Bug#920235: Reading from /dev/urandom hangs from an Apache2 cgi-bin, but not from the shell
Package: apache2
Version: 2.4.25-3+deb9u6
OS details:
Debian GNU/Linux 9 (stretch)
Linux debian 4.18.16-x86_64-linode118 #1 SMP PREEMPT Mon Oct 29 15:38:25 UTC 2018 x86_64 GNU/Linux
Apache details:
Server version: Apache/2.4.25 (Debian)
Server built: 2018-11-03T18:46:19
Steps to reproduce:
1. Install apache2, configure it to enable cgi scripts. (a2enmod cgi, etc.)
2. Create an executable file in /usr/lib/cgi-bin called, for example, "test", containing the following four lines:
#!/bin/bash
echo "Content-Type: text/plain"
echo ""
tr -dc 'a-z0-9' </dev/urandom | fold -w 8 | head -n 1
3. Attempt to execute the script from a web browser by visiting http://<ip of server>/cgi-bin/test
Expected results:
A plain text web page containing an 8 character random string.
Actual results:
"tr" consumes 100% CPU and hangs. If you "kill" tr, a correct web page is returned, containing the string.
Notes:
This *used* to work. An update in past few weeks has broken it. Unfortunately I failed to notice precisely which update.
If you run "tr -dc 'a-z0-9' </dev/urandom | fold -w 8 | head -n 1" from a shell, even as the www-data user, it works as expected. Excuting the cgi script from a shell also works as expected.
I've reproduced this on two separate, unrelated Debian 9 systems.
(I formatted this report by hand because the systems in question don't have internet access, so I couldn't use "reportbug". Apologies for any mistakes.)
Reply to: