Package: apache2 Version: 2.4.25-3+deb9u4 Severity: normal Tags: patch upstream
While downloading a large (2200 MiB) file via HTTP/2.0, apache2 2.4.33 (Debian unstable) reproducibly segfaults after delivering ~89% (1975 MiB) on 32-bit i386. apache2 2.4.25-3+deb9u4 (Debian stable) exhibits a slightly different failure mode, which is however assumed to originate in the same upstream bug. Steps to reproduce: - Install Debian unstable i386 in the "webserver" configuration, which installs apache2 2.4.33. Install curl. (Firefox or Chrome works as well.) - Enable SSL: * a2enmod ssl * a2ensite default-ssl - Enable HTTP/2.0: * echo 'Protocols h2 h2c http/1.1' > /etc/apache2/mods-available/http2.conf * a2enmod http2 - Restart Apache: systemctl restart apache2 - Create test file in /var/www/html: * dd if=/dev/zero of=/var/www/html/2200Mfile bs=1M count=2200 - Download the test file via curl (--http2 is redundant because curl uses HTTP/2.0 anyways if it's available; --insecure is necessary because the above steps do not install a proper SSL cert): * curl --http2 --insecure -o /dev/null https://localhost/2200Mfile % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 89 2200M 89 1975M 0 0 22.2M 0 0:01:38 0:01:28 0:00:10 25.8M curl: (56) Unexpected EOF - Apache's error.log: [Wed Apr 25 11:17:05.749002 2018] [core:notice] [pid 398:tid 3082986688] AH00052: child pid 646 exit signal Segmentation fault (11) Side note: On 64-bit, everything works as expected. This seems to be a 32-bit related bug. This bug has been reported upstream, where Stefan Eissing already landed a fix in apache2 trunk and suggested a backport to apache2 2.4.x: https://bz.apache.org/bugzilla/show_bug.cgi?id=62325 -- Package-specific info: -- System Information: Debian Release: 9.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 4.9.0-6-686-pae (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apache2 depends on: ii apache2-bin 2.4.25-3+deb9u4 ii apache2-data 2.4.25-3+deb9u4 ii apache2-utils 2.4.25-3+deb9u4 ii dpkg 1.18.24 ii init-system-helpers 1.48 ii lsb-base 9.20161125 ii mime-support 3.60 ii perl 5.24.1-3+deb9u3 ii procps 2:3.3.12-3 Versions of packages apache2 recommends: ii ssl-cert 1.0.39 Versions of packages apache2 suggests: ii apache2-doc 2.4.25-3+deb9u4 pn apache2-suexec-pristine | apache2-suexec-custom <none> ii lynx [www-browser] 2.8.9dev11-1 ii w3m [www-browser] 0.5.3-34+deb9u1 Versions of packages apache2-bin depends on: ii libapr1 1.5.2-5 ii libaprutil1 1.5.4-3 ii libaprutil1-dbd-sqlite3 1.5.4-3 ii libaprutil1-ldap 1.5.4-3 ii libc6 2.24-11+deb9u3 ii libldap-2.4-2 2.4.44+dfsg-5+deb9u1 ii liblua5.2-0 5.2.4-1.1+b2 ii libnghttp2-14 1.18.1-1 ii libpcre3 2:8.39-3 ii libssl1.0.2 1.0.2l-2+deb9u3 ii libxml2 2.9.4+dfsg1-2.2+deb9u2 ii perl 5.24.1-3+deb9u3 ii zlib1g 1:1.2.8.dfsg-5 Versions of packages apache2-bin suggests: ii apache2-doc 2.4.25-3+deb9u4 pn apache2-suexec-pristine | apache2-suexec-custom <none> ii lynx [www-browser] 2.8.9dev11-1 ii w3m [www-browser] 0.5.3-34+deb9u1 Versions of packages apache2 is related to: ii apache2 2.4.25-3+deb9u4 ii apache2-bin 2.4.25-3+deb9u4 -- Configuration Files: /etc/apache2/apache2.conf changed [not included] /etc/apache2/conf-available/security.conf changed [not included] /etc/apache2/mods-available/ssl.conf changed [not included] /etc/apache2/mods-available/userdir.conf changed [not included] /etc/apache2/ports.conf changed [not included] -- no debconf information