Bug#915642: AuthBasicProvider PAM crashes apache

2018-12-10 Thread Bernhard Übelacker 
Dear Maintainer,
I just tried to reproduce and found it crash on service startup when
using the given /etc/apache2/sites-enabled/default.conf.

It looks like here the apache2 process wants to fork and calls the
fork_handlers. Unfortunately one of them belongs to an unloaded module.
Therefore we end up trying to execute unmapped memory.

>From the similar offset I would expect that the first fork_handler belong
to function deinit from libcap-ng.so.0.
The first one 0x7f50c8e0e660 points to the current location of libcap-ng.so.0.
But the second 0x7f50c8e12660 looks like pointing to an unloaded location of 
libcap-ng.so.0.

This situation looks quite similar to what I tried to collect in bug #914565.
And now that I looked up the bugs for libcap-ng0 this one seems related: 
#904808.

Kind regards,
Bernhard


#914565 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914565
#904808 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904808


(gdb) bt
#0  0x7f50c8e12660 in ?? ()
#1  0x7f50c921470e in __libc_fork () at ../sysdeps/nptl/fork.c:204
#2  0x7f50c9357875 in apr_proc_detach (daemonize=daemonize@entry=1) at 
./threadproc/unix/procsup.c:31
#3  0x7f50c8b93fc5 in event_pre_config (pconf=0x7f50c90b8028, 
plog=0x7f50c908c028, ptemp=) at event.c:3416
#4  0x55e968fd81be in ap_run_pre_config (pconf=0x7f50c90b8028, 
plog=0x7f50c908c028, ptemp=0x7f50c9090028) at config.c:89
#5  0x55e968fb3e5f in main (argc=, argv=) at 
main.c:775

(gdb) up
#2  0x7f50c9357875 in apr_proc_detach (daemonize=daemonize@entry=1) at 
./threadproc/unix/procsup.c:31
31  if ((x = fork()) > 0) {

(gdb) print *__fork_handlers
$1 = {next = 0x7f50c9309998 , prepare_handler = 0x0, 
parent_handler = 0x0, child_handler = 0x7f50c8e0e660 , dso_handle = 
0x7f50c93282a0, refcntr = 2, need_signal = 0}
(gdb) print *__fork_handlers->next
$2 = {next = 0x7f50c9309968 , prepare_handler = 0x0, 
parent_handler = 0x0, child_handler = 0x7f50c8e12660, dso_handle = 
0x7f50c93282a0, refcntr = 2, need_signal = 0}
(gdb) print *__fork_handlers->next->next
$3 = {next = 0x0, prepare_handler = 0x0, parent_handler = 0x0, child_handler = 
0x7f50c93133d0 <__reclaim_stacks>, dso_handle = 0x0, refcntr = 1, need_signal = 
0}

(gdb) info share
>FromTo  Syms Read   Shared Object Library
...
0x7f50c8e0e560  0x7f50c8e10419  Yes 
/lib/x86_64-linux-gnu/libcap-ng.so.0
...

Bug#915642: AuthBasicProvider PAM crashes apache

2018-12-05 Thread Christoph Berg 
Package: libapache2-mod-authnz-pam
Version: 1.2.0-1
Severity: grave

Hi,

we were using libapache2-mod-authnz-pam for apache2 basic
authentication in the elephant-shed.io project, but some time ago,
apache2 started crashing when it is used. (Could be related to the
1.2.0-1 upload, not sure.)

I can reproduce it with this /etc/apache2/sites-enabled/default.conf:


# The ServerName directive sets the request scheme, hostname and port 
that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf


AuthType Basic
AuthName "PAM Authentication"
AuthBasicProvider PAM




# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de:en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libapache2-mod-authnz-pam depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.37-1
ii  libc6   2.27-8
ii  libpam0g1.1.8-3.8

libapache2-mod-authnz-pam recommends no packages.

libapache2-mod-authnz-pam suggests no packages.

-- no debconf information

Christoph