On Wed, Jun 27, 2007 at 04:42:38PM -0400, Jim Jagielski wrote:
> I might be missing this (just did a quick scan) but
> what about ap_reclaim_child_processes/reclaim_one_pid()?
> Here we "trust" the pid in the scoreboard and
> send signals.
I'd said in the other thread that this wasn't an attack vector (and hence 2.0.x wasn't vulnerable), because it already goes through a waitpid() before a kill(). Having looked at it again on your prompting, there is a cute way to exploit it: using a pid of -1 will have waitpid() wait for any child, which can easily succeed with "not done", and then passing a pid of -1 to kill is... kind of nasty, especially for root. So I fixed that also in the commit to the trunk.

I haven't forgotten 1.3, and will submit 2.0/2.2 backports for review shortly!

joe
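The waitpid()-then-kill() pattern discussed above, as an added example that is not Apache's code and not the trunk commit Joe refers to. It models a parent that reads a pid from shared memory a child can write (the scoreboard), guards it only with waitpid(pid, WNOHANG) and then signals it, and shows why pid == -1 passes that guard whenever at least one child is alive. The hardened variant and all function names here are hypothetical; the parent-private list of forked pids is one possible fix, not a description of what httpd did.

```c
/* Added example (not httpd code): the reclaim_one_pid() pattern from the
 * thread.  A pid taken from the scoreboard is untrusted, because a
 * compromised child can write any value there, including -1. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decision the unsafe guard makes: go on to kill(pid) only when
 * waitpid(pid, WNOHANG) reports "child not done".  This function returns
 * that decision instead of calling kill(), so it is safe to probe with -1.
 * Returns 1 if the guard would proceed to signal `pid`, 0 otherwise. */
int unsafe_guard_would_signal(pid_t pid)
{
    int status;
    pid_t r = waitpid(pid, &status, WNOHANG);
    /* r == 0: a matching child exists and has not exited.  For pid == -1
     * "matching" means ANY child, so the guard passes as soon as the parent
     * has one live child, and kill(-1, sig) would follow, signalling every
     * process the caller may signal (all of them, for root). */
    return r == 0;
}

/* Hardened version (hypothetical): only signal a pid that is strictly
 * positive, so -1 (every process) and 0 (own process group) are impossible,
 * and that this parent itself forked, recorded in a parent-private array the
 * children cannot write.  Returns 0 on success, -1 with errno set otherwise. */
int safe_reclaim(pid_t pid, int sig, const pid_t *own_children, size_t n)
{
    int status;
    size_t i;
    int known = 0;

    if (pid <= 1) {                 /* rejects -1, 0 and init */
        errno = EINVAL;
        return -1;
    }
    for (i = 0; i < n; i++)
        if (own_children[i] == pid)
            known = 1;
    if (!known) {
        errno = ESRCH;
        return -1;
    }
    if (waitpid(pid, &status, WNOHANG) != 0) {
        errno = ECHILD;             /* already exited, or not our child */
        return -1;
    }
    return kill(pid, sig);
}

/* Demo: fork one idle child (constructed here), show the unsafe guard
 * accepting -1, then reclaim the real child through the hardened path.
 * Returns 1 if all three observations hold, 0 otherwise. */
int demo(void)
{
    pid_t child = fork();
    if (child < 0)
        return 0;
    if (child == 0) {
        pause();                    /* child idles until it is signalled */
        _exit(0);
    }
    {
        pid_t own[1] = { child };
        int status;
        int unsafe_accepts_minus_one = unsafe_guard_would_signal(-1);
        int safe_rejects_minus_one =
            (safe_reclaim(-1, SIGTERM, own, 1) == -1 && errno == EINVAL);
        int safe_kills_child = (safe_reclaim(child, SIGTERM, own, 1) == 0);
        waitpid(child, &status, 0); /* reap the terminated child */
        return unsafe_accepts_minus_one && safe_rejects_minus_one
               && safe_kills_child;
    }
}

int main(void)
{
    printf("scoreboard pid demo: %s\n", demo() ? "ok" : "FAILED");
    return 0;
}
```

Note that unsafe_guard_would_signal(-1) only returns 0 when the parent has no children at all (waitpid fails with ECHILD); a real server parent always has children, which is exactly the condition the exploit needs.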