Looking at this further:

I can't actually see any exploit path here at all in 2.0.x prefork:

PSNC folks; in your report, "PoC #3 SIGUSR1 killer #1 (Apache 2.x)" 
concerns the "graceful shutdown" code, which is only present in 2.2.x, 
not 2.0.x.

The ap_reclaim_child_processes() path changed in SVN can't be an attack 
vector: all it does, by intent, is kill children of the parent.  The 
implementation guarantees that it will not kill any other process: 
waitpid() fails with ESRCH if passed a non-child pid.  reclaim_one_pid() 
will only kill the pid if waitpid returns zero.

The only kill() call in 2.0 prefork.c itself is in reap_children(), 
which is dead code.

joe
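The guard Joe describes (only signal a pid after waitpid() confirms it is a still-running child) as an added illustration, not code from httpd; the helper and demo names are hypothetical and the sleeping child is constructed for the demo:

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one reclaim attempt (hypothetical enum for the demo). */
enum reclaim_result {
    RECLAIM_SIGNALED,        /* live child: signal was sent */
    RECLAIM_ALREADY_EXITED,  /* our child, but it had already exited and is now reaped */
    RECLAIM_NOT_A_CHILD      /* waitpid() rejected the pid: nothing was signalled */
};

/* Send sig to pid only when waitpid() reports it as a running child of ours.
 * waitpid() returns -1 for any pid that is not our child, so a stray or
 * attacker-chosen pid can never be signalled through this path. */
enum reclaim_result reclaim_one_pid(pid_t pid, int sig)
{
    int status;
    pid_t rv = waitpid(pid, &status, WNOHANG);
    if (rv == 0) {              /* child exists and has not exited */
        kill(pid, sig);
        return RECLAIM_SIGNALED;
    }
    if (rv == pid)              /* child had exited; we just reaped it */
        return RECLAIM_ALREADY_EXITED;
    return RECLAIM_NOT_A_CHILD; /* rv == -1: not one of our children */
}

/* Demo: fork a sleeping child, confirm it gets SIGTERM, then reap it. Returns 1 on success. */
int demo_child_is_signalled(void)
{
    int status;
    pid_t child = fork();
    if (child < 0) return 0;
    if (child == 0) { pause(); _exit(0); }   /* constructed child: waits to be signalled */
    enum reclaim_result r = reclaim_one_pid(child, SIGTERM);
    waitpid(child, &status, 0);              /* reap so no zombie is left behind */
    return r == RECLAIM_SIGNALED && WIFSIGNALED(status) && WTERMSIG(status) == SIGTERM;
}

/* Demo: our own pid and our parent's pid are not children, so nothing is sent. */
int demo_non_child_is_refused(void)
{
    return reclaim_one_pid(getpid(), SIGTERM) == RECLAIM_NOT_A_CHILD
        && reclaim_one_pid(getppid(), SIGTERM) == RECLAIM_NOT_A_CHILD;
}

int main(void)
{
    printf("child signalled: %d, non-child refused: %d\n",
           demo_child_is_signalled(), demo_non_child_is_refused());
    return 0;
}
```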