Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-15 Thread Steve Hay
Steve Hay wrote on 2013-03-14:
 Niko Tyni wrote on 2013-03-13:
 On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
 Dominic Hargreaves wrote on 2013-03-12:
 
 When trying to fix this issue in Debian stable, I found that the
 patch at
 
 http://svn.apache.org/viewvc?view=revision&revision=1455340
 
 does not stop the test failing when applied to 2.0.4 (as currently
 found in Debian stable) and built against the current perl package
 in Debian stable (5.10 + the rehashing fix).
 
 I haven't looked at the Debian package, or tried anything with
 mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from
 the Perl git repo (in fact, I took the snapshot at
 http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
 and tried that with Apache 2.2.22 and mod_perl from trunk and the
 tests all pass for me... (This is on Windows 7 x64 with VC++ 2010.)
 
 Thanks for checking.
 
 FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
 and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
 be a Debian change that breaks it. Maybe -Dusethreads or something like
 that.
 
 I'll keep looking and send an update when I know more.
 
 
 The perl I built and tested with was made with ithreads enabled.
 
 There is an alternative patch to fix this test, submitted to
 mod_perl's rt.cpan.org queue after I'd applied the patch from the
 perl5-security queue on rt.perl.org:
 
 https://rt.cpan.org/Ticket/Display.html?id=83916
 
 I haven't tried it myself yet, but is that any better for you?

Zefram has now come up with an even better patch (on the same RT
ticket), after reproducing the Debian 5.10.1 failure himself.

Please take a look (I've also attached it here for your convenience) and
let me know whether this works for you. If so then I hope to apply it to
SVN over the weekend.


hattack_synthesis.patch
Description: hattack_synthesis.patch


Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-15 Thread Salvatore Bonaccorso
Hi

On Fri, Mar 15, 2013 at 05:56:05PM -, Steve Hay wrote:
[...]
 Zefram has now come up with an even better patch (on the same RT
 ticket), after reproducing the Debian 5.10.1 failure himself.
 
 Please take a look (I've also attached it here for your convenience) and
 let me know whether this works for you. If so then I hope to apply it to
 SVN over the weekend.

I can confirm that the new patch works on Debian Squeeze, with Perl
(5.10.1-17squeeze6) including the security fix.

Thank you Steve for keeping us updated!

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-15 Thread Zefram
The patch in svn.apache.org r1455340 is not correct for Perl 5.10 due
to a slight difference in hash splitting logic.  Full explanation and
revised patch now available on the RT ticket.

-zefram





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-15 Thread Dominic Hargreaves
On Fri, Mar 15, 2013 at 08:43:58PM +0100, Salvatore Bonaccorso wrote:
 Hi
 
 On Fri, Mar 15, 2013 at 05:56:05PM -, Steve Hay wrote:
 [...]
  Zefram has now come up with an even better patch (on the same RT
  ticket), after reproducing the Debian 5.10.1 failure himself.
  
  Please take a look (I've also attached it here for your convenience) and
  let me know whether this works for you. If so then I hope to apply it to
  SVN over the weekend.
 
 I can confirm that the new patch works on Debian Squeeze, with Perl
 (5.10.1-17squeeze6) including the security fix.

I've pushed this to

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/squeeze

now and will upload over the weekend.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-14 Thread Steve Hay
Niko Tyni wrote on 2013-03-13:
 On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
 Dominic Hargreaves wrote on 2013-03-12:
 
 When trying to fix this issue in Debian stable, I found that the patch
 at
 
 http://svn.apache.org/viewvc?view=revision&revision=1455340
 
 does not stop the test failing when applied to 2.0.4 (as currently
 found in Debian stable) and built against the current perl package
 in Debian stable (5.10 + the rehashing fix).
 
 I haven't looked at the Debian package, or tried anything with
 mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
 Perl git repo (in fact, I took the snapshot at
 http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
 and tried that with Apache 2.2.22 and mod_perl from trunk and the
 tests all pass for me... (This is on Windows 7 x64 with VC++ 2010.)
 
 Thanks for checking.
 
 FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
 and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
 be a Debian change that breaks it. Maybe -Dusethreads or something like
 that.
 
 I'll keep looking and send an update when I know more.


The perl I built and tested with was made with ithreads enabled.

There is an alternative patch to fix this test, submitted to mod_perl's
rt.cpan.org queue after I'd applied the patch from the perl5-security
queue on rt.perl.org:

https://rt.cpan.org/Ticket/Display.html?id=83916

I haven't tried it myself yet, but is that any better for you?





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-14 Thread Salvatore Bonaccorso
Hi all

On Thu, Mar 14, 2013 at 08:54:06AM -, Steve Hay wrote:
 Niko Tyni wrote on 2013-03-13:
  On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
  Dominic Hargreaves wrote on 2013-03-12:
  
  When trying to fix this issue in Debian stable, I found that the patch
  at
  
  http://svn.apache.org/viewvc?view=revision&revision=1455340
  
  does not stop the test failing when applied to 2.0.4 (as currently
  found in Debian stable) and built against the current perl package
  in Debian stable (5.10 + the rehashing fix).
  
  I haven't looked at the Debian package, or tried anything with
  mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
  Perl git repo (in fact, I took the snapshot at
  http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
  and tried that with Apache 2.2.22 and mod_perl from trunk and the
  tests all pass for me... (This is on Windows 7 x64 with VC++ 2010.)
  
  Thanks for checking.
  
  FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
  and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to
  be a Debian change that breaks it. Maybe -Dusethreads or something like
  that.
  
  I'll keep looking and send an update when I know more.
 
 
 The perl I built and tested with was made with ithreads enabled.
 
 There is an alternative patch to fix this test, submitted to mod_perl's
 rt.cpan.org queue after I'd applied the patch from the perl5-security
 queue on rt.perl.org:
 
 https://rt.cpan.org/Ticket/Display.html?id=83916
 
 I haven't tried it myself yet, but is that any better for you?

I tried to rebuild the Squeeze package with the mentioned first patch,
the package builds now. Disclaimer: only did the build but haven't
looked what's actually changing importantly.

Thank you Steve.

Regards,
Salvatore


libapache2-mod-perl2_2.0.4-7+squeeze1_amd64.build.gz
Description: Binary data


Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-13 Thread Steve Hay
Dominic Hargreaves wrote on 2013-03-12:
 Hello,
 
 When trying to fix this issue in Debian stable, I found that the patch
 at
 
 http://svn.apache.org/viewvc?view=revision&revision=1455340
 
 does not stop the test failing when applied to 2.0.4 (as currently
 found in Debian stable) and built against the current perl package in
 Debian stable (5.10 + the rehashing fix). t/logs/error_log simply
 says:
 
 [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, fh3Makefile line 1.\n
 
 This is the change:
 
 http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918
 
 which differs a bit from that applied to 5.14:
 
 http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2
 
 although interestingly both test changes are identical.
 
 Help to pin down this difference in behaviour would be appreciated.
 
 The source for the package in question is at
 
 http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
 
 Thanks,
 Dominic.



I haven't looked at the Debian package, or tried anything with
mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
Perl git repo (in fact, I took the snapshot at
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
and tried that with Apache 2.2.22 and mod_perl from
trunk and the tests all pass for me... (This is on Windows 7 x64 with
VC++ 2010.)





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-13 Thread Niko Tyni
On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
 Dominic Hargreaves wrote on 2013-03-12:

  When trying to fix this issue in Debian stable, I found that the patch
  at
  
  http://svn.apache.org/viewvc?view=revision&revision=1455340
  
  does not stop the test failing when applied to 2.0.4 (as currently
  found in Debian stable) and built against the current perl package in
  Debian stable (5.10 + the rehashing fix). 

 I haven't looked at the Debian package, or tried anything with
 mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
 Perl git repo (in fact, I took the snapshot at
 http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
 and tried that with Apache 2.2.22 and mod_perl from
 trunk and the tests all pass for me... (This is on Windows 7 x64 with
 VC++ 2010.)

Thanks for checking.

FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
a Debian change that breaks it. Maybe -Dusethreads or something like that.

I'll keep looking and send an update when I know more.
-- 
Niko Tyni   nt...@debian.org





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-13 Thread Niko Tyni
On Wed, Mar 13, 2013 at 10:24:36PM +0200, Niko Tyni wrote:
 On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
  Dominic Hargreaves wrote on 2013-03-12:
 
   When trying to fix this issue in Debian stable, I found that the patch at
   
   http://svn.apache.org/viewvc?view=revision&revision=1455340
   
   does not stop the test failing when applied to 2.0.4 (as currently
   found in Debian stable) and built against the current perl package in
   Debian stable (5.10 + the rehashing fix). 

 FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
 mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
 a Debian change that breaks it. Maybe -Dusethreads or something like that.

(Trimming cc's, switching just to the BTS for now.)

With the squeeze package versions, I've narrowed the failure to

 t/TEST t/directive/perlrequire.t t/modules/apache_status.t t/perl/api.t t/perl/hash_attack.t

It looks like t/perl/api.t is generated on the first 'make test' run;
bisecting it might help in narrowing the case more.

Running t/TEST with -trace=debug gives this output in t/logs/error_log 
when the test fails:

[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:gg, 6b046200 29/64
[  debug]  2:ne, 3c1dfc00 29/64
[  debug]  3:qz, c17f0400 29/64
[  debug]  4:sp, b886f000 29/64
[  debug]  5:   abp, b1672800 29/64
[  debug]  6:   bmt, 684fe600 29/64
[  debug]  7:   bqy, deb4e000 29/64
[  debug]  8:   bsg, 7be61400 29/64
[  debug]  9:   bvh, 4be1be00 29/64
[  debug] 10:   cfy, abe7f600 29/64
[  debug] 11:   elg, 06df9e00 29/64
[  debug] 12:   fra, 0001b600 29/64
[  debug] 13:   fvi, 95c6e600 29/64
[  debug] 14:   hkj, 97ab7000 29/64
[  debug] 15:   ifc, a458ee00 29/64
[  debug] 16:   ila, aab6e200 29/64
[  debug] pad keys from 56 to 64

and this one when it's OK (for example by excluding t/perlapi.t above):

[  debug] starting attack (it may take a long time!)
[  debug] mask: 511 (9)
[  debug]  1:gg, 6b046200 28/64
[  debug]  2:ne, 3c1dfc00 28/64
[  debug]  3:qz, c17f0400 28/64
[  debug]  4:sp, b886f000 28/64
[  debug]  5:   abp, b1672800 28/64
[  debug]  6:   bmt, 684fe600 28/64
[  debug]  7:   bqy, deb4e000 28/64
[  debug]  8:   bsg, 7be61400 28/64
[  debug]  9:   bvh, 4be1be00 28/64
[  debug] 10:   cfy, abe7f600 28/64
[  debug] 11:   elg, 06df9e00 28/64
[  debug] 12:   fra, 0001b600 28/64
[  debug] 13:   fvi, 95c6e600 28/64
[  debug] 14:   hkj, 97ab7000 28/64
[  debug] 15:   ifc, a458ee00 28/64
[  debug] 16:   ila, aab6e200 28/64
[  debug] pad keys from 55 to 64
[  debug] ending attack

Probably we just need a bit more tolerance somewhere in
t/response/TestPerl/hash_attack.pm but I'm out of hack
time tonight.
-- 
Niko Tyni   nt...@debian.org
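
Added example, not part of Niko Tyni's message or of mod_perl's test code: a Python check that recomputes the key hashes printed in the trace above and reports which bucket each key selects under mask 511. It assumes the hash is the Jenkins one-at-a-time function used by Perl 5.10 with a seed of 0; `one_at_a_time` and `check_trace` are names chosen for this example.

```python
# Added example: recompute the key hashes printed in the -trace=debug output.
# Assumption: Jenkins one-at-a-time (Perl 5.10's PERL_HASH) with seed 0.
M32 = 0xFFFFFFFF
MASK = 511  # "mask: 511 (9)" in the trace: the low 9 bits select the bucket

# Key and hash columns copied from the trace in the message above.
TRACE = """
gg 6b046200
ne 3c1dfc00
qz c17f0400
sp b886f000
abp b1672800
bmt 684fe600
bqy deb4e000
bsg 7be61400
bvh 4be1be00
cfy abe7f600
elg 06df9e00
fra 0001b600
fvi 95c6e600
hkj 97ab7000
ifc a458ee00
ila aab6e200
"""

def one_at_a_time(key: bytes, seed: int = 0) -> int:
    """32-bit Jenkins one-at-a-time hash."""
    h = seed
    for byte in key:
        h = (h + byte) & M32
        h = (h + (h << 10)) & M32
        h ^= h >> 6
    h = (h + (h << 3)) & M32
    h ^= h >> 11
    return (h + (h << 15)) & M32

def check_trace(trace: str = TRACE, mask: int = MASK):
    """Return (keys whose recomputed hash differs from the log, bucket indexes hit)."""
    mismatches, buckets = [], set()
    for line in trace.split("\n"):
        if not line.strip():
            continue
        key, logged = line.split()
        h = one_at_a_time(key.encode("ascii"))
        if h != int(logged, 16):
            mismatches.append(key)
        buckets.add(h & mask)
    return mismatches, buckets

if __name__ == "__main__":
    bad, buckets = check_trace()
    print("hash mismatches:", bad)
    print("buckets under mask %d: %s" % (MASK, sorted(buckets)))
```

Every logged key reproduces its logged hash and selects bucket 0, so the key list is identical in the failing and passing runs. The two traces differ only in the NN/64 column (29 versus 28), the pad start (56 versus 55) and the missing "ending attack" line.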





Bug#702821: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-12 Thread Dominic Hargreaves
Hello,

When trying to fix this issue in Debian stable, I found that the
patch at

http://svn.apache.org/viewvc?view=revision&revision=1455340

does not stop the test failing when applied to 2.0.4 (as currently
found in Debian stable) and built against the current perl package
in Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:

[Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, fh3Makefile line 1.\n

This is the change:

http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918

which differs a bit from that applied to 5.14:

http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2

although interestingly both test changes are identical.

Help to pin down this difference in behaviour would be appreciated.

The source for the package in question is at

http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

