RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Dominic Hargreaves wrote on 2013-03-12: > Hello, > > When trying to fix this issue in Debian stable, I found that the patch at > > http://svn.apache.org/viewvc?view=revision&revision=1455340 > > does not stop the test failing when applied to 2.0.4 (as currently > found in Debian stable) and built against the current perl package in > Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says: > > [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount > the hash collision attack at /home/dom/working/pkg-perl/git/libapache2- > mod-perl2/t/response/TestPerl/hash_attack.pm line 112, > line 1.\n > > This is the change: > > http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b5564 3 > d7dd9de577e7918 > > which differs a bit from that applied to 5.14: > > http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03b c > 6bc457029a7aef2 > > although interestingly both test changes are identical. > > Help to pin down this difference in behaviour would be appreciated. > > The source for the package in question is at > > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod- > perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821 > > Thanks, > Dominic. > I haven't looked at the Debian package, or tried anything with mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the Perl git repo (in fact, I took the snapshot at http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl from trunk and the tests all pass for me... (This is on Windows 7 x64 with VC++ 2010.)
Re: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote: > Dominic Hargreaves wrote on 2013-03-12: > > When trying to fix this issue in Debian stable, I found that the patch > at > > > > http://svn.apache.org/viewvc?view=revision&revision=1455340 > > > > does not stop the test failing when applied to 2.0.4 (as currently > > found in Debian stable) and built against the current perl package in > > Debian stable (5.10 + the rehashing fix). > I haven't looked at the Debian package, or tried anything with > mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the > Perl git repo (in fact, I took the snapshot at > http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7d > d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl from > trunk and the tests all pass for me... (This is on Windows 7 x64 with > VC++ 2010.) Thanks for checking. FWIW, I can reproduce the failure with the Debian perl 5.10.1 package and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to be a Debian change that breaks it. Maybe -Dusethreads or something like that. I'll keep looking and send an update when I know more. -- Niko Tyni nt...@debian.org
RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Niko Tyni wrote on 2013-03-13: > On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote: >> Dominic Hargreaves wrote on 2013-03-12: > >>> When trying to fix this issue in Debian stable, I found that the patch >>> at >>> >>> http://svn.apache.org/viewvc?view=revision&revision=1455340 >>> >>> does not stop the test failing when applied to 2.0.4 (as currently >>> found in Debian stable) and built against the current perl package >>> in Debian stable (5.10 + the rehashing fix). > >> I haven't looked at the Debian package, or tried anything with >> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the >> Perl git repo (in fact, I took the snapshot at >> >> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d >> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl >> from trunk and the tests all pass for me... (This is on Windows 7 x64 >> with VC++ 2010.) > > Thanks for checking. > > FWIW, I can reproduce the failure with the Debian perl 5.10.1 package > and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to > be a Debian change that breaks it. Maybe -Dusethreads or something like > that. > > I'll keep looking and send an update when I know more. The perl I built and tested with was made with ithreads enabled. There is an alternative patch to fix this test, submitted to mod_perl's rt.cpan.org queue after I'd applied the patch from the perl5-security queue on rt.perl.org: https://rt.cpan.org/Ticket/Display.html?id=83916 I haven't tried it myself yet, but is that any better for you?
RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Steve Hay wrote on 2013-03-14: > Niko Tyni wrote on 2013-03-13: >> On Wed, Mar 13, 2013 at 09:13:15AM -, Steve Hay wrote: >>> Dominic Hargreaves wrote on 2013-03-12: >> When trying to fix this issue in Debian stable, I found that the patch at http://svn.apache.org/viewvc?view=revision&revision=1455340 does not stop the test failing when applied to 2.0.4 (as currently found in Debian stable) and built against the current perl package in Debian stable (5.10 + the rehashing fix). >> >>> I haven't looked at the Debian package, or tried anything with >>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from >>> the Perl git repo (in fact, I took the snapshot at >>> >>> >>> http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d >>> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and mod_perl >>> from trunk and the tests all pass for me... (This is on Windows 7 x64 >>> with VC++ 2010.) >> >> Thanks for checking. >> >> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package >> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem to >> be a Debian change that breaks it. Maybe -Dusethreads or something like >> that. >> >> I'll keep looking and send an update when I know more. > > > The perl I built and tested with was made with ithreads enabled. > > There is an alternative patch to fix this test, submitted to > mod_perl's rt.cpan.org queue after I'd applied the patch from the > perl5-security queue on rt.perl.org: > > https://rt.cpan.org/Ticket/Display.html?id=83916 > > I haven't tried it myself yet, but is that any better for you? Zefram has now come up with an even better patch (on the same RT ticket), after reproducing the Debian 5.10.1 failure himself. Please take a look (I've also attached it here for your convenience) and let me know whether this works for you. If so then I hope to apply it to SVN over the weekend. hattack_synthesis.patch Description: hattack_synthesis.patch