RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-13 Thread Steve Hay
Dominic Hargreaves wrote on 2013-03-12:
 Hello,
 
 When trying to fix this issue in Debian stable, I found that the patch
 at
 
 http://svn.apache.org/viewvc?view=revision&revision=1455340
 
 does not stop the test failing when applied to 2.0.4 (as currently
 found in Debian stable) and built against the current perl package in
 Debian stable (5.10 + the rehashing fix). t/logs/error_log simply
 says:
 
 [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, fh3Makefile line 1.\n
 
 This is the change:
 
 http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918
 
 which differs a bit from that applied to 5.14:
 
 http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2
 
 although interestingly both test changes are identical.
 
 Help to pin down this difference in behaviour would be appreciated.
 
 The source for the package in question is at
 
 http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
 
 Thanks,
 Dominic.



I haven't looked at the Debian package, or tried anything with
mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
Perl git repo (in fact, I took the snapshot at
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
and tried that with Apache 2.2.22 and mod_perl from trunk and the tests
all pass for me... (This is on Windows 7 x64 with VC++ 2010.)



Re: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix

2013-03-13 Thread Niko Tyni
On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote:
 Dominic Hargreaves wrote on 2013-03-12:

  When trying to fix this issue in Debian stable, I found that the patch
  at
  
  http://svn.apache.org/viewvc?view=revision&revision=1455340
  
  does not stop the test failing when applied to 2.0.4 (as currently
  found in Debian stable) and built against the current perl package in
  Debian stable (5.10 + the rehashing fix).

 I haven't looked at the Debian package, or tried anything with
 mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
 Perl git repo (in fact, I took the snapshot at
 http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
 and tried that with Apache 2.2.22 and mod_perl from trunk and the tests
 all pass for me... (This is on Windows 7 x64 with VC++ 2010.)

Thanks for checking.

FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and
mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be
a Debian change that breaks it. Maybe -Dusethreads or something like that.

I'll keep looking and send an update when I know more.
-- 
Niko Tyni   nt...@debian.org