Bug#534712: apache2.2-common: DoS possible with mod_deflate
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security
There is a bug in mod_deflate that can lead to a DoS with very small
network traffic.
The problem is the following: when downloading a file with mod_deflate
enabled and aborting the connection before the end, mod_deflate will take
100% of a CPU and finish compressing the file for nothing.
Even with a not-so-big file (a few dozen MB), it is possible to
"lock" Apache by opening simultaneous requests on this file and aborting the
connection very soon; as the
file will be compressed multiple times in parallel, it will make
compression times grow and keep the threads busy for a while.
The problem arises because mod_deflate doesn't check if the connection is
aborted and goes on whatever happens.
The following patch fixes the problem, but from reading the code, I guess
that the inflate function is also impacted.
Best regards,
François
--- mod_deflate.c 2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new 2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@
continue;
}
+ if (r->connection->aborted) {
+ return APR_ECONNABORTED;
+ }
+
/* read */
apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
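Review bot: the `r->connection->aborted` guard is only added to the deflate output loop shown here, while the report itself says the inflate path looks affected too; the same check should go into the inflate filter loop before this is merged, otherwise the half of the problem the reporter already identified stays open. A short comment above the check saying why the filter bails out (client is gone, stop spending CPU on output nobody will read) would also help, since nothing in the hunk explains it.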
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi deflate dir env expires headers
mime negotiation perl php5 python setenvif status userdir
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny3 utility programs for webservers
ii libapr1 1.2.12-5 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny2 The Apache Portable Runtime Utilit
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8g-15+lenny1 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages apache2.2-common recommends:
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
Versions of packages apache2.2-common suggests:
ii apache2-doc 2.2.9-10+lenny3 Apache HTTP Server documentation
pn apache2-suexec | apache2 <none> (no description available)
ii dillo [www-browser] 0.8.6-3 Small and fast web browser
ii elinks [www-browser] 0.11.4-3 advanced text-mode WWW browser
ii epiphany-gecko [www-brow 2.22.3-9 Intuitive GNOME web browser - Geck
ii iceape-browser [www-brow 1.1.14-1 Iceape Navigator (Internet browser
ii iceweasel [www-browser] 3.0.6-1 lightweight web browser based on M
ii w3m [www-browser] 0.5.2-2+b1 WWW browsable pager with excellent
Versions of packages apache2.2-common is related to:
pn apache2-mpm-event <none> (no description available)
pn apache2-mpm-itk <none> (no description available)
ii apache2-mpm-prefork 2.2.9-10+lenny3 Apache HTTP Server - traditional n
pn apache2-mpm-worker <none> (no description available)
-- no debconf information
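As an added illustration of the pattern the reporter's patch applies (added here; this is not code from François's report, from Debian or from mod_deflate), the following stand-alone Python model compresses a buffer in fixed-size pieces and stops as soon as a caller-supplied `is_aborted()` probe reports that the client has gone away. `deflate_stream_unguarded` ignores the probe and always does the whole job, which is the behaviour the report describes. The `CHUNK` size, the `SimulatedClient` stand-in and the sample payload are assumptions of this model, not Apache or APR internals.

```python
import zlib

# Assumed piece size for this model; mod_deflate's own bucket handling is not reproduced.
CHUNK = 8000


def deflate_stream(data, is_aborted, chunk=CHUNK):
    """Compress `data` piece by piece, consulting `is_aborted()` before each piece.

    If the probe reports the client is gone, the compressor is dropped right
    there, so no further CPU is spent producing output nobody will read.
    Returns (compressed_bytes, bytes_consumed, finished).
    """
    z = zlib.compressobj(level=6, wbits=31)  # wbits=31 selects gzip framing
    out = []
    consumed = 0
    for off in range(0, len(data), chunk):
        if is_aborted():
            # Client is gone: bail out instead of finishing the stream.
            return b"".join(out), consumed, False
        piece = data[off:off + chunk]
        out.append(z.compress(piece))
        consumed += len(piece)
    out.append(z.flush())
    return b"".join(out), consumed, True


def deflate_stream_unguarded(data, chunk=CHUNK):
    """Same loop with the abort check disabled: always compresses everything."""
    return deflate_stream(data, lambda: False, chunk)


class SimulatedClient:
    """Constructed stand-in for a connection that drops after a number of pieces."""

    def __init__(self, abort_after_pieces):
        self.abort_after_pieces = abort_after_pieces
        self.polls = 0

    def is_aborted(self):
        # Each call models the filter polling the connection state once per piece.
        self.polls += 1
        return self.polls > self.abort_after_pieces


def demo():
    # Constructed sample payload: compressible text, exactly 20 pieces worth.
    data = (b"GET /big-file data line that compresses well\n" * 4000)[: CHUNK * 20]

    # Unguarded: all 20 pieces are compressed even though nobody is listening.
    full, n_full, done_full = deflate_stream_unguarded(data)
    assert done_full and zlib.decompress(full, wbits=31) == data

    # Guarded: the client drops after 3 pieces, so work stops there.
    client = SimulatedClient(abort_after_pieces=3)
    _partial, n_partial, done_partial = deflate_stream(data, client.is_aborted)
    return {
        "unguarded_consumed": n_full,
        "guarded_consumed": n_partial,
        "guarded_finished": done_partial,
    }


if __name__ == "__main__":
    print(demo())
```

The guarded loop only notices the abort between pieces, so the work it still does is bounded by one piece rather than by the whole file; that granularity is the trade-off any such check makes, and it is why the check belongs inside the per-bucket loop rather than once at filter entry.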