Date:
>> Wednesday 17 October 2012 From: SEC Consult Vulnerability Lab 
>> <research@...-consult.com <mailto:research@...-consult.com>> To:
> full-disclosure@...ts.grok.org.uk 
> <mailto:full-disclosure@...ts.grok.org.uk>,
>> bugtraq@...urityfocus.com <mailto:bugtraq@...urityfocus.com>
>> 
>> SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
>> 
> =======================================================================
>
> 
> 
>> 
>> 
>> title: ModSecurity multipart/invalid part ruleset bypass product:
>> ModSecurity vulnerable version: <= 2.6.8 fixed version: 2.7.0 CVE
>> number: - impact: Depends what you use it for homepage: 
>> http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard
>> Mueller SEC Consult Vulnerability Lab
>> https://www.sec-consult.com
>> 
> =======================================================================
>
> 
> 
>> Looking
>> 
>> 
>> through
>> 
>> 
> https://www.modsecurity.org/tracker/secure/ReleaseNote.jspa?projectId=10000&version=10100
>
> 
> 
>> Is this https://www.modsecurity.org/tracker/browse/MODSEC-155
> 
> I am not sure this is related since it is closed with resolution 
> 'Cannot Reproduce'.

Yeah I was thinking they might have buried it, never thought to check
the source changelog (assumed the online one was sufficient. sigh).

> 
> Based on Changes: [1] 
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES
>
>  I would say this is: "* Added MULTIPART_INVALID_PART flag. Also
> used in rule id 200002 for multipart strict"
> 
> with relevant upstream commit being: [2] 
> http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081
>
>  but Cc-in Breno Silva to definitely confirm this yet.
> 
> Breno, could you please confirm / disprove that the patch [2] is 
> upstream patch for issue: [3]
> http://www.openwall.com/lists/oss-security/2012/10/17/1 ?
> 
> And if it's not the correct one, provide an explicit revision link
> to the proper one?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team


Please use CVE-2012-4528 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQgFTzAAoJEBYNRVNeJnmTzK8QALJx/zc849kCqf+hFnkLL9kz
oiYQvwRLtNHw3ygEGCsl/VP87ixW+8n1DxQSuL/a3U0jY+4D6woujoJ6S2w0Hreh
7boe+m9AdhrakrsuXZTOSmKZePDuO5xQM3Q+oo2/5z3u8JnPgm1gEB07pzSxfFDa
+nKcaioisXy/VCc9TFtleiie47t2i9ypgajNSNOFjCn3WL3UmO9SBWRveAW+0BAU
XmQuKnH/ZTa5xMRdnu/RvT9uQtMjrwDY/sl7snBGTOVsZ+xHcJ4a4gEJllqPvjHk
NJVNrz5wEXsvfrJt20TW9tP/d1yHfHFinM0KxYswP1GmZ2qhYc2dOqTUFDQunUAo
RsWzp32Bs11o3eiK5v7RFct7mA/SYCjzaj6AfJi07XgY98xRc3ov22PkuTtQ8Sq3
cLM1xeLj89eyBZp5rGrgfj/dtCeuASmWvZDPE4JAz+fKDv5jwXp0cn7JzqYXf+mN
YjszGPX94oDKiih76aylMcp50hYbsdWPaKK/L1tpEV+nzTRLVMFIJ+jgaY/jhBJH
m48sKMPh3F1WE7DdtWYcGD3xLYlk1QjYP1DmkcO9YEH4TT2+qqnkyMBayMCY8Roa
w8dIu6Az/yQQUevmYaJu2+o6v1dUmyBKknWrV6iyA7zqV6YVCXmvQZX9HBkSV84H
bPGFFZBbfOsFX1FGfXNm
=yVSP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ