Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2009/08/03 12:52:45 UTC
Re: Segfault with fix for CVE-2009-1891
On Tue, Jul 28, 2009 at 07:35:25PM +0200, Stefan Fritsch wrote:
> Hi,
>
> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
> far as I understand it, the reason is that mod_php uses ap_rwrite
> which creates transient buckets. When the connection is closed by the
> client, these buckets sometimes stay in the bucket brigade when
> ap_pass_brigade returns an error for the compressed data of an
> earlier bucket. If deflate_out_filter gets called again with the same
> brigade, the memory of the transient buckets is no longer valid,
> causing a segfault.
This sounds exactly like:
https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
I've proposed the fix for backport:
https://issues.apache.org/bugzilla/attachment.cgi?id=24087
Regards, Joe
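The mechanism Stefan describes above (transient buckets created by ap_rwrite left behind in a brigade after ap_pass_brigade fails, then handed to the filter again), as an added example that is not code from this thread, from httpd or from APR. It is a deliberately small stand-in model of bucket brigades in C: every type and function name in it (bucket_t, brigade_t, transient_create, bucket_setaside, brigade_cleanup, downstream_pass, filter_leaky, filter_safe, dangling_after) is invented for the model and only mirrors the role of the APR or httpd call named in its comment. The remedy shown, emptying the brigade before returning the error, is the general bucket-lifetime rule; the thread does not reproduce attachment 24087, so no claim is made about that patch's exact contents.

```c
/* Added example, not code from the thread, httpd or APR: a toy model of
 * bucket brigades. A transient bucket only borrows the caller's buffer, so a
 * filter that returns an error with such buckets still in the brigade leaves
 * dangling pointers for the next call. All names below are invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct bucket {
    const char *data;      /* borrowed (transient) or owned (after setaside) */
    size_t len;
    int owned;             /* 1 once data has been copied to the heap */
    struct bucket *next;
} bucket_t;

typedef struct { bucket_t *head, *tail; } brigade_t;

static void brigade_append(brigade_t *bb, bucket_t *b) {
    b->next = NULL;
    if (bb->tail) bb->tail->next = b; else bb->head = b;
    bb->tail = b;
}

/* Role of apr_bucket_transient_create: the bucket points at caller memory. */
static bucket_t *transient_create(const char *buf, size_t len) {
    bucket_t *b = calloc(1, sizeof *b);
    b->data = buf; b->len = len;
    return b;
}

/* Role of apr_bucket_setaside on a transient bucket: take a private copy. */
static void bucket_setaside(bucket_t *b) {
    char *copy;
    if (b->owned) return;
    copy = malloc(b->len);
    memcpy(copy, b->data, b->len);
    b->data = copy; b->owned = 1;
}

/* Role of apr_brigade_cleanup: destroy every bucket, leave the brigade empty. */
static void brigade_cleanup(brigade_t *bb) {
    bucket_t *b = bb->head;
    while (b) {
        bucket_t *next = b->next;
        if (b->owned) free((void *)b->data);
        free(b);
        b = next;
    }
    bb->head = bb->tail = NULL;
}

/* Stand-in for the rest of the chain (the core output filter): consumes what
 * it is given and fails once the client has aborted the connection. */
static int downstream_pass(brigade_t *out, int client_aborted) {
    brigade_cleanup(out);
    return client_aborted ? -1 : 0;
}

/* Pre-fix shape of a filter: take one bucket, "compress" it (here: just make
 * an owned copy), pass the result on, and on error return at once. Whatever
 * was not yet processed stays in bb, transient buckets included. */
static int filter_leaky(brigade_t *bb, int client_aborted) {
    brigade_t out = { NULL, NULL };
    while (bb->head) {
        bucket_t *b = bb->head;
        bb->head = b->next;
        if (!bb->head) bb->tail = NULL;
        bucket_setaside(b);
        brigade_append(&out, b);
        if (downstream_pass(&out, client_aborted) != 0)
            return -1;         /* bb may still hold borrowed buffers */
    }
    return 0;
}

/* Hardened shape: never hand the brigade back with stale borrowed buffers in
 * it. On error, drop what remains; nothing downstream can use it anyway. */
static int filter_safe(brigade_t *bb, int client_aborted) {
    int rv = filter_leaky(bb, client_aborted);
    if (rv != 0) brigade_cleanup(bb);
    return rv;
}

/* The thread's scenario in miniature: a writer (like ap_rwrite) hands the
 * filter two transient buckets over a stack buffer it will not keep. Returns
 * how many buckets still borrow that buffer after the filter returned; any
 * value above zero is a dangling pointer waiting for the next call. */
static size_t dangling_after(int (*filter)(brigade_t *, int), int aborted) {
    brigade_t bb = { NULL, NULL };      /* in httpd this brigade is reused */
    char scratch[32] = "script output that goes away";
    size_t stale = 0;
    bucket_t *b;
    brigade_append(&bb, transient_create(scratch, 8));
    brigade_append(&bb, transient_create(scratch + 8, 8));
    (void)filter(&bb, aborted);
    for (b = bb.head; b; b = b->next)
        if (!b->owned) stale++;
    brigade_cleanup(&bb);               /* bucket structs only; no deref */
    return stale;
}

int main(void) {
    printf("leaky filter, client aborted: %zu stale bucket(s)\n",
           dangling_after(filter_leaky, 1));
    printf("safe filter,  client aborted: %zu stale bucket(s)\n",
           dangling_after(filter_safe, 1));
    return 0;
}
```

The model never dereferences the stale pointer (that would be the crash, and undefined behaviour in a test); it only counts how many buckets still point at the dead buffer. With the client aborted, filter_leaky leaves one such bucket behind and filter_safe leaves none; with a live client both process everything and leave the brigade empty.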
Re: Segfault with fix for CVE-2009-1891
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Aug 03, 2009 at 01:09:35PM +0200, Ruediger Pluem wrote:
> On 08/03/2009 12:52 PM, Joe Orton wrote:
> > On Tue, Jul 28, 2009 at 07:35:25PM +0200, Stefan Fritsch wrote:
> >> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
> >> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
...
> > This sounds exactly like:
> >
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
...
> Yes, but AFAIU Stefan it doesn't happen with 2.2.11 which does not
> contain this patch :-).
PR 36780 is triggered by an output filter returning an error, so, it
doesn't seem surprising (in retrospect!) that r791454 makes it much
easier to trigger - the core output filter will now return errors in
very common cases (an aborted connection).
Regards, Joe
Re: Segfault with fix for CVE-2009-1891
Posted by Ruediger Pluem <rp...@apache.org>.
On 08/03/2009 12:52 PM, Joe Orton wrote:
> On Tue, Jul 28, 2009 at 07:35:25PM +0200, Stefan Fritsch wrote:
>> Hi,
>>
>> I have backported r791454 to 2.2.3 in Debian 4.0 and have received a
>> report [1] about segfaults with mod_deflate and mod_php (5.2.0). As
>> far as I understand it, the reason is that mod_php uses ap_rwrite
>> which creates transient buckets. When the connection is closed by the
>> client, these buckets sometimes stay in the bucket brigade when
>> ap_pass_brigade returns an error for the compressed data of an
>> earlier bucket. If deflate_out_filter gets called again with the same
>> brigade, the memory of the transient buckets is no longer valid,
>> causing a segfault.
>
> This sounds exactly like:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=36780
>
> I've proposed the fix for backport:
>
> https://issues.apache.org/bugzilla/attachment.cgi?id=24087
Yes, but AFAIU Stefan it doesn't happen with 2.2.11 which does not
contain this patch :-).
Nevertheless backporting this is good.
Regards
Rüdiger