Bug#663723: Critical memory leak with mod_rewrite in apache2 using german umlauts
Package: apache2
Version: 2.2.16-6+squeeze6
Severity: serious
Tags: security
Hello,
I noticed on a customer's server that apache periodically crashes the
whole system by using the whole available memory until it swaps away.
I have found out that this is caused by a crafted .htaccess where German
umlauts are handled in a wrong way.
I have tested it on:
* Lenny amd64 with apache2-prefork
* Lenny i386 with apache2-prefork
* Squeeze amd64 with apache2-prefork
* Squeeze i386 with apache2-prefork
* Lenny amd64 with apache2-worker
* Lenny i386 with apache2-worker
* Squeeze amd64 with apache2-worker
* Squeeze i386 with apache2-worker
It is easily reproduced on all systems (locale of all systems: de_DE.UTF-8).
Ways to reproduce:
# apt-get install apache2
# a2enmod rewrite
Put the following code to e.g. /var/www/.htaccess:
RewriteEngine on
RewriteBase /
RewriteRule ^(.*)\xC3\x84(.*)$ $1Ä$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\xA4(.*)$ $1ä$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\x96(.*)$ $1Ö$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\xB6(.*)$ $1ö$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\x9C(.*)$ $1Ü$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\xBC(.*)$ $1ü$2 [N,E=utf8_fixed:1]
RewriteRule ^(.*)\xC3\x9F(.*)$ $1ß$2 [N,E=utf8_fixed:1]
Go to your browser and open:
http://localhost/Parf%C3%BCmerie
Now the server runs out of memory very fast!
This is especially a big problem for shared hosters with mod_rewrite
enabled (most vhosts require them today) where users could put their own
.htaccess to the documentroot.
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
E-Mail: pmatthaei@debian.org
patrick@linux-dev.org
*/
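
An added example, not part of the original report or of Apache's code: a small audit script that flags RewriteRule lines carrying the [N] flag whose output still matches their own pattern, so the restart that [N] triggers would never end. It assumes the .htaccess is saved as UTF-8 (as the de_DE.UTF-8 locale in the report suggests), checks each rule in isolation, and uses Python's re as a stand-in for PCRE; the sample file and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: one rule in the shape shown in the report and one
# terminating [N] rule for contrast. Assumed to be saved as UTF-8.
SAMPLE_HTACCESS = (
    "RewriteEngine on\n"
    "RewriteBase /\n"
    "RewriteRule ^(.*)\\xC3\\xBC(.*)$ $1ü$2 [N,E=utf8_fixed:1]\n"
    "RewriteRule ^old/(.*)$ new/$1 [N]\n"
).encode("utf-8")

RULE = re.compile(rb"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def parse_rules(htaccess: bytes):
    """Yield (pattern, substitution, flag names) for each RewriteRule line."""
    for line in htaccess.splitlines():
        m = RULE.match(line)
        if m:
            raw = (m.group(3) or b"").split(b",")
            yield m.group(1), m.group(2), {f.split(b"=")[0].strip().upper() for f in raw}

def apply_rule(pattern: bytes, subst: bytes, path: bytes):
    """Return the rewritten path, or None when the pattern does not match."""
    m = re.search(pattern, path)
    if m is None:
        return None
    # Expand $0..$9 backreferences; the substitution replaces the whole path.
    return re.sub(rb"\$(\d)", lambda g: m.group(int(g.group(1))) or b"", subst)

def loops_forever(pattern: bytes, subst: bytes, path: bytes, limit: int = 100) -> bool:
    """True if re-running the rule never stops matching (fixed point or limit hit)."""
    for _ in range(limit):
        new = apply_rule(pattern, subst, path)
        if new is None:
            return False
        if new == path:
            return True
        path = new
    return True

def audit(htaccess: bytes, path: bytes):
    """Patterns of [N]/[next] rules that, taken alone, never terminate on `path`."""
    return [p for p, s, flags in parse_rules(htaccess)
            if flags & {b"N", b"NEXT"} and loops_forever(p, s, path)]

if __name__ == "__main__":
    print(audit(SAMPLE_HTACCESS, unquote_to_bytes("Parf%C3%BCmerie")))
```

On the sample, only the umlaut rule is reported: its pattern matches the bytes C3 BC and its substitution writes the same two bytes back, so the path never changes between restarts.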