[Bug 1698758] Re: Encrypted password causes segmentation fault

2024-05-01 Thread Bug Watch Updater
** Changed in: libapache2-mod-auth-pgsql (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1698758

Title:
  Encrypted password causes segmentation fault

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1698758] Re: Encrypted password causes segmentation fault

2020-06-09 Thread Robie Basak
** Tags removed: server-next


[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-10 Thread Launchpad Bug Tracker
This bug was fixed in the package libapache2-mod-auth-pgsql -
2.0.3-6.1ubuntu0.16.04.1

---
libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.16.04.1) xenial; urgency=medium

  * d/p/crypt-check-null-1698758.patch: check for a NULL return from crypt(3)
(LP: #1698758)

 -- Andreas Hasenack   Thu, 22 Jun 2017 16:35:37 -0300

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Status: Fix Committed => Fix Released



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-10 Thread Launchpad Bug Tracker
This bug was fixed in the package libapache2-mod-auth-pgsql -
2.0.3-6ubuntu0.1

---
libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) trusty; urgency=medium

  * d/p/fixdoublefree.patch: set freed pointers to NULL before subsequent
checks against NULL. (LP: #1272857)
  * d/p/crypt-check-null-1698758.patch: check for a NULL return from crypt(3)
(LP: #1698758)

 -- Andreas Hasenack   Thu, 22 Jun 2017 16:54:09 -0300

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Status: Fix Committed => Fix Released



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-10 Thread Launchpad Bug Tracker
This bug was fixed in the package libapache2-mod-auth-pgsql -
2.0.3-6.1ubuntu0.17.04.1

---
libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.17.04.1) zesty; urgency=medium

  * d/p/crypt-check-null-1698758.patch: check for a NULL return from crypt(3)
(LP: #1698758)

 -- Andreas Hasenack   Thu, 22 Jun 2017 16:08:38 -0300



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-08 Thread Andreas Hasenack
** Tags removed: verification-needed
** Tags added: verification-done



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-03 Thread Andreas Hasenack
Trusty verification

Crash confirmed with libapache2-mod-auth-pgsql 2.0.3-6. Curiously, with more than just the "ubuntu-invalidhash" user:
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 52
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 52
Testing ubuntu-sha512... 0
Testing ubuntu-des... 52

The invalidhash user produced a segfault:
[Thu Aug 03 14:36:27.775572 2017] [core:notice] [pid 6989:tid 140610926643072] AH00051: child pid 8101 exit signal Segmentation fault (11), possible coredump in /etc/apache2


The sha256 and des ones died because of something else:
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x7fe2680007c8 ***
[Thu Aug 03 14:36:59.810618 2017] [core:notice] [pid 6989:tid 140610926643072] AH00051: child pid 8670 exit signal Aborted (6), possible coredump in /etc/apache2

Maybe this is the double free bug #1272857 happening in a non-CGI context, because if I try it multiple times, it works sometimes:
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ curl -f http://ubuntu-sha256:secret@localhost/ -o /dev/null -s;echo $?
0
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ curl -f http://ubuntu-sha256:secret@localhost/ -o /dev/null -s;echo $?
52
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ curl -f http://ubuntu-sha256:secret@localhost/ -o /dev/null -s;echo $?
0
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ curl -f http://ubuntu-sha256:secret@localhost/ -o /dev/null -s;echo $?
52
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ curl -f http://ubuntu-sha256:secret@localhost/ -o /dev/null -s;echo $?
0


Moving on. Let's install the package from proposed:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main libapache2-mod-auth-pgsql amd64 2.0.3-6ubuntu0.1 [18.6 kB]
Fetched 18.6 kB in 0s (0 B/s)
(Reading database ... 26196 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-auth-pgsql_2.0.3-6ubuntu0.1_amd64.deb ...
Unpacking libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) over (2.0.3-6) ...
Setting up libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) ...
apache2_invoke 000_auth_pgsql: already enabled
 * Restarting web server apache2
   ...done.


No crash now with the auth loop, even if run multiple times:
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 22
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 0
Testing ubuntu-sha512... 0
Testing ubuntu-des... 0

And the apache error logs show just the expected unsupported crypt format:
ubuntu@trust-mod-auth-pgsql-crypt-segfault-1698758:~$ tail -n 2 /var/log/apache2/error.log
[Thu Aug 03 14:39:30.464138 2017] [auth_pgsql:error] [pid 10843:tid 140107864598272] [client 127.0.0.1:42120] [mod_auth_pgsql.c] - ERROR - PG user ubuntu-invalidhash: unsupported CRYPT format
[Thu Aug 03 14:39:30.464252 2017] [auth_basic:error] [pid 10843:tid 140107864598272] [client 127.0.0.1:42120] AH01617: user ubuntu-invalidhash: authentication failure for "/": Password Mismatch


** Tags added: verification-done-trusty



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-03 Thread Andreas Hasenack
Xenial verification:

Crash confirmed with libapache2-mod-auth-pgsql 2.0.3-6.1:
ubuntu@xenial-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 52
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 0
Testing ubuntu-sha512... 0
Testing ubuntu-des... 0


apache error log:
ubuntu@xenial-mod-auth-pgsql-crypt-segfault-1698758:~$ tail -n 1 /var/log/apache2/error.log
[Thu Aug 03 14:25:13.785006 2017] [core:notice] [pid 4260:tid 139737623807872] AH00051: child pid 4263 exit signal Segmentation fault (11), possible coredump in /etc/apache2


Installing the package from proposed:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 libapache2-mod-auth-pgsql amd64 2.0.3-6.1ubuntu0.16.04.1 [18.5 kB]
Fetched 18.5 kB in 0s (266 kB/s)
(Reading database ... 26956 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-auth-pgsql_2.0.3-6.1ubuntu0.16.04.1_amd64.deb ...
Unpacking libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.16.04.1) over (2.0.3-6.1) ...
Setting up libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.16.04.1) ...
apache2_invoke 000_auth_pgsql: already enabled

Retrying the loop, this time we get just the auth error:
ubuntu@xenial-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 22
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 0
Testing ubuntu-sha512... 0
Testing ubuntu-des... 0

apache error log shows the unsupported hash format and no crash:
ubuntu@xenial-mod-auth-pgsql-crypt-segfault-1698758:~$ tail -n 2 /var/log/apache2/error.log
[Thu Aug 03 14:26:49.400099 2017] [auth_pgsql:error] [pid 4747:tid 140520391177984] [client 127.0.0.1:41554] [mod_auth_pgsql.c] - ERROR - PG user ubuntu-invalidhash: unsupported CRYPT format
[Thu Aug 03 14:26:49.400440 2017] [auth_basic:error] [pid 4747:tid 140520391177984] [client 127.0.0.1:41554] AH01617: user ubuntu-invalidhash: authentication failure for "/": Password Mismatch


** Tags added: verification-done-xenial



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-03 Thread Andreas Hasenack
Zesty verification

Crash reproduced with libapache2-mod-auth-pgsql 2.0.3-6.1:

ubuntu@zesty-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 52
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 0
Testing ubuntu-sha512... 0
Testing ubuntu-des... 0

error log:
ubuntu@zesty-mod-auth-pgsql-crypt-segfault-1698758:~$ tail /var/log/apache2/error.log -n 1
[Thu Aug 03 14:16:55.592332 2017] [core:notice] [pid 4331:tid 139808776572416] AH00051: child pid 4333 exit signal Segmentation fault (11), possible coredump in /etc/apache2


Upgrading to the proposed package:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu zesty-proposed/main amd64 libapache2-mod-auth-pgsql amd64 2.0.3-6.1ubuntu0.17.04.1 [18.4 kB]
Fetched 18.4 kB in 0s (236 kB/s)
(Reading database ... 28157 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-auth-pgsql_2.0.3-6.1ubuntu0.17.04.1_amd64.deb ...
Unpacking libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.17.04.1) over (2.0.3-6.1) ...
Setting up libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu0.17.04.1) ...
apache2_invoke 000_auth_pgsql: already enabled


Retrying the loop:
ubuntu@zesty-mod-auth-pgsql-crypt-segfault-1698758:~$ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s; echo $?; done
Testing ubuntu-invalidhash... 22
Testing ubuntu-md5... 0
Testing ubuntu-sha256... 0
Testing ubuntu-sha512... 0
Testing ubuntu-des... 0


Server error logs show no crash, and the unsupported hash format:
[Thu Aug 03 14:20:52.401265 2017] [auth_pgsql:error] [pid 4786:tid 140649768675072] [client 127.0.0.1:41358] [mod_auth_pgsql.c] - ERROR - PG user ubuntu-invalidhash: unsupported CRYPT format
[Thu Aug 03 14:20:52.401536 2017] [auth_basic:error] [pid 4786:tid 140649768675072] [client 127.0.0.1:41358] AH01617: user ubuntu-invalidhash: authentication failure for "/": Password Mismatch


** Tags added: verification-done-zesty



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-08-02 Thread Chris J Arges
Hello John, or anyone else affected,

Accepted libapache2-mod-auth-pgsql into xenial-proposed. The package
will build now and be available at
https://launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/2.0.3-6.1ubuntu0.16.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Status: In Progress => Fix Committed



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  The libapache2-mod-auth-pgsql module will cause a segfault error in apache if 
its encrypted support is enabled ("Auth_PG_encrypted on") and a hash format not 
supported by crypt(3) is used.
  
  Since this is an apache module, users might be tempted to use
  htpasswd(1) to generate such hashes. The option to generate SHA hashes
  (-s) in particular will generate a hash incompatible with crypt(3),
  which will then return NULL and cause the segfault in unpatched versions
  of this apache module.
  
  The fix catches the situation when crypt(3) returns NULL and logs the
  event as an unsupported hash type being found, and denies the login.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  To try each test login, use a loop like this:
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 52
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
  Error 52 means "empty reply from server". That's when apache segfaulted:
  [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
  
  With the fixed version of libapache2-mod-auth-pgsql, the test loop will
  just record a normal authentication problem for the ubuntu-invalidhash
  user (since the hash is not supported) instead of an "empty reply from
  server":
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 22
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
  And we get this fact logged:
  [Wed Jul 19 19:38:56.547337 2017] [auth_pgsql:error] [pid 10035:tid 
140550732678912] [client 127.0.0.1:56946] [mod_auth_pgsql.c] - ERROR - PG user 
ubuntu-invalidhash: unsupported CRYPT format
  
  [Regression Potential]
+ The patch seems pretty straight forward and uses a well documented crypt(3) 
return value in the case of errors.
  
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
+ This is a very old module that hasn't been built in a while (see [other
+ info] below. It's possible that just by rebuilding it with the new
+ environment available in each ubuntu release since vivid could introduce
+ unknowns. Hopefully, if that happens, it will be immediately noticed by
+ the people who use it and will test this SRU.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ Upstream doesn't have a bugtracker or public code hosting that I could
+ find, so I forwarded the patch via email. No response so far.
+ 
+ This module hasn't been rebuilt since vivid and seems unmaintained, being at 
version 2.0.3 since the precise days:
+  libapache2-mod-auth-pgsql | 2.0.3-5build2| precise
+  liba
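
The changelog entries above ("check for a NULL return from crypt(3)") and the [Impact] text describe the bug as the result of crypt(3) going straight into a string comparison. The C below is an added example written for this page, not code from mod_auth_pgsql, from the Ubuntu patch, or from any Launchpad attachment: it puts the unchecked pattern (check_password_vulnerable) next to a hardened check (check_password_fixed). The real crypt(3) needs libcrypt at link time and its failure behaviour differs by implementation (glibc returns NULL; libxcrypt documents a "*0"/"*1" failure token instead), so the example takes the hash function as a pointer and ships two constructed stand-ins, fake_crypt_glibc() and fake_crypt_libxcrypt(), whose "digest" is an FNV-1a hex string and not a real password hash. Every function and enum name here, and the "{SHA}x=" sample string standing in for an htpasswd -s hash, is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* Signature of crypt(3); the real one from <crypt.h> fits this pointer. */
typedef char *(*crypt_fn)(const char *key, const char *setting);
enum auth_result { AUTH_GRANTED = 0, AUTH_DENIED = 1, AUTH_UNSUPPORTED = 2 };

/* Settings this example understands: $1$/$5$/$6$ (the MD5, SHA-256 and SHA-512
 * families) or a two-character traditional DES salt.  "{SHA}..." as produced by
 * htpasswd -s is deliberately not among them, just as with the real crypt(3). */
static int setting_supported(const char *s)
{
    static const char salt_chars[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (!strncmp(s, "$1$", 3) || !strncmp(s, "$5$", 3) || !strncmp(s, "$6$", 3))
        return 1;
    return strlen(s) >= 2 && strchr(salt_chars, s[0]) && strchr(salt_chars, s[1]);
}

/* Toy digest (assumption: FNV-1a over prefix+key, NOT a password hash) appended
 * to the "$id$salt$" or DES prefix, in a static buffer like crypt(3) uses. */
static char *toy_hash(const char *key, const char *setting)
{
    static char out[128];
    size_t plen = 2;                                   /* DES: two salt chars */
    if (setting[0] == '$') {
        const char *p = strchr(setting + 1, '$');      /* closes "$id" */
        if (p == NULL) return NULL;
        const char *q = strchr(p + 1, '$');            /* closes the salt */
        plen = (size_t)((q ? q : p) - setting) + 1;
    }
    if (plen + 17 > sizeof out) return NULL;
    memcpy(out, setting, plen);
    unsigned long long h = 14695981039346656037ULL;
    for (size_t i = 0; i < plen; i++)
        h = (h ^ (unsigned char)setting[i]) * 1099511628211ULL;
    for (const unsigned char *k = (const unsigned char *)key; *k; k++)
        h = (h ^ *k) * 1099511628211ULL;
    snprintf(out + plen, sizeof out - plen, "%016llx", h);
    return out;
}

/* Constructed stand-in for glibc's crypt(3): NULL for an unknown setting. */
char *fake_crypt_glibc(const char *key, const char *setting)
{
    return setting_supported(setting) ? toy_hash(key, setting) : NULL;
}

/* Constructed stand-in for libxcrypt's crypt(3): instead of NULL it returns
 * the failure token "*0" ("*1" when the setting itself starts with "*0"). */
char *fake_crypt_libxcrypt(const char *key, const char *setting)
{
    if (!setting_supported(setting))
        return strncmp(setting, "*0", 2) == 0 ? "*1" : "*0";
    return toy_hash(key, setting);
}

/* Compare without stopping at the first differing byte. */
static int ct_str_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Unpatched pattern: the crypt() result goes straight into strcmp(), so a NULL
 * return is dereferenced and the Apache worker dies with SIGSEGV (curl: 52). */
int check_password_vulnerable(crypt_fn cf, const char *password, const char *stored)
{
    return strcmp(cf(password, stored), stored) == 0 ? AUTH_GRANTED : AUTH_DENIED;
}

/* Hardened check: refuse NULL and any '*'-prefixed failure token before touching
 * the result, log it as an unsupported format, and deny the login (curl: 22). */
int check_password_fixed(crypt_fn cf, const char *password, const char *stored)
{
    if (stored == NULL || stored[0] == '\0')
        return AUTH_DENIED;                       /* nothing on file to compare */
    const char *computed = cf(password, stored);
    if (computed == NULL || computed[0] == '*') {
        fprintf(stderr, "ERROR - unsupported CRYPT format\n");
        return AUTH_UNSUPPORTED;
    }
    return ct_str_equal(computed, stored) ? AUTH_GRANTED : AUTH_DENIED;
}

int main(void)
{
    static const char *name[] = { "granted", "denied", "unsupported" };
    char stored[128];                       /* enrol "secret" with a $6$ setting */
    snprintf(stored, sizeof stored, "%s", fake_crypt_glibc("secret", "$6$salt$"));
    printf("$6$ hash, right password:   %s\n", name[check_password_fixed(fake_crypt_glibc, "secret", stored)]);
    printf("{SHA} hash, glibc (NULL):   %s\n", name[check_password_fixed(fake_crypt_glibc, "secret", "{SHA}x=")]);
    printf("{SHA} hash, libxcrypt (*0): %s\n", name[check_password_fixed(fake_crypt_libxcrypt, "secret", "{SHA}x=")]);
    /* check_password_vulnerable(fake_crypt_glibc, "secret", "{SHA}x=") would crash here. */
    return 0;
}
```

Passing the real crypt from <crypt.h> as the function pointer works unchanged (link with -lcrypt). The second condition in check_password_fixed() is the caveat worth carrying: a NULL check alone, which is what the SRU patch adds, is exactly right for glibc's crypt, but it never fires under libxcrypt, whose failure result is a non-NULL "*0"/"*1" string that then simply fails the comparison. Rejecting anything that begins with '*' covers both libraries explicitly, refuses to authenticate against a stored value that is itself a failure token, and keeps the "unsupported CRYPT format" log line meaningful regardless of which libcrypt the module ends up linked against.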

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
   ubuntu-invalidhash
   ubuntu-md5
   ubuntu-sha256
   ubuntu-sha512
   ubuntu-des
  
- The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
- for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
- Testing ubuntu-invalidhash... FAIL
- Testing ubuntu-md5... OK
- Testing ubuntu-sha256... OK
- Testing ubuntu-sha512... OK
- Testing ubuntu-des... OK
+ To test each login, use a loop like this:
  
- The fixed version must have all tests with the result OK.
+ $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
+ Testing ubuntu-invalidhash... 52
+ Testing ubuntu-md5... 0
+ Testing ubuntu-sha256... 0
+ Testing ubuntu-sha512... 0
+ Testing ubuntu-des... 0
+ 
+ The apache logs will show the segfault when ubuntu-invalidhash is tried:
+ [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
+ 
+ Trying just that one manually:
+ $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
+   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
+  Dload  Upload   Total   SpentLeft  Speed
+   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
+ curl: (52) Empty reply from server
+ 
+ With the fixed version of libapache2-mod-auth-pgsql, the test loop will
+ just record a normal authentication problem for the ubuntu-invalidhash
+ user (since the hash is not supported) instead of an "empty reply from
+ server":
+ 
+ $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
+   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
+  Dload  Upload   Total   SpentLeft  Speed
+   0   4560 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
+ curl: (22) The requested URL returned error: 401
+ 
+ And the test loop will return 22 for that user, and no errors for the rest:
+ $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
+ Testing ubuntu-invalidhash... 22
+ Testing ubuntu-md5... 0
+ Testing ubuntu-sha256... 0
+ Testing ubuntu-sha512... 0
+ Testing ubuntu-des... 0
+ 
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to 

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
  * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
- This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
-  ubuntu-invalidhash
-  ubuntu-md5
-  ubuntu-sha256
-  ubuntu-sha512
-  ubuntu-des
  
- To test each login, use a loop like this:
+ To try each test login, use a loop like this:
  
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 52
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
  
- The apache logs will show the segfault when ubuntu-invalidhash is tried:
+ Error 52 means "empty reply from server". That's when apache segfaulted:
  [Wed Jul 19 19:28:13.808711 2017] [core:notice] [pid 9499:tid 
140330145511296] AH00051: child pid 9677 exit signal Segmentation fault (11), 
possible coredump in /etc/apache2
- 
- Trying just that one manually:
- $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
-   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
-  Dload  Upload   Total   SpentLeft  Speed
-   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
- curl: (52) Empty reply from server
  
  With the fixed version of libapache2-mod-auth-pgsql, the test loop will
  just record a normal authentication problem for the ubuntu-invalidhash
  user (since the hash is not supported) instead of an "empty reply from
  server":
  
- $ curl http://ubuntu-invalidhash:secret@localhost -o /dev/null -f
-   % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
-  Dload  Upload   Total   SpentLeft  Speed
-   0   4560 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
- curl: (22) The requested URL returned error: 401
- 
- And the test loop will return 22 for that user, and no errors for the rest:
  $ for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s; result=$?; echo $result; done
  Testing ubuntu-invalidhash... 22
  Testing ubuntu-md5... 0
  Testing ubuntu-sha256... 0
  Testing ubuntu-sha512... 0
  Testing ubuntu-des... 0
- 
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
   * and address these questions in advance

** Description changed:

  [Impact]
+ The libapache2-mod-auth-pgsql module will cause a segfault error in apache if 
its encrypted support is enabled ("Auth_PG_encrypted on") and a hash format not 
supported by crypt(3) is used.
  
-  * An 

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
- CREATE ROLE
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
- GRANT
  
  * Create the /var/www/html/.htaccess with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
- 
- * Setup access in apache by editing 
/etc/apache2/sites-enabled/000-default.conf and adding these lines somewhere 
inside the  section:
+ * Setup access in apache by editing /etc/apache2/sites-
+ enabled/000-default.conf and adding these lines somewhere inside the
+  section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
   ubuntu-invalidhash
   ubuntu-md5
   ubuntu-sha256
   ubuntu-sha512
   ubuntu-des
  
  The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
  for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
  Testing ubuntu-invalidhash... FAIL
  Testing ubuntu-md5... OK
  Testing ubuntu-sha256... OK
  Testing ubuntu-sha512... OK
  Testing ubuntu-des... OK
  
  The fixed version must have all tests with the result OK.
  
  [Regression Potential]
  
   * discussion of how regressions are most likely to manifest as a result
  of this change.
  
   * It is assumed that any SRU candidate patch is well-tested before
     upload and has a low overall risk of regression, but it's important
     to make the effort to think about what ''could'' happen in the
     event of a regression.
  
   * This both shows the SRU team that the risks have been considered,
     and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
  
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
   * and address these questions in advance

** Description changed:

  [Impact]
  
   * An explanation of the effects of the bug on users and
  
   * justification for backporting the fix to the stable release.
  
   * In addition, it is helpful, but not required, to include an
     explanation of how the upload fixes this bug.
  
  [Test Case]
  
  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
  
  * create the database and populate it with the test users from the attached 
test-users.sql file:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -f test-users.sql
  
  * Create the DB user we will use:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 
'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  
  * Grant access:
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
  
- * Create the /var/www/html/.htaccess with this content:
+ * Create the /var/www/html/.htaccess file with this content:
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted on
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
  
  * Setup access in apache by editing /etc/apache2/sites-
  enabled/000-default.conf and adding these lines somewhere inside the
   section:
  
  
  AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The databas

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
test users

** Description changed:

- I have configured a .htaccess to use libapache2-mod-auth-pgsql to
- authenticate a user against a postgres database. The settings are as
- follows:
+ [Impact]
  
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+ * install the packages:
+ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
+ 
+ * create the database and populate it:
+ $ sudo -u postgres -H createdb userdb
+ $ cat > /tmp/prepare.sql  /tmp/prepare.sql < lines:
  
  
- AllowOverride AuthConfig
+ AllowOverride AuthConfig
  
  
  * Enable the mod-auth-pgsql module:
  $ sudo a2enmod 000_auth_pgsql
  
  * Restart apache:
  $ sudo service apache2 restart
  
  This is now ready for testing. The database was populated with the following 
usernames, all with the same password "secret":
-  ubuntu-invalidhash
-  ubuntu-md5
-  ubuntu-sha256
-  ubuntu-sha512
-  ubuntu-des
+  ubuntu-invalidhash
+  ubuntu-md5
+  ubuntu-sha256
+  ubuntu-sha512
+  ubuntu-des
  
  The username that will cause a segfault is "ubuntu-invalidhash". To test each 
login, use a loop like this:
  for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 
ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o 
/dev/null -s && echo OK || echo FAIL; done
  Testing ubuntu-invalidhash... FAIL
  Testing ubuntu-md5... OK
  Testing ubuntu-sha256... OK
  Testing ubuntu-sha512... OK
  Testing ubuntu-des... OK
  
  The fixed version must have all tests with the result OK.
  
  [Regression Potential]
  
-  * discussion of how regressions are most likely to manifest as a result
+  * discussion of how regressions are most likely to manifest as a result
  of this change.
  
-  * It is assumed that any SRU candidate patch is well-tested before
-upload and has a low overall risk of regression, but it's important
-to make the effort to think about what ''could'' happen in the
-event of a regression.
+  * It is assumed that any SRU candidate patch is well-tested before
+    upload and has a low overall risk of regression, but it's important
+    to make the effort to think about what ''could'' happen in the
+    event of a regression.
  
-  * This both shows the SRU team that the risks have been considered,
-and provides guidance to testers in regression-testing the SRU.
+  * This both shows the SRU team that the risks have been considered,
+    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
-  
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and 
the Technical Board
-  * and address these questions in advance
+ 
+  * Anything else you think is useful to include
+  * Anticipate questions from users, SRU, +1 maintenance, security teams 

[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod-auth-pgsql/+git/libapache2-mod-auth-pgsql/+merge/327729

** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod-auth-pgsql/+git/libapache2-mod-auth-pgsql/+merge/327730



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Andreas Hasenack
** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Importance: Undecided => High



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-19 Thread Robie Basak
** Also affects: libapache2-mod-auth-pgsql (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: libapache2-mod-auth-pgsql (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: libapache2-mod-auth-pgsql (Ubuntu Zesty)
   Importance: Undecided
   Status: New



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-18 Thread Andreas Hasenack
Sorry, I need to rework that debdiff to get the same patch that is
already applied in the other ubuntu releases. I had updated the dep3
header.

** Patch removed: "trusty-libapache2-mod-auth-pgsql.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+attachment/4917187/+files/trusty-libapache2-mod-auth-pgsql.debdiff



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-18 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod-auth-pgsql/+git/libapache2-mod-auth-pgsql/+merge/327657



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-18 Thread Andreas Hasenack
debdiff for trusty

** Patch added: "trusty-libapache2-mod-auth-pgsql.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+attachment/4917187/+files/trusty-libapache2-mod-auth-pgsql.debdiff



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package libapache2-mod-auth-pgsql -
2.0.3-6.1ubuntu1

---
libapache2-mod-auth-pgsql (2.0.3-6.1ubuntu1) artful; urgency=medium

  * d/p/crypt-check-null-1698758.patch: check for a NULL return from crypt(3)
(LP: #1698758)

 -- Andreas Hasenack   Thu, 22 Jun 2017 14:34:03
-0300

** Changed in: libapache2-mod-auth-pgsql (Ubuntu)
   Status: Fix Committed => Fix Released



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-13 Thread LocutusOfBorg
** Changed in: libapache2-mod-auth-pgsql (Ubuntu)
   Status: In Progress => Fix Committed



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-07-13 Thread Andreas Hasenack
Here is a debdiff for artful

** Patch added: "artful-mod-auth-pgsql-null-check-1698758.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+attachment/4914083/+files/artful-mod-auth-pgsql-null-check-1698758.debdiff



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-22 Thread Bug Watch Updater
** Changed in: libapache2-mod-auth-pgsql (Debian)
   Status: Unknown => New



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-22 Thread Andreas Hasenack
** Bug watch added: Debian Bug tracker #865553
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865553

** Also affects: libapache2-mod-auth-pgsql (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865553
   Importance: Unknown
   Status: Unknown



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-22 Thread Launchpad Bug Tracker
** Merge proposal linked:
   
https://code.launchpad.net/~ahasenack/ubuntu/+source/libapache2-mod-auth-pgsql/+git/libapache2-mod-auth-pgsql/+merge/326173



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-22 Thread Andreas Hasenack
One can use mkpasswd(1) from the "whois" package (!) to generate these hashes 
supported by crypt(3):
$ mkpasswd -5 secret
$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0

$ mkpasswd -m sha-256 secret
$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/

$ mkpasswd -m sha-512 secret
$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.

and of course plain DES:
$ mkpasswd  secret
CYwwQkoOVS3oE


All of the above are supported by libapache2-mod-auth-pgsql's 
"Auth_PG_hash_type CRYPT".

** Package changed: apache2 (Ubuntu) => libapache2-mod-auth-pgsql
(Ubuntu)



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-22 Thread Andreas Hasenack
Ok, got a better hang of it. crypt(3) can indeed be used like that, but the 
code needs to check for it returning NULL in the case of errors:
diff --git a/mod_auth_pgsql.c b/mod_auth_pgsql.c
index 0a16e05..4f80917 100644
--- a/mod_auth_pgsql.c
+++ b/mod_auth_pgsql.c
@@ -868,6 +868,12 @@ static authn_status check_password(request_rec *r, const 
char *user,
break;
case AUTH_PG_HASH_TYPE_CRYPT:
sent_pw = (char *) crypt(sent_pw, real_pw);
+   if (!sent_pw) {
+   apr_snprintf(pg_errstr, MAX_STRING_LEN,
+"PG user %s: password 
mismatch", user);
+   ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
"[mod_auth_pgsql.c] - ERROR - %s", pg_errstr);
+   return AUTH_DENIED;
+   }
break;
case AUTH_PG_HASH_TYPE_BASE64:
sent_pw = auth_pg_base64(sent_pw);
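Review bot: the message logged inside the new `if (!sent_pw)` block, "PG user %s: password mismatch", misattributes the failure. A NULL from crypt(3) here means the stored real_pw was not a usable setting string (an unsupported format such as the {SHA} prefix discussed in this comment), not that the client sent the wrong password, so an administrator reading the error log would chase a credentials problem instead of a malformed row in the password table. Suggest logging it as an unsupported hash format for that user and appending strerror(errno) (crypt(3) sets errno on failure; include <errno.h> and <string.h>), while keeping the AUTH_DENIED return, which is the right outcome for the client.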


What happened is that the hash format you used, 
"{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=", is not the type of input crypt(3) expects 
for the salt argument, hence the NULL return value (and the crash since that 
wasn't checked for).

The salt argument (the second argument) should either be:
- 2 characters for standard DES from the range [a-zA-Z0-9./]. Note how "{" or 
"}" are not there
- $id$salt$encrypted, where id means:
  ID  | Method
  ----|------------------------------------------------------------------
  1   | MD5
  2a  | Blowfish (not in mainline glibc; added in some Linux distributions)
  5   | SHA-256 (since glibc 2.7)
  6   | SHA-512 (since glibc 2.7)

So the above patch fixes the crash, but you should use a different type
of hash format. {SHA} is not supported. It is supported by apache's
apr_password_validate(), but that is not used in this code.


[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-21 Thread Andreas Hasenack
It's segfaulting because of this odd usage of crypt(3):
sent_pw = (char *) crypt(sent_pw, real_pw);

That returns NULL, because in the SHA case the real_pw contains the {
character which is invalid for the second parameter which is meant to be
the salt.

Later on strcmp is used and that's what causes the segfault.

I can't reach the upstream website:
http://www.giuseppetanzilli.it/mod_auth_pgsql2/

I wonder if it's abandoned, or just a temporary issue.

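An added audit helper (example code, not from the bug thread or the mod_auth_pgsql project) that applies the salt rules from the 2017-06-22 comment above to the values stored in the password column, so rows that would reach crypt(3) as an unusable setting, the cause of the strcmp-on-NULL segfault described in the 2017-06-21 comment, can be found before Auth_PG_encrypted is enabled. The psql invocation in the comment and the sample rows are assumptions of this example; the hash strings themselves are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example for this bug thread; not code from mod_auth_pgsql or the
# thread's author. It applies the crypt(3) salt/setting rules quoted in the
# thread to stored hashes, so rows that would be handed to crypt(3) as an
# unusable setting (and crash an unpatched module) can be found up front.

# Print the hash method crypt(3) would select for a stored hash and return 0,
# or print "unsupported" and return 1. Rules from the thread: "$id$salt$hash"
# with id 1, 2a, 5 or 6, otherwise traditional DES whose first two characters
# (the salt) must come from [a-zA-Z0-9./]. A leading "{" (as in {SHA}...)
# satisfies neither rule. A stored plaintext value such as "secret" passes as
# DES: this check is about crash safety, not about whether a row is a hash.
crypt_setting_method() {
    case "$1" in
        '$1$'*'$'*)  echo md5 ;;
        '$2a$'*'$'*) echo blowfish ;;
        '$5$'*'$'*)  echo sha256 ;;
        '$6$'*'$'*)  echo sha512 ;;
        [a-zA-Z0-9./][a-zA-Z0-9./]*) echo des ;;
        *) echo unsupported; return 1 ;;
    esac
}

# Read "username<TAB>hash" rows on stdin (the shape of psql -At -F "<tab>"
# output) and print one line per row whose hash crypt(3) would reject.
# Returns 1 if any such row was seen, 0 otherwise.
audit_password_table() {
    bad=0
    while IFS="$(printf '\t')" read -r user hash; do
        [ -n "$user" ] || continue
        crypt_setting_method "$hash" >/dev/null || {
            printf '%s: unsupported hash format (%s)\n' "$user" "$hash"
            bad=1
        }
    done
    return "$bad"
}

# Constructed sample rows (not the thread's test-users.sql). The hash strings
# are the ones quoted in the thread: the reporter's {SHA} value and the
# mkpasswd outputs for "secret".
sample_rows() {
    printf '%s\t%s\n' \
        ubuntu-invalidhash '{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=' \
        ubuntu-md5 '$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0' \
        ubuntu-sha256 '$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/' \
        ubuntu-sha512 '$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.' \
        ubuntu-des CYwwQkoOVS3oE
}

# Against the thread's real table (table and column names from its .htaccess,
# folded to lowercase as the GRANT in the test case does; the psql invocation
# is an assumption of this example):
#   sudo -u postgres psql -At -F "$(printf '\t')" userdb \
#       -c 'SELECT username, apachepassword FROM userlogin' | audit_password_table

sample_rows | audit_password_table \
    || echo "the rows above would crash an unpatched mod_auth_pgsql on login"
```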


[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-21 Thread Andreas Hasenack
** Changed in: apache2 (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: apache2 (Ubuntu)
   Status: Triaged => In Progress



[Bug 1698758] Re: Encrypted password causes segmentation fault

2017-06-20 Thread Andreas Hasenack
Confirmed in my xenial testing:

==> /var/log/apache2/error.log <==
[Tue Jun 20 18:44:20.612899 2017] [core:notice] [pid 7038:tid 140431534086016] 
AH00051: child pid 7041 exit signal Segmentation fault (11), possible coredump 
in /etc/apache2


** Changed in: apache2 (Ubuntu)
   Importance: Undecided => High

** Changed in: apache2 (Ubuntu)
   Status: New => Triaged

** Tags added: server-next
