[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
This bug was fixed in the package libapache2-mod-auth-pgsql - 2.0.3-6ubuntu0.1 --- libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) trusty; urgency=medium * d/p/fixdoublefree.patch: set freed pointers to NULL before subsequent checks against NULL. (LP: #1272857) * d/p/crypt-check-null-1698758.patch: check for a NULL return from crypt(3) (LP: #1698758) -- Andreas Hasenack Thu, 22 Jun 2017 16:54:09 -0300 ** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
(it doesn't look like there is anything left to review/upload so unsubscribing sponsors) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
Trusty verification Confirmed the segfault with libapache2-mod-auth-pgsql 2.0.3-6: ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl curl: (52) Empty reply from server logs: *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7effd80007c8 *** [Thu Aug 03 14:03:55.357288 2017] [core:notice] [pid 6943:tid 139637886596992] AH00051: child pid 6947 exit signal Aborted (6), possible coredump in /etc/apache2 Installing the version from proposed: (...) Get:1 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main libapache2-mod-auth-pgsql amd64 2.0.3-6ubuntu0.1 [18.6 kB] Fetched 18.6 kB in 0s (1,000 kB/s) (Reading database ... 26196 files and directories currently installed.) Preparing to unpack .../libapache2-mod-auth-pgsql_2.0.3-6ubuntu0.1_amd64.deb ... Unpacking libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) over (2.0.3-6) ... Setting up libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) ... apache2_invoke 000_auth_pgsql: already enabled * Restarting web server apache2 Repeating the test several times, no crash: ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ubuntu@trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl Hello, World! ** Tags removed: verification-needed ** Tags added: verification-done-xenial ** Tags removed: verification-done-xenial ** Tags added: verification-done-trusty ** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
Hello mubm, or anyone else affected, Accepted libapache2-mod-auth-pgsql into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/libapache2-mod-auth- pgsql/2.0.3-6ubuntu0.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
** Description changed:
[Impact]
+ The libapache2-mod-auth-pgsql module will trigger frequent segfaults in
apache if used in conjunction with a CGI script.
- * An explanation of the effects of the bug on users and
-
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
-explanation of how the upload fixes this bug.
[Test Case]
* install the packages on the Ubuntu release you are testing:
$ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
* create the database and populate it with the test user:
$ sudo -u postgres -H createdb userdb
$ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text,
ApachePassword text);"
$ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu',
'secret');"
* Create the DB user the module will use and grant access to the user table:
$ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
$ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
* Create /etc/apache2/conf-available/authpgtest.conf with the following
content:
Alias /authpgtest /export/scratch/authpgtest
- Options +ExecCGI +FollowSymLinks
- AddHandler cgi-script .pl
- AuthType basic
- AuthName "My Auth"
- Require valid-user
- AuthBasicProvider pgsql
- Auth_PG_authoritative On
- Auth_PG_host 127.0.0.1
- Auth_PG_port 5432
- Auth_PG_user www
- Auth_PG_pwd password
- Auth_PG_database userdb
- Auth_PG_encrypted off
- Auth_PG_pwd_table UserLogin
- Auth_PG_uid_field Username
- Auth_PG_pwd_field ApachePassword
+ Options +ExecCGI +FollowSymLinks
+ AddHandler cgi-script .pl
+ AuthType basic
+ AuthName "My Auth"
+ Require valid-user
+ AuthBasicProvider pgsql
+ Auth_PG_authoritative On
+ Auth_PG_host 127.0.0.1
+ Auth_PG_port 5432
+ Auth_PG_user www
+ Auth_PG_pwd password
+ Auth_PG_database userdb
+ Auth_PG_encrypted off
+ Auth_PG_pwd_table UserLogin
+ Auth_PG_uid_field Username
+ Auth_PG_pwd_field ApachePassword
* Enable this new configuration:
$ sudo a2enconf authpgtest.conf
* Enable the auth-pgsql and cgi modules and then restart apache:
$ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
$ sudo service apache2 restart
* Create the CGI directory for our script:
$ sudo mkdir -p /export/scratch/authpgtest
* Create the CGI script /export/scratch/authpgtest/hw.pl with the following
contents:
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World!\n";
* Make it executable:
$ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
-
* Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times
while tailing /var/log/apache/error.log. After a few tries it will fail, and
apache will log a segfault:
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
curl: (52) Empty reply from server
In /var/log/apache2/error.log:
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7fa9340007c8
***
[Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid
140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible
coredump in /etc/apache2
-
- After installing the fixed libapache2-mod-auth-pgsql package, all attempts
will work.
+ After installing the fixed libapache2-mod-auth-pgsql package, all
+ attempts will work.
- [Regression Potential]
+ [Regression Potential]
+ This patch is already being used in Ubuntu releases higher than trusty, all
the way to artful, and also in Debian.
- * discussion of how regressions are most likely to manifest as a result
- of this change.
+ This is a very old module that hasn't been built in a while (see [other
+ info] below. It's possible that just by rebuilding it with the new
+ environment available in Trusty could introduce unknowns. Hopefully, if
+ that happens, it will be immediately noticed by the people who use it
+ and will test this SRU.
- * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and
the Technical Board
- * and address these questions in advance
+ This module hasn't been rebuilt since vivid and seems unmaintained, being at
version 2.0.3 since the precise days:
+ libapache2-mod
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
** Description changed:
- Ubuntu Trusty Tahr 14.04
+ [Impact]
- apache2:
- Installed: 2.4.7-1ubuntu1
- Candidate: 2.4.7-1ubuntu1
- Version table:
- *** 2.4.7-1ubuntu1 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+ * An explanation of the effects of the bug on users and
- Just maked a following steps:
- - sudo apt-get update
- - sudo apt-get upgrade
+ * justification for backporting the fix to the stable release.
- ProblemType: Crash
- DistroRelease: Ubuntu 14.04
- Package: apache2-bin 2.4.7-1ubuntu1
- ProcVersionSignature: Ubuntu 3.13.0-4.19-generic 3.13.0-rc8
- Uname: Linux 3.13.0-4-generic x86_64
- NonfreeKernelModules: nvidia
- ApportVersion: 2.13.1-0ubuntu2
- Architecture: amd64
- Date: Sun Jan 26 00:07:10 2014
- ExecutablePath: /usr/sbin/apache2
- InstallationDate: Installed on 2012-12-19 (402 days ago)
- InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64+mac
(20111012)
- ProcCmdline: /usr/sbin/apache2 -k start
- ProcEnviron:
- PATH=(custom, no user)
- LANG=C
- SegvAnalysis:
- Segfault happened at: 0x7f197ce45bb2:and%al,(%rax)
- PC (0x7f197ce45bb2) ok
- source "%al" ok
- destination "(%rax)" (0x) not located in a known VMA region (needed
writable region)!
- SegvReason: writing NULL VMA
- Signal: 11
- SourcePackage: apache2
- StacktraceTop:
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
-
- __accept_nocancel () at ../sysdeps/unix/syscall-template.S:81
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
- Title: apache2 crashed with SIGSEGV in ()
- UpgradeStatus: Upgraded to trusty on 2013-11-10 (76 days ago)
- UserGroups:
+ * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * install the packages on the Ubuntu release you are testing:
+ $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
+
+ * create the database and populate it with the test user:
+ $ sudo -u postgres -H createdb userdb
+ $ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text,
ApachePassword text);"
+ $ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu',
'secret');"
+
+ * Create the DB user the module will use and grant access to the user table:
+ $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
+ $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
+
+ * Create /etc/apache2/conf-available/authpgtest.conf with the following
content:
+ Alias /authpgtest /export/scratch/authpgtest
+
+ Options +ExecCGI +FollowSymLinks
+ AddHandler cgi-script .pl
+ AuthType basic
+ AuthName "My Auth"
+ Require valid-user
+ AuthBasicProvider pgsql
+ Auth_PG_authoritative On
+ Auth_PG_host 127.0.0.1
+ Auth_PG_port 5432
+ Auth_PG_user www
+ Auth_PG_pwd password
+ Auth_PG_database userdb
+ Auth_PG_encrypted off
+ Auth_PG_pwd_table UserLogin
+ Auth_PG_uid_field Username
+ Auth_PG_pwd_field ApachePassword
+
+
+ * Enable this new configuration:
+ $ sudo a2enconf authpgtest.conf
+
+ * Enable the auth-pgsql and cgi modules and then restart apache:
+ $ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
+ $ sudo service apache2 restart
+
+ * Create the CGI directory for our script:
+ $ sudo mkdir -p /export/scratch/authpgtest
+
+ * Create the CGI script /export/scratch/authpgtest/hw.pl with the following
contents:
+ #!/usr/bin/perl
+ print "Content-type: text/html\n\n";
+ print "Hello, World!\n";
+
+ * Make it executable:
+ $ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
+
+
+ * Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times
while tailing /var/log/apache/error.log. After a few tries it will fail, and
apache will log a segfault:
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ curl: (52) Empty reply from server
+
+ In /var/log/apache2/error.log:
+ *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7fa9340007c8
***
+ [Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid
140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible
coredump in /etc/apache2
+
+
+ After installing the fixed libapache2-mod-auth-pgsql package, all attempts
will work.
+
+
+ [Regression Potential]
+
+ * discussion of how regressions are most likely to manifest as a result
+ of this change.
+
+ * It is assumed that any SRU candidate patch is well-tested before
+upload and has a low overall risk of regression, but it's important
+to make the effort to think about what ''could'' happen in the
+event of a regression.
+
+ * This both shows the SRU t
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod-auth-pgsql/+git/libapache2-mod-auth-pgsql/+merge/327657 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
debdiff for trusty ** Patch added: "trusty-libapache2-mod-auth-pgsql.debdiff" https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+attachment/4917186/+files/trusty-libapache2-mod-auth-pgsql.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
I have a branch (https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod- auth-pgsql/+git/libapache2-mod-auth-pgsql/+ref/trusty-check-null-double- free-1698758-1272857) to SRU this fix and bug #1698758 at the same time. Just waiting on the latter to land in artful, then the SRU floodgates can open. ** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
Still no build for Trusty. I would really appreciate if someone could fix that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
** Changed in: libapache2-mod-auth-pgsql (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1272857 Title: Double free in libapache2-mod-auth-pgsql causes Apache to crash To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
