Bug 51219

Summary: apr_fnmatch infinite loop on pattern "/*/WEB-INF/"
Product: APR
Reporter: Chris <christian.roue>
Component: APR
Assignee: Apache Portable Runtime bugs mailinglist <bugs>
Status: RESOLVED FIXED    
Severity: regression    
Priority: P1    
Version: HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
URL: http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/fnmatch.c.diff?r1=text&tr1=1.22&r2=text&tr2=1.24

Description Chris 2011-05-18 13:07:04 UTC
After the last apr update on Debian 5&6 / i386 for CVE-2011-0419 we observed multiple of our apache servers running 100%+ CPU randomly.

We identified the function going into an infinite loop to be apr_fnmatch, trying to match pattern '/*/WEB-INF/' against any non-matching URI.

This pattern is matched due to the following directive in our .conf:

<Location "/*/WEB-INF/">
  deny from all
</Location> 

Problem was reproduced with Apache apr-1.4.4 recompiled from sources adding the extra testcase (testfnmatch.c):

    {"/*/WEB-INF/", "/wontmatch",       FAIL},

Problem doesn't exist in apr-1.3.12.

Debian patch is apparently a back port of new code in 1.2/1.4 for Deb 5/6

Debian patch info: http://packetstormsecurity.org/files/view/101435/dsa-2237-1.txt

Chris
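
A regression test for the case reported above should fail on a deadline rather than hang the test run. The following is an added example, not code from APR or from this report: it runs a matcher in a child process under alarm() and reports a call that never returns as HUNG. The names match_with_deadline, spinning_matcher and the result codes are hypothetical, and libc fnmatch() is an assumed stand-in for apr_fnmatch(), which takes the same arguments.

```c
#include <fnmatch.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum { MATCHED = 0, NOMATCH = 1, HUNG = 2, HARNESS_ERROR = 3 };

/* Same argument shape as fnmatch(3) and apr_fnmatch(); 0 means "matched". */
typedef int (*match_fn)(const char *pattern, const char *string, int flags);

/* Run one match in a child with a wall-clock deadline (hypothetical helper).
 * A call that never returns is killed by SIGALRM and reported as HUNG. */
static int match_with_deadline(match_fn fn, const char *pattern,
                               const char *string, int flags, unsigned seconds)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return HARNESS_ERROR;
    if (pid == 0) {
        signal(SIGALRM, SIG_DFL);   /* default action terminates the child */
        alarm(seconds);
        _exit(fn(pattern, string, flags) == 0 ? MATCHED : NOMATCH);
    }
    if (waitpid(pid, &status, 0) != pid)
        return HARNESS_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? HUNG : HARNESS_ERROR;
    return WIFEXITED(status) ? WEXITSTATUS(status) : HARNESS_ERROR;
}

/* Constructed stand-in for a matcher that stops making progress. */
static int spinning_matcher(const char *p, const char *s, int flags)
{
    volatile unsigned spin = 0;
    (void)p; (void)s; (void)flags;
    for (;;)
        spin++;
}

int main(void)
{
    /* Pattern and URI from the report; libc fnmatch() is the assumed stand-in. */
    int r = match_with_deadline(fnmatch, "/*/WEB-INF/", "/wontmatch", 0, 2);
    printf("fnmatch: %d, spinning matcher: %d\n", r,
           match_with_deadline(spinning_matcher, "/*/WEB-INF/", "/wontmatch", 0, 1));
    return r == NOMATCH ? 0 : 1;
}
```

To exercise APR itself, pass apr_fnmatch in place of fnmatch and link against the APR build under test.
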
Comment 1 Chris 2011-05-19 10:22:27 UTC
Bug reported to debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Comment 2 Maksymilian 2011-05-21 07:06:15 UTC
Instead of changing the algorithm, it is better to add a recursion limit and set it to 64 (not bigger). I see only one recursive call inside apr_fnmatch:

    while (apr_dir_read(&finfo, APR_FINFO_NAME, dir) == APR_SUCCESS) {
        if (apr_fnmatch(pattern, finfo.name, 0) == APR_SUCCESS) {

so it is better to limit this call than to change the algorithm.
Comment 3 Stefan Fritsch 2013-03-24 07:46:56 UTC
This is fixed in 1.4.5