Debian Bug report logs - #358689
libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads


Package: libapache2-request-perl; Maintainer for libapache2-request-perl is Steinar H. Gunderson <sesse@debian.org>; Source for libapache2-request-perl is src:libapreq2.

Reported by: Gunnar Wolf <gwolf@gwolf.org>

Date: Thu, 23 Mar 2006 23:03:01 UTC

Severity: grave

Tags: fixed

Found in version libapache2-request-perl/2.04-dev-1sarge1

Fixed in version 2.04-dev-1sarge2

Done: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
New Bug report received and forwarded. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #5 received at submit@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: submit@bugs.debian.org
Subject: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Thu, 23 Mar 2006 14:34:06 -0600
Package: libapache2-request-perl
Version: 2.04-dev-1sarge1
Severity: important

Since the last update, all the requests that include a file upload fail
with a 500 (Internal Server Error) message. The following gets recorded
in the log file:

[Wed Mar 22 18:01:28 2006] [error] [client 132.248.72.73] Apache::Request::upload: (20014) Error string not specified yet at /home/gwolf/cvs/comas/perl/Apache2/Comas.pm line 343, referer: http://www.proglocode.unam.mx/comas/attendees/account/proposals/file/35

The specific line that triggers this error is:

    return $upload unless $req->upload;

Please note I have tried to jump over this test, and the same behavior
happens in other modules where I also get uploads. 

The whole module I am reporting this problem about can be found at:

http://gborg.postgresql.org/cgi-bin/cvsweb.cgi/comas/perl/Apache2/Comas.pm?rev=1.10;cvsroot=comas

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14-lafa
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libapache2-request-perl depends on:
ii  apache2-common             2.0.54-5      next generation, scalable, extenda
ii  libapache2-mod-perl2       1.999.21-1    Integration of perl with the Apach
ii  libapr0                    2.0.54-5      the Apache Portable Runtime
ii  libc6                      2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libdb4.2                   4.2.52-18     Berkeley v4.2 Database Libraries [
ii  libexpat1                  1.95.8-3      XML parsing C library - runtime li
ii  libldap2                   2.1.30-8      OpenLDAP libraries
ii  perl                       5.8.4-8sarge3 Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.4]  5.8.4-8sarge3 The Pathologically Eclectic Rubbis

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #10 received at 358689@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 358689@bugs.debian.org, control@bugs.debian.org, sesse@debian.org
Subject: Re: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Tue, 28 Mar 2006 17:52:24 -0600
severity 358689 grave
thanks

(raised the bug severity by request of the maintainer)

Hi,

As I told the package maintainer by IRC, I tried to search the code
for the possible culprit of this malfunction - I am _way_ too bad in C
(and, of course, working with XS) to come up with a patch for this,
and am unfamiliar with Apache::Request internals, but I think I found
a possible cause. 

The patch between 2.04-dev-1 and 2.04-dev-1sarge1 lies mostly in
putting the 'nlen' and 'vlen' values inside the different ctx
structs - Most of the patch's hunks have this change. I noticed line
541 of apreq_parsers.c reads:

                    s = split_header(t, ctx->bb, ctx->nlen, glen, vlen);

note that it still has vlen as a straight argument, instead of using
ctx->vlen as mostly everywhere else. A couple of lines past it you
will find vlen being used as one of ctx's members, resetting it to
zero: 

                    ctx->vlen = 0;

On the other hand, I found a second possible culprit: The only other
place I found reference to nlen/vlen is in the Perl glue -
Specifically, in glue/perl/xsbuilder/Apache/Upload/Apache__Upload.h
function apreq_xs_upload_make, where both are declared and
used. Probably, if they changed from being independent variables to
becoming members of a structure, they should change as well in the
Perl glue part.

As I said, this is just guesswork, I basically did an eye-based
pattern matching; I think the problem lies in the first hypothesis,
but both are possible.

Thanks for looking into it!

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
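The mismatch described in the message above, as an added illustration that is not libapreq2's code: a resumable header parser whose per-call local `vlen` (the hypothetical buggy form) disagrees with `ctx->vlen` only when a header arrives split across two buffer chunks, which is also why such a regression can slip past a test that delivers the whole header at once. The names `hdr_ctx`, `feed` and `parse_vlen` and the sample header are constructed for this example.

```c
/* Added illustration, not libapreq2 code: once a parser must resume across
 * buffer chunks, running counters such as nlen/vlen have to live in the ctx
 * struct. This mimics the shape of the bug described above (one call site
 * still reading a plain `vlen`) with a constructed header, not the real
 * apreq_parsers.c logic. */
#include <stddef.h>
#include <string.h>

struct hdr_ctx {
    size_t nlen;      /* header-name bytes seen so far          */
    size_t vlen;      /* header-value bytes seen so far (no CR) */
    int    in_value;  /* 1 once ':' has been consumed           */
    int    done;      /* 1 once '\n' terminates the header      */
};

/* Feed one chunk. use_ctx_vlen==1 is the corrected form; 0 models the
 * incomplete backport, where the length handed to the header splitter is
 * a local that restarts at zero on every call. */
static void feed(struct hdr_ctx *ctx, const char *buf, size_t len,
                 int use_ctx_vlen, size_t *reported_vlen)
{
    size_t vlen = 0;                      /* stale local, as in the bug */
    for (size_t i = 0; i < len && !ctx->done; i++) {
        char c = buf[i];
        if (c == '\n') {                  /* the "split_header" call site */
            ctx->done = 1;
            *reported_vlen = use_ctx_vlen ? ctx->vlen : vlen;
        } else if (!ctx->in_value) {
            if (c == ':') ctx->in_value = 1; else ctx->nlen++;
        } else if (c != '\r') {
            ctx->vlen++;                  /* survives the call */
            vlen++;                       /* does not */
        }
    }
}

/* Deliver "Content-Type: text/plain\r\n" in `nchunks` pieces (1 = whole
 * header at once, 2 = split inside the value) and return the value length
 * reported when the header completes. */
size_t parse_vlen(int nchunks, int use_ctx_vlen)
{
    const char *hdr = "Content-Type: text/plain\r\n";  /* constructed */
    size_t cut = nchunks == 1 ? strlen(hdr) : 19;     /* 19 = after "text/" */
    struct hdr_ctx ctx = {0, 0, 0, 0};
    size_t reported = 0;
    feed(&ctx, hdr, cut, use_ctx_vlen, &reported);
    feed(&ctx, hdr + cut, strlen(hdr) - cut, use_ctx_vlen, &reported);
    return reported;
}
```

With the header in one chunk both forms report 11 bytes of value; split in two, the stale local reports only the 5 bytes of the second chunk.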



Severity set to `grave'. Request was from Gunnar Wolf <gwolf@gwolf.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #17 received at 358689@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 358689@bugs.debian.org
Subject: Re: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Fri, 31 Mar 2006 16:17:58 +0200
On Tue, Mar 28, 2006 at 05:52:24PM -0600, Gunnar Wolf wrote:
> The patch between 2.04-dev-1 and 2.04-dev-1sarge1 lies mostly in
> putting the 'nlen' and 'vlen' values inside the different ctx
> structs - Most of the patch's hunks have this change. I noticed line
> 541 of apreq_parsers.c reads:
> 
>                     s = split_header(t, ctx->bb, ctx->nlen, glen, vlen);
> 
> note that it still has vlen as a straight argument, instead of using
> ctx->vlen as mostly everywhere else.

That sounds reasonable... I'll give it a try, but it would be a lot simpler
for me if you had a simple script (possibly along with a test site for
/etc/apache2) I could test on.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #22 received at 358689@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Gunnar Wolf <gwolf@gwolf.org>
Cc: 358689@bugs.debian.org
Subject: Re: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Fri, 31 Mar 2006 16:40:01 +0200
On Fri, Mar 31, 2006 at 04:17:58PM +0200, Steinar H. Gunderson wrote:
> That sounds reasonable... I'll give it a try, but it would be a lot simpler
> for me if you had a simple script (possibly along with a test site for
> /etc/apache2) I could test on.

Never mind, I can reproduce it myself here now.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to "Steinar H. Gunderson" <sesse@debian.org>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #27 received at 358689@bugs.debian.org:

From: "Steinar H. Gunderson" <sesse@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, 358689@bugs.debian.org
Subject: Re: [CVE-2006-0042] Remote DoS in libapreq2-perl
Date: Fri, 31 Mar 2006 16:59:05 +0200
On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote:
> An algorithm weakness has been discovered in Apache2::Request, the
> generic request library for Apache2 which can be exploited remotely
> and cause a denial of service via CPU consumption.

Looks like the backport was incomplete, unfortunately; it breaks file uploads
(see #358689). I've made a fix (attached) which seems to fix the problem for
me; Gunnar, could you please test it on your side too?

/* Steinar */
-- 
Homepage: http://www.sesse.net/
[fix-358689.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #32 received at 358689@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
Cc: 358689@bugs.debian.org
Subject: Re: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Fri, 31 Mar 2006 08:46:59 -0600
Steinar H. Gunderson wrote [Fri, Mar 31, 2006 at 04:40:01PM +0200]:
> On Fri, Mar 31, 2006 at 04:17:58PM +0200, Steinar H. Gunderson wrote:
> > That sounds reasonable... I'll give it a try, but it would be a lot simpler
> > for me if you had a simple script (possibly along with a test site for
> > /etc/apache2) I could test on.
> 
> Nevermind, I can reproduce it myself here now.

Good. Handling uploads is, anyway, a simple task ;-)

Thanks a lot,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF



Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #37 received at 358689@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: "Steinar H. Gunderson" <sesse@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 358689@bugs.debian.org
Subject: Re: [CVE-2006-0042] Remote DoS in libapreq2-perl
Date: Sat, 1 Apr 2006 10:28:02 +0200
Steinar H. Gunderson wrote:
> On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote:
> > An algorithm weakness has been discovered in Apache2::Request, the
> > generic request library for Apache2 which can be exploited remotely
> > and cause a denial of service via CPU consumption.
> 
> Looks like the backport was incomplete, unfortunately; it breaks file uploads
> (see #358689). I've made a fix (attached) which seems to fix the problem for
> me; Gunnar, could you please test it on your side too?

Will provide an update next week.

Regards,

	Joey

-- 
Computers are not intelligent.  They only think they are.

Please always Cc to me when replying to me on the lists.



Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.

Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.

Notification sent to Gunnar Wolf <gwolf@gwolf.org>:
Bug acknowledged by developer.

Message #44 received at 358689-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: 358689-done@bugs.debian.org
Subject: Re: [CVE-2006-0042] Remote DoS in libapreq2-perl
Date: Tue, 4 Apr 2006 17:08:29 +0200
Version: 2.04-dev-1sarge2

On Sat, Apr 01, 2006 at 10:28:02AM +0200, Martin Schulze wrote:
>> Looks like the backport was incomplete, unfortunately; it breaks file uploads
>> (see #358689). I've made a fix (attached) which seems to fix the problem for
>> me; Gunnar, could you please test it on your side too?
> Will provide an update next week.

AFAICS, the update has gone out, so I'm closing this bug. Thanks. :-)

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Information forwarded to debian-bugs-dist@lists.debian.org, sesse@debian.org (Steinar H. Gunderson):
Bug#358689; Package libapache2-request-perl.

Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to sesse@debian.org (Steinar H. Gunderson).

Message #49 received at 358689@bugs.debian.org:

From: Gunnar Wolf <gwolf@gwolf.org>
To: 358689@bugs.debian.org
Subject: Re: libapache2-request-perl: Sarge update 2.04-dev-1sarge1 breaks file uploads
Date: Tue, 4 Apr 2006 13:42:09 -0500
Hi,

Sorry for the delay - even if the upload has already gone in and the
bug has been marked as closed, I just wanted to confirm: yes, this
solved the problem.

Thanks a lot!

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF



Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 01:50:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 07:28:57 2014; Machine Name: buxtehude.debian.org
