Bug#615814: NMUing libapache2-mod-fcgid (DELAYED/5): #615814 fixed in upstream svn, has security implications

March 07th, 2012 - 05:30 pm ET by Daniel Kahn Gillmor


tags 615814 + security patch
thanks

#615814 appears to be an opportunity for a denial of service attack,
since explicitly declared process limits are not respected.

Despite not having yet released 2.3.7, upstream is clearly aware of the
bug in 2.3.6, since they committed a fix for it back in November of
2010 (the same fix provided by Miguel Cabeça):

0 dkg@pip:~$ svn diff -r1037726:1037727 https://svn.apache.org/repos/asf/ht...cgid/trunk
Index: CHANGES-FCGID
=
CHANGES-FCGID (revision 1037726)
+++ CHANGES-FCGID (revision 1037727)
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with mod_fcgid 2.3.7

+ *) Fix regression in 2.3.6 which broke process controls when using vhost-
+ specific configuration. [Jeff Trawick]
+
*) Account for first process in class in the spawn score. [Jeff Trawick]

Changes with mod_fcgid 2.3.6
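Review bot: the CHANGES entry records the 2.3.7 fix as a process-control regression only, without noting that an unenforced per-class limit is the denial-of-service exposure the bug report above describes; a sentence naming that impact would let downstream packagers recognise r1037727 as a security fix rather than a functional one.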
Index: modules/fcgid/fcgid_spawn_ctl.c
=
modules/fcgid/fcgid_spawn_ctl.c (revision 1037726)
+++ modules/fcgid/fcgid_spawn_ctl.c (revision 1037727)
@@ -178,7 +178,7 @@
if (current_node->inode == command->inode
&& current_node->deviceid == command->deviceid
&& !strcmp(current_node->cmdline, command->cmdline)
- && current_node->vhost_id == sconf->vhost_id
+ && current_node->vhost_id == command->vhost_id
&& current_node->uid == command->uid
&& current_node->gid == command->gid)
break;
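Review bot: the whole fix is the one-token change from `sconf->vhost_id` to `command->vhost_id` in the class match, so confirm that nothing else in this function still reads `sconf` for the comparison and that `sconf` does not become an unused variable; the hunk shows only the condition. A regression test that sets FcgidMaxProcessesPerClass inside a vhost with its own directives and checks that the limit is actually reached would guard this path, which broke silently in 2.3.6.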
0 dkg@pip:~$ svn log -r1037727 https://svn.apache.org/repos/asf/ht...cgid/trunk

r1037727 | trawick | 2010-11-22 09:08:29 -0500 (Mon, 22 Nov 2010) | 7 lines

Fix regression in 2.3.6 which broke process controls when using vhost-
specific configuration.

vhost_id was referenced from the wrong structure, and never matched
unless there were no vhost-specific directives in the vhost of the
request.


0 dkg@pip:~$

I've prepared an NMU for unstable and i'm uploading it to DELAYED/5 (see
the attached debdiff).

I'd like to offer the same fix for either the security archive or the
next stable point release, since currently debian stable systems running
mod_fcgid are vulnerable to denial of service attacks by memory
exhaustion where this limit is not respected.

Security folks, would you accept this as a security upload for squeeze,
or should i fall back to the release-team for the next point release? I
don't think i've ever prepared a DSA before, but i'm prepared to learn
if you think that's reasonable.




diff -u libapache2-mod-fcgid-2.3.6/debian/changelog libapache2-mod-fcgid-2.3.6/debian/changelog
libapache2-mod-fcgid-2.3.6/debian/changelog
+++ libapache2-mod-fcgid-2.3.6/debian/changelog
@@ -1,3 +1,11 @@
+libapache2-mod-fcgid (1:2.3.6-1.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * import r1037727 from upstream to fix vhost-specific process controls
+ (Closes: #615814)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 07 Mar 2012 17:00:08 -0500
+
libapache2-mod-fcgid (1:2.3.6-1) unstable; urgency=low

* New upstream release (Closes: #595276)
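Review bot: the bug is tagged security (tags 615814 + security) but the changelog entry reads as a plain functional fix at urgency=low; stating the denial-of-service impact, and the CVE once assigned (CVE-2012-1181 in the reply below), would make the security rationale for this upload visible in the package history.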
diff -u libapache2-mod-fcgid-2.3.6/debian/patches/00list libapache2-mod-fcgid-2.3.6/debian/patches/00list
libapache2-mod-fcgid-2.3.6/debian/patches/00list
+++ libapache2-mod-fcgid-2.3.6/debian/patches/00list
@@ -1,0 +2 @@
+20_honor_FcgidMaxProcessesPerClass_setting.dpatch
only in patch2:
unchanged:
libapache2-mod-fcgid-2.3.6.orig/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch
+++ libapache2-mod-fcgid-2.3.6/debian/patches/20_honor_FcgidMaxProcessesPerClass_setting.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_honor_FcgidMaxProcessesPerClass_setting.dpatch by <cabeca@ist.utl.pt>
+##
+## DP: See r1037727 from https://svn.apache.org/repos/asf/ht...cgid/trunk by trawick:
+## DP:
+## DP: Fix regression in 2.3.6 which broke process controls when using vhost-
+## DP: specific configuration.
+## DP:
+## DP: vhost_id was referenced from the wrong structure, and never matched
+## DP: unless there were no vhost-specific directives in the vhost of the
+## DP: request.
+
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c
+ libapache2-mod-fcgid-2.3.6~/modules/fcgid/fcgid_spawn_ctl.c 2011-08-19 17:13:22.982605420 +0100
++++ libapache2-mod-fcgid-2.3.6/modules/fcgid/fcgid_spawn_ctl.c 2011-08-19 17:19:31.859603703 +0100
+@@ -173,7 +173,7 @@
+ if (current_node->inode == command->inode
+ && current_node->deviceid == command->deviceid
+ && !strcmp(current_node->cmdline, command->cmdline)
+- && current_node->vhost_id == sconf->vhost_id
++ && current_node->vhost_id == command->vhost_id
+ && current_node->uid == command->uid
+ && current_node->gid == command->gid)
+ break;
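Review bot: the dpatch header credits cabeca@ist.utl.pt as the patch author while the DP: lines describe upstream r1037727 by trawick; saying explicitly that this is a backport of the upstream commit (as the changelog's "import r1037727" does) avoids a provenance mismatch. The embedded hunk is also offset from the svn diff above (@@ -173 versus @@ -178), which is expected for the 2.3.6 tarball against trunk but worth confirming applies cleanly to the packaged source.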






To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

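A simplified model of the class-matching loop changed by r1037727, added here as an illustration and not mod_fcgid's own code: field names follow the hunk, while the struct names, list layout, sample values and the assumption that the consulted server config carries a different vhost_id than the request's command (the situation the commit message describes) are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Simplified model of the per-class lookup in fcgid_spawn_ctl.c (added
 * example, not mod_fcgid's code). Field names follow the hunk; the struct
 * names, the list layout and the sample values are assumptions. */

typedef struct { int vhost_id; } fcgid_server_conf;   /* stands in for sconf */

typedef struct {                                       /* the request's class */
    ino_t inode; dev_t deviceid; const char *cmdline;
    int vhost_id; uid_t uid; gid_t gid;
} fcgid_command;

typedef struct procnode {                              /* one running worker */
    ino_t inode; dev_t deviceid; const char *cmdline;
    int vhost_id; uid_t uid; gid_t gid;
    struct procnode *next;
} procnode;

/* Count workers already in cmd's class. fixed=1 uses the r1037727 comparison
 * (command->vhost_id); fixed=0 keeps the 2.3.6 one (sconf->vhost_id). */
static int count_class(const procnode *n, const fcgid_command *cmd,
                       const fcgid_server_conf *sconf, int fixed)
{
    int count = 0;
    for (; n != NULL; n = n->next) {
        int vhost_match = fixed ? n->vhost_id == cmd->vhost_id
                                : n->vhost_id == sconf->vhost_id;
        if (n->inode == cmd->inode && n->deviceid == cmd->deviceid
            && !strcmp(n->cmdline, cmd->cmdline) && vhost_match
            && n->uid == cmd->uid && n->gid == cmd->gid)
            count++;
    }
    return count;
}

/* Scenario (constructed): a vhost with its own Fcgid directives (vhost_id 3)
 * already runs three /srv/app.fcgi workers, the config consulted carries
 * vhost_id 0, and FcgidMaxProcessesPerClass is 2. Returns 1 if one more
 * spawn would be allowed. */
static int spawn_allowed(int fixed)
{
    const int max_per_class = 2;
    fcgid_server_conf sconf = { 0 };
    procnode n3 = { 42, 7, "/srv/app.fcgi", 3, 1000, 1000, NULL };
    procnode n2 = { 42, 7, "/srv/app.fcgi", 3, 1000, 1000, &n3 };
    procnode n1 = { 42, 7, "/srv/app.fcgi", 3, 1000, 1000, &n2 };
    fcgid_command cmd = { 42, 7, "/srv/app.fcgi", 3, 1000, 1000 };
    /* Buggy: no node matches, count stays 0 < 2, so spawning never stops. */
    return count_class(&n1, &cmd, &sconf, fixed) < max_per_class;
}
```

With the 2.3.6 comparison the three existing workers are invisible to the limit check, which is the unbounded-spawn condition the bug report calls a memory-exhaustion denial of service; with the r1037727 comparison the same list counts as three and the limit of two holds.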
Replies

#1 Daniel Kahn Gillmor
March 15th, 2012 - 08:10 pm ET

On Thu, 15 Mar 2012 16:20:40 -0400, Daniel Kahn Gillmor wrote:
> I've reported the issue to oss-security and requested a CVE:
>
> http://www.openwall.com/lists/oss-s...2/03/15/10



This has now been assigned CVE-2012-1181.





