[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#858373: marked as done (apache2: segfaults upon recieving bad request when using worker/event mpm and cgid errordoc)

Your message dated Tue, 8 Aug 2017 02:07:07 +0200 (CEST)
with message-id <alpine.DEB.2.11.1708080204430.20586@manul.sfritsch.de>
and subject line Bug #858373: apache2: segfaults upon recieving bad request when using worker/event mpm and cgid errordoc
has caused the Debian Bug report #858373,
regarding apache2: segfaults upon recieving bad request when using worker/event mpm and cgid errordoc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

858373: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858373
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.22-13+deb7u8
Severity: normal
Tags: security

Dear Maintainer,

We have some websites running on Debian Wheezy, so still using Apache 2.2.22, that are configured either in Worker or Event MPM (so are using mod_cgid in what follows), and have a custom "ErrorDocument 400" directive that points at a perl script for providing custom ModSecurity error.

I haven't dug up an older version of the package from snapshots to confirm this, but I think that since the recently backported HttpProtocolOptions directive to that version (BTW, where was that announced - I had to run strings on the binary to find it), I've been seeing a lot of segfault/coredumps registered in the Apache error logs.

After some analysis, I've found that I can reproduce the error with a fairly trivial shell command:

# echo -ne "GET / HTTP/1.0\n" | nc $some_website 80

From the coredump, I was able to find that this line (1371) in the
cgid_handler() code in the modules/generators/mod_cgid.c source file has a null pointer issue on the r->protocol field:

	is_included = !strcmp(r->protocol, "INCLUDED");

Seems like a bit of a security issue to me.

No combination of adjustments to the HttpProtocolOptions directive seemed to help from what I could see.

I also haven't been able to reproduce this issue on a Prefork MPM backend webserver.

Varying the details of the perl ErrorDocument script's implementation don't appear to help either (eg: it still occurs even with a simple hello world script).

The error still occurs if I disable ModSecurity, but leave the ErrorDocument for 400 messages.

Let me know if you need any more details or have any questions.


-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
 alias auth_basic authn_file authz_default authz_groupfile
 authz_host authz_user autoindex cgid deflate dir env expires
 headers include info mime mod-security negotiation reqtimeout
 rewrite rpaf setenvif shib2 ssl status unique_id userdir*
 (A * means that the .conf file for that module is not enabled in

-- System Information:
Debian Release: 7.11
 APT prefers oldstable
 APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker  2.2.22-13+deb7u8
ii  apache2.2-common    2.2.22-13+deb7u8

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils  2.2.22-13+deb7u8
ii  apache2.2-bin  2.2.22-13+deb7u8
ii  lsb-base       4.1+Debian8+deb7u1
ii  mime-support   3.52-1+deb7u1
ii  perl           5.14.2-21+deb7u4
ii  procps         1:3.3.3-3

Versions of packages apache2.2-common recommends:
pn  ssl-cert  <none>

Versions of packages apache2.2-common suggests:
pn  apache2-doc                             <none>
pn  apache2-suexec | apache2-suexec-custom  <none>
ii  lynx-cur [www-browser]                  2.8.8dev.12-2+deb7u1

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 2.2.22-13+deb7u11

The fix has been released in DLA 841-2. Closing the report.

--- End Message ---

Reply to: