
Bug#501497: marked as done (apache2-utils: htpasswd may block indefinitely on /dev/random)



Your message dated Tue, 07 Oct 2008 22:32:06 +0000
with message-id <E1KnL66-0005lp-He@ries.debian.org>
and subject line Bug#501497: fixed in apr 1.2.12-5
has caused the Debian Bug report #501497,
regarding apache2-utils: htpasswd may block indefinitely on /dev/random
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
501497: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=501497
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2-utils
Version: 2.2.9-7
Severity: minor

Greetings,

Having recently upgraded from a relatively old apache 1.3-era package I have found
a quick script I wrote to periodically synchronise passwords had become unreliable.
Further investigation reveals that htpasswd invoked from this script around 50 times
blocks for long periods.  It previously took trivial time (very much less than one
second).  Running strace, I see:

  $ strace htpasswd -c -b testfile testuser testpass
  [much output]
  getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
  uname({sys="Linux", node="gamma", ...}) = 0
  brk(0)                                  = 0x804c000
  brk(0x806d000)                          = 0x806d000
  stat64("testfile", 0xbfb4f970)          = -1 ENOENT (No such file or directory)
  open("testfile", O_WRONLY|O_CREAT|O_LARGEFILE, 0666) = 3
  close(3)                                = 0
  open("/dev/random", O_RDONLY)           = 3
  read(3, 

Clearly I'm entropy-starved.  However, I'd question whether a tool such as htpasswd
cannot do with /dev/urandom.  Delving into the code, it uses it to seed rand(3) so
it clearly does not use /dev/random for any purpose where pure entropy is required.  
Previously it had used time(2) -- this change to use a blocking function in the APR
is the source of the regression.

Cheers,
Joseph

-- System Information:
Debian Release: lenny/sid
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2-utils depends on:
ii  libapr1                    1.2.12-4      The Apache Portable Runtime Librar
ii  libaprutil1                1.2.12+dfsg-8 The Apache Portable Runtime Utilit
ii  libc6                      2.7-13        GNU C Library: Shared libraries
ii  libssl0.9.8                0.9.8g-13     SSL shared libraries

apache2-utils recommends no packages.

apache2-utils suggests no packages.

-- no debconf information



--- End Message ---
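
The blocking read in the report above, as an added example that is not part of the original message or of APR's code: a seed reader that opens the device non-blocking and bounds the wait with poll(), so an empty /dev/random yields an error code instead of a hang, with /dev/urandom used for the rand(3) seed. The function names `read_seed` and `get_rand_seed`, the return codes and the timeouts are assumptions made for this illustration.

```c
/* Added example: bounded-wait seed read. Names are hypothetical, not APR's API. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Read exactly len bytes from path, waiting at most timeout_ms per chunk.
 * Returns 0 on success, -1 on error, -2 if the device had no data in time
 * (the state the strace in the report shows for /dev/random). */
int read_seed(const char *path, unsigned char *buf, size_t len, int timeout_ms)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    size_t got = 0;
    int rc = 0;

    if (fd < 0) return -1;
    while (got < len) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int ready = poll(&p, 1, timeout_ms);
        if (ready == 0) { rc = -2; break; }          /* would block: give up */
        if (ready < 0) {
            if (errno == EINTR) continue;            /* interrupted, retry */
            rc = -1; break;
        }
        ssize_t n = read(fd, buf + got, len - got);  /* may be a short read */
        if (n > 0) got += (size_t)n;
        else if (n < 0 && (errno == EINTR || errno == EAGAIN)) continue;
        else { rc = -1; break; }                     /* EOF or hard error */
    }
    close(fd);
    return rc;
}

/* Seed for a non-cryptographic PRNG such as rand(3): /dev/urandom suffices. */
int get_rand_seed(unsigned int *seed)
{
    return read_seed("/dev/urandom", (unsigned char *)seed, sizeof *seed, 1000);
}

int main(void)
{
    unsigned int seed;
    if (get_rand_seed(&seed) != 0) { fprintf(stderr, "no seed\n"); return 1; }
    printf("seed from /dev/urandom: %u\n", seed);
    printf("/dev/random, 200 ms budget: rc=%d\n",
           read_seed("/dev/random", (unsigned char *)&seed, sizeof seed, 200));
    return 0;
}
```

On a kernel of the era in the report, the last call returns -2 when the pool is empty; newer kernels generally return 0 because /dev/random no longer blocks once initialised.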
--- Begin Message ---
Source: apr
Source-Version: 1.2.12-5

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.2.12-5.diff.gz
  to pool/main/a/apr/apr_1.2.12-5.diff.gz
apr_1.2.12-5.dsc
  to pool/main/a/apr/apr_1.2.12-5.dsc
libapr1-dbg_1.2.12-5_i386.deb
  to pool/main/a/apr/libapr1-dbg_1.2.12-5_i386.deb
libapr1-dev_1.2.12-5_i386.deb
  to pool/main/a/apr/libapr1-dev_1.2.12-5_i386.deb
libapr1_1.2.12-5_i386.deb
  to pool/main/a/apr/libapr1_1.2.12-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 08 Oct 2008 00:06:56 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.2.12-5
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Development Headers
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 501497
Changes: 
 apr (1.2.12-5) unstable; urgency=low
 .
   * Actually switch to /dev/urandom instead of only adding a non-functional
     patch. Closes: #501497

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI6+Ahbxelr8HyTqQRAp/AAKDXFm9vKrzzCDJ+AatE4+k7+9jTVACgjkdq
2D/9jd4dnmVEj2mdc6VLffI=
=tvEO
-----END PGP SIGNATURE-----



--- End Message ---
