Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 17:15:44 -0400 (EDT)
From: cve-assign@...re.org
To: mprpic@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Potential CVE request: flaw in comment handling

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> we were notified of a flaw in the way Apache's mod_access_compat and
> mod_authz_host handled comments in configuration files. When a comment
> was defined on the same line that contained an "Allow" directive,
> any potential IP ranges in that comment were also allowed to access
> a resource.

> Reproducer:
> ...
> Allow from 127.0.0.1 # not 10

> This flaw was fixed in:
> 
> https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66
> 
> The docs do specify that comments are not allowed on the same line:
> 
> "There must be no other characters or white space between the backslash and the end of the line."
> [https://httpd.apache.org/docs/2.2/configuring.html#syntax]

This doesn't seem to be the applicable documentation for your
reproducer. The documentation says:

   Lines that begin with the hash character "#" are considered
   comments, and are ignored. Comments may not be included on the same
   line as a configuration directive.

> MITRE, does this qualify for a CVE?

We can't make that decision without knowing the perspective of the
upstream vendor. Because the upstream vendor has a process for
assigning CVE IDs, we feel it would be simplest and best here to use
that process, even if it is often not used in cases of publicly known
vulnerabilities. See the security@...che.org address on the
http://www.apache.org/security/committers.html page. It's their
decision on how to proceed; possibilities include:

  - no CVE because the behavior with a # character is undefined

  - a single CVE for both because they intended "Comments may not be
    included" to only mean that a syntax error would be reported

  - a CVE only for mod_authz_host because they had actually wanted to
    support # comments for that one

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVMCXsAAoJEKllVAevmvmsx1AH/ivWmhJm1RAzVk1H8bWQLfio
aNk5M1NI4wV6iS4P3SpK5xd5oahAiQNb25bxFiqQTIVys+Q3dvhDroG6ZsiNxmKJ
SaR2wRYIHsZmsmjkqxqyuH3KATtXsekzYF1kob0PhGvgL8BFbgqtQorZacYUZpjv
yHMXMaSJrSLa8+yMRRcpoLvL7IKZdf8yvh2LUSIp6lvn2qtvNSk7UbB4I23ummiE
2bhUn0EhaVBqoDIOdbMi9uTGj25oJLdzHhHbNvfOxEbKS1hSTCRy5c/PbBxSslC8
J6a0OqCXUJ5zv7jixaLO/jlcJbdrM0YYlK+yZ6wc5W1K887TiJosKKr1Lgo38+U=
=Wu5Y
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.