Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 04 Aug 2015 22:56:12 +0000
From: Jason Buberel <jbuberel@...gle.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: oss-security@...ts.openwall.com, 
	"cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: CVE Request - Go net/http library - HTTP smuggling

Florian,

We believe that this is a potentially exploitable issue.  We would like a
CVE-ID in order to release a 1.4.3 build that has the fixes applied to the
current stable release (1.4.2) for linux distro coordination.

Commits have been made to the Go master branch to fix the problem:

https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e

Additional background on the exploit, as provided by the reporter:

net/http problems
------------------

* Double Content-length headers in a request does not generate a 400 error,
the second Content-length is ignored
* Invalid headers are parsed as valid headers (like "Content Length:" with a
space in the middle)

Exploitations
--------------

In a situation where the net/http agent HTTP communication with the final
http clients is using some reverse proxy (reverse proxy cache, SSL
terminators, etc), some requests can be made exploiting the net/http HTTP
protocol violations.

The goal of theses requests will be either:
 * to bypass security controls on theses previous elements
 * to perform some cache poisoning on these elements
 * to alter the request/response map on these previous elements (for DOS),
see for example this apache 2.4 issue:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832


On Wed, Jul 29, 2015 at 12:51 PM Jason Buberel <jbuberel@...gle.com> wrote:

> Forian,
>
> We do have a security@...ang.org alias, and a proposal for a more formal
> security review process <https://github.com/golang/go/issues/11502>, but
> I agree that the process isn't clear enough currently.
>
> In this particular case, the reporter sent a messages to go-dev@...ang.org.
> That was then forwarded to me for handling.
>
> And I agree on the bundling. Is there another specific issue that you're
> tracking? Feel free to contact me directly - jbuberel@...gle.com.
>
> -jason
>
> On Wed, Jul 29, 2015 at 12:16 PM Florian Weimer <fweimer@...hat.com>
> wrote:
>
>> On 07/29/2015 05:15 PM, Jason Buberel wrote:
>> > Hello OSS Security Community,
>> >
>> > The Go open source project has received notification of an HTTP request
>> > smuggling vulnerability in the net/http library (
>> > http://golang.org/pkg/net/http/). The vulnerability was identified in
>> the
>> > 1.4.2 release version (http://golang.org/dl) and in the 1.5 release
>> branch.
>>
>> How does one report such things?
>>
>> Due to lack of published security contact information, I contacted the
>> de-facto subsystem maintainer about the issue, but I have been ignored.
>>
>> (It would be nice to be able to bundle such security updates as far as
>> possible, to avoid recompiling everything constantly.)
>>
>> --
>> Florian Weimer / Red Hat Product Security
>>
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ