You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Dominic Hargreaves <do...@earth.li> on 2013/03/13 00:51:07 UTC
perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Hello,
When trying to fix this issue in Debian stable, I found that the
patch at
http://svn.apache.org/viewvc?view=revision&revision=1455340
does not stop the test failing when applied to 2.0.4 (as currently
found in Debian stable) and built against the current perl package
in Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:
[Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, <fh00003Makefile> line 1.\n
This is the change:
http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918
which differs a bit from that applied to 5.14:
http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2
although interestingly both test changes are identical.
Help to pin down this difference in behaviour would be appreciated.
The source for the package in question is at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
Thanks,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 +
CVE-2013-1667 fix
Posted by Salvatore Bonaccorso <ca...@debian.org>.
Hi all
On Thu, Mar 14, 2013 at 08:54:06AM -0000, Steve Hay wrote:
> Niko Tyni wrote on 2013-03-13:
> > On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> >> Dominic Hargreaves wrote on 2013-03-12:
> >
> >>> When trying to fix this issue in Debian stable, I found that the
> patch
> >>> at
> >>>
> >>> http://svn.apache.org/viewvc?view=revision&revision=1455340
> >>>
> >>> does not stop the test failing when applied to 2.0.4 (as currently
> >>> found in Debian stable) and built against the current perl package
> >>> in Debian stable (5.10 + the rehashing fix).
> >
> >> I haven't looked at the Debian package, or tried anything with
> >> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
> >> Perl git repo (in fact, I took the snapshot at
> >>
> >>
> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d
> >> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and
> mod_perl
> >> from trunk and the tests all pass for me... (This is on Windows 7 x64
> >> with VC++ 2010.)
> >
> > Thanks for checking.
> >
> > FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> > and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem
> to
> > be a Debian change that breaks it. Maybe -Dusethreads or something
> like
> > that.
> >
> > I'll keep looking and send an update when I know more.
>
>
> The perl I built and tested with was made with ithreads enabled.
>
> There is an alternative patch to fix this test, submitted to mod_perl's
> rt.cpan.org queue after I'd applied the patch from the perl5-security
> queue on rt.perl.org:
>
> https://rt.cpan.org/Ticket/Display.html?id=83916
>
> I haven't tried it myself yet, but is that any better for you?
I tried to rebuild the Squeeze package with the mentioned first patch,
the package builds now. Disclaimer: only did the build but haven't
looked what's actually changing importantly.
Thanky you Steve.
Regards,
Salvatore
Re: Bug#702821: perl/hash_attack.t fails with 5.10.1 +
CVE-2013-1667 fix
Posted by Salvatore Bonaccorso <ca...@debian.org>.
Hi
On Fri, Mar 15, 2013 at 05:56:05PM -0000, Steve Hay wrote:
[...]
> Zefram has now come up with an even better patch (on the same RT
> ticket), after reproducing the Debian 5.10.1 failure himself.
>
> Please take a look (I've also attached it here for your convenience) and
> let me know whether this works for you. If so then I hope to apply it to
> SVN over the weekend.
I can confirm that the new patch works on Debian Squeeze, with Perl
(5.10.1-17squeeze6) including the security fix.
Thank you Steve for keeping us updated!
Regards,
Salvatore
RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Posted by Steve Hay <St...@verosoftware.com>.
Steve Hay wrote on 2013-03-14:
> Niko Tyni wrote on 2013-03-13:
>> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
>>> Dominic Hargreaves wrote on 2013-03-12:
>>
>>>> When trying to fix this issue in Debian stable, I found that the
>>>> patch at
>>>>
>>>> http://svn.apache.org/viewvc?view=revision&revision=1455340
>>>>
>>>> does not stop the test failing when applied to 2.0.4 (as currently
>>>> found in Debian stable) and built against the current perl package
>>>> in Debian stable (5.10 + the rehashing fix).
>>
>>> I haven't looked at the Debian package, or tried anything with
>>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from
>>> the Perl git repo (in fact, I took the snapshot at
>>>
>>>
>>>
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d
>>> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and
mod_perl
>>> from trunk and the tests all pass for me... (This is on Windows 7
x64
>>> with VC++ 2010.)
>>
>> Thanks for checking.
>>
>> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
>> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem
to
>> be a Debian change that breaks it. Maybe -Dusethreads or something
like
>> that.
>>
>> I'll keep looking and send an update when I know more.
>
>
> The perl I built and tested with was made with ithreads enabled.
>
> There is an alternative patch to fix this test, submitted to
> mod_perl's rt.cpan.org queue after I'd applied the patch from the
> perl5-security queue on rt.perl.org:
>
> https://rt.cpan.org/Ticket/Display.html?id=83916
>
> I haven't tried it myself yet, but is that any better for you?
Zefram has now come up with an even better patch (on the same RT
ticket), after reproducing the Debian 5.10.1 failure himself.
Please take a look (I've also attached it here for your convenience) and
let me know whether this works for you. If so then I hope to apply it to
SVN over the weekend.
RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Posted by Steve Hay <St...@verosoftware.com>.
Niko Tyni wrote on 2013-03-13:
> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
>> Dominic Hargreaves wrote on 2013-03-12:
>
>>> When trying to fix this issue in Debian stable, I found that the
patch
>>> at
>>>
>>> http://svn.apache.org/viewvc?view=revision&revision=1455340
>>>
>>> does not stop the test failing when applied to 2.0.4 (as currently
>>> found in Debian stable) and built against the current perl package
>>> in Debian stable (5.10 + the rehashing fix).
>
>> I haven't looked at the Debian package, or tried anything with
>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
>> Perl git repo (in fact, I took the snapshot at
>>
>>
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d
>> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and
mod_perl
>> from trunk and the tests all pass for me... (This is on Windows 7 x64
>> with VC++ 2010.)
>
> Thanks for checking.
>
> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem
to
> be a Debian change that breaks it. Maybe -Dusethreads or something
like
> that.
>
> I'll keep looking and send an update when I know more.
The perl I built and tested with was made with ithreads enabled.
There is an alternative patch to fix this test, submitted to mod_perl's
rt.cpan.org queue after I'd applied the patch from the perl5-security
queue on rt.perl.org:
https://rt.cpan.org/Ticket/Display.html?id=83916
I haven't tried it myself yet, but is that any better for you?
Re: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Posted by Niko Tyni <nt...@mappi.helsinki.fi>.
On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
> Dominic Hargreaves wrote on 2013-03-12:
> > When trying to fix this issue in Debian stable, I found that the patch
> at
> >
> > http://svn.apache.org/viewvc?view=revision&revision=1455340
> >
> > does not stop the test failing when applied to 2.0.4 (as currently
> > found in Debian stable) and built against the current perl package in
> > Debian stable (5.10 + the rehashing fix).
> I haven't looked at the Debian package, or tried anything with
> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
> Perl git repo (in fact, I took the snapshot at
> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7d
> d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl from
> trunk and the tests all pass for me... (This is on Windows 7 x64 with
> VC++ 2010.)
Thanks for checking.
FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
a Debian change that breaks it. Maybe -Dusethreads or something like that.
I'll keep looking and send an update when I know more.
--
Niko Tyni ntyni@debian.org
RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Posted by Steve Hay <St...@verosoftware.com>.
Dominic Hargreaves wrote on 2013-03-12:
> Hello,
>
> When trying to fix this issue in Debian stable, I found that the patch
at
>
> http://svn.apache.org/viewvc?view=revision&revision=1455340
>
> does not stop the test failing when applied to 2.0.4 (as currently
> found in Debian stable) and built against the current perl package in
> Debian stable (5.10 + the rehashing fix). t/logs/error_log simply
says:
>
> [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount
> the hash collision attack at
/home/dom/working/pkg-perl/git/libapache2-
> mod-perl2/t/response/TestPerl/hash_attack.pm line 112,
<fh00003Makefile>
> line 1.\n
>
> This is the change:
>
> http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b5564
3
> d7dd9de577e7918
>
> which differs a bit from that applied to 5.14:
>
> http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03b
c
> 6bc457029a7aef2
>
> although interestingly both test changes are identical.
>
> Help to pin down this difference in behaviour would be appreciated.
>
> The source for the package in question is at
>
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-
> perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
>
> Thanks,
> Dominic.
>
I haven't looked at the Debian package, or tried anything with
mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
Perl git repo (in fact, I took the snapshot at
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7d
d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl from
trunk and the tests all pass for me... (This is on Windows 7 x64 with
VC++ 2010.)