On 01/09/2015 09:23 PM, Joe Orton wrote:
> Since Jim is talking 2.4.11, I should report this now. We discovered
> this week in Fedora: mod_wsgi does some interesting things in daemon
> mode, notably that it allocates a request_rec internally which ends up
> getting used by httpd.
>
> Reason is, the fix for CVE-2013-5704 extends the request_rec:
>
> http://svn.apache.org/r1619884
>
> A mod_wsgi built against <= 2.4.10 will allocate a request_rec using the
> old, smaller "wrong" size, and hence, if such a build is used with >=
> 2.4.11, it passes in the wrong-sized request_rec and that breaks later
> when httpd tries to access r->trailers_*.
>
> It's one of those fuzzy boundaries in the API, you can argue mod_wsgi is
> wrong, but, I could argue it back; the struct *is* public, not got a
> strong opinion on this personally.

But our rules allow to extend public structs if new members are added to the end.
So if we say that mod_wsgi is right we would need to update our backporting rules.
If we say it is wrong, we may need to make it clearer that if public structs are
allocated directly via a module and handed back to any server functions this requires
possible recompilation of the module even for patch releases inside a stable branch.

>
> Either way, the fix for CVE-2013-5704 ends up breaking backwards
> compatibility with existing 2.4.x builds of mod_wsgi, which is kind of
> Bad. I don't have a good proposal for how to fix or avoid this. Worst

This is bad. Agreed.

> case, we make clear the mod_wsgi case is API/ABI abuse and warn binary
> distributors they have to handle this by rebuilding.
>
> Regards, Joe
>

Regards

Rüdiger
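
Added illustration, not part of the original thread and not httpd or mod_wsgi code: a minimal C model of the size mismatch discussed above. The structs `req_v10` and `req_v11` and all function names are hypothetical stand-ins for a public struct before and after members are appended; the server-side constructor is one general way to keep the allocation size out of the module's binary, shown as an assumption rather than an existing httpd API.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins (hypothetical), NOT httpd's real request_rec. */
struct req_v10 {              /* layout the module binary was built against */
    const char *uri;
    void *headers_in;
};

struct req_v11 {              /* same struct after a patch release appended members */
    const char *uri;
    void *headers_in;
    void *trailers_in;        /* new members, added at the end */
    void *trailers_out;
};

/* 1 if the bytes [offset, offset+len) lie inside an allocation of alloc_size. */
int member_in_bounds(size_t alloc_size, size_t offset, size_t len)
{
    return offset <= alloc_size && len <= alloc_size - offset;
}

/* Module allocates with its compiled-in sizeof (old layout); the newer
 * server then reads trailers_in. Appending kept old offsets stable, but
 * the new member starts at or past the end of the module's allocation. */
int module_alloc_is_safe(void)
{
    size_t alloc = sizeof(struct req_v10);
    return member_in_bounds(alloc, offsetof(struct req_v11, trailers_in),
                            sizeof(void *));
}

/* Constructor compiled into the server: the size always matches the
 * layout the running server expects, whatever the module was built with. */
struct req_v11 *server_create_request(void)
{
    return calloc(1, sizeof(struct req_v11));
}

int server_alloc_is_safe(void)
{
    struct req_v11 *r = server_create_request();
    int ok = r != NULL &&
             member_in_bounds(sizeof *r, offsetof(struct req_v11, trailers_out),
                              sizeof r->trailers_out);
    free(r);
    return ok;
}
```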