Thanks a lot, Stefan, for pushing this into Debian 9.4 point release! works perfectly.
Cheers, Philip > On 4 Nov 2018, at 12:51, Debian Bug Tracking System <ow...@bugs.debian.org> > wrote: > > This is an automatic notification regarding your Bug report > which was filed against the apache2-bin package: > > #902906: apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if > an environment variable value is null > > It has been closed by Stefan Fritsch <s...@debian.org>. > > Their explanation is attached below along with your original report. > If this explanation is unsatisfactory and you have not received a > better one in a separate message then please contact Stefan Fritsch > <s...@debian.org> by > replying to this email. > > > -- > 902906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906 > Debian Bug Tracking System > Contact ow...@bugs.debian.org with problems > > From: Stefan Fritsch <s...@debian.org> > Subject: Bug#902906: fixed in apache2 2.4.25-3+deb9u6 > Date: 4 November 2018 at 12:47:09 CET > To: 902906-cl...@bugs.debian.org > > > Source: apache2 > Source-Version: 2.4.25-3+deb9u6 > > We believe that the bug you reported is fixed in the latest version of > apache2, which is due to be installed in the Debian FTP archive. > > A summary of the changes between this version and the previous one is > attached. > > Thank you for reporting the bug, which will now be closed. If you > have further comments please address them to 902...@bugs.debian.org, > and the maintainer will reopen the bug report if appropriate. > > Debian distribution maintenance software > pp. > Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package) > > (This message was generated automatically at their request; if you > believe that there is a problem with it please contact the archive > administrators by mailing ftpmas...@ftp-master.debian.org) > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Format: 1.8 > Date: Sat, 03 Nov 2018 19:46:19 +0100 > Source: apache2 > Binary: apache2 apache2-data apache2-bin apache2-utils > apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev > apache2-ssl-dev apache2-dbg > Architecture: source amd64 all > Version: 2.4.25-3+deb9u6 > Distribution: stretch > Urgency: medium > Maintainer: Debian Apache Maintainers <debian-apa...@lists.debian.org> > Changed-By: Stefan Fritsch <s...@debian.org> > Description: > apache2 - Apache HTTP Server > apache2-bin - Apache HTTP Server (modules and other binary files) > apache2-data - Apache HTTP Server (common files) > apache2-dbg - Apache debugging symbols > apache2-dev - Apache HTTP Server (development headers) > apache2-doc - Apache HTTP Server (on-site documentation) > apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers) > apache2-suexec-custom - Apache HTTP Server configurable suexec program for > mod_suexec > apache2-suexec-pristine - Apache HTTP Server standard suexec program for > mod_suexec > apache2-utils - Apache HTTP Server (utility programs for web servers) > Closes: 902906 904106 909591 > Changes: > apache2 (2.4.25-3+deb9u6) stretch; urgency=medium > . > * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106 > * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS. > Closes: #909591 > * mod_proxy_fcgi: Fix segfault. Closes: #902906 > Checksums-Sha1: > c3590ec3ab4fb75affb8b238a711a5ce17ab27d9 2986 apache2_2.4.25-3+deb9u6.dsc > ed7c894bcf537c64e69ae288a02977b7d6f6352a 790172 > apache2_2.4.25-3+deb9u6.debian.tar.xz > eeb4ed3ae730ad36c22eed16b8c1bbc057ebd5d5 1186420 > apache2-bin_2.4.25-3+deb9u6_amd64.deb > f8c7f84f2fa3e57dc5367738a976951b185af26c 162112 > apache2-data_2.4.25-3+deb9u6_all.deb > 356bd128d69835a7dab11f9cab5a18e3f54b3b64 4017542 > apache2-dbg_2.4.25-3+deb9u6_amd64.deb > 6f01daf4d7b79da8edfea8eccc6b7b018d5a261c 313942 > apache2-dev_2.4.25-3+deb9u6_amd64.deb > d8d7f824aef5eb4bd5a5c8be2d204686122ec2df 3770774 > apache2-doc_2.4.25-3+deb9u6_all.deb > 4068de545c6fa1356e70a144062b6372b2313a50 2268 > apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb > 55ebadbf1dc57bfb400bec5a6768d790d3600966 155210 > apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb > d0d29a6e4142c9749bbd5608bb64262eb3d9e76b 153732 > apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb > c945f226d0b62fc36ac1f2f0cc1050534f456f4f 217058 > apache2-utils_2.4.25-3+deb9u6_amd64.deb > fb61405e424a0c0770fd7de0df872f7e74a0ae6e 10163 > apache2_2.4.25-3+deb9u6_amd64.buildinfo > 1f45b6c2a344a0745f4fb267f4b0ca8bc7435b59 235974 > apache2_2.4.25-3+deb9u6_amd64.deb > Checksums-Sha256: > b0bc6bc5c1daf4d542e2016f36e3c19d1a839d73543c025f7bafa9920ab371b5 2986 > apache2_2.4.25-3+deb9u6.dsc > 5fd9d307b0550e919ef03516e8fd0ce4366f20d2ffb349e6a0fd957dce853f3f 790172 > apache2_2.4.25-3+deb9u6.debian.tar.xz > 26ff2bc1b0d7dbe5b08d71f23633c4f9decf980fcfd0aa348ecf41cfc709ad7b 1186420 > apache2-bin_2.4.25-3+deb9u6_amd64.deb > c947d3889d33cfbb4b1e7c64f703c979830f4d53061d2966c0925e5e565d608f 162112 > apache2-data_2.4.25-3+deb9u6_all.deb > 4eb1c252b7efbb9f9d3254da546729a564f6eb5aa751662526347a776989b16e 4017542 > apache2-dbg_2.4.25-3+deb9u6_amd64.deb > b23d03dea9bcfa7c8f0f8534d193fa92837444e6d98d974d9858520707b52941 313942 > apache2-dev_2.4.25-3+deb9u6_amd64.deb > e87ecf4173d13aed62efce16521ac5f32ed5316f57ed7161470f5ccaa5b7a62f 3770774 > apache2-doc_2.4.25-3+deb9u6_all.deb > 53c2b3fe58ed0f232574a437f25302c052f798e9a3eec3ac8d7b617fddb65b22 2268 > apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb > 8901fea6f314719cd975e854c077f342f45d5143fe57082f969906f8667f68b4 155210 > apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb > 305a64e1a1871ca1e430dc2e164dc34c91581015540e8de71b758d07b848cf90 153732 > apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb > 4c557dccd216f4c319a01b0d20e6315bd483999a1bbcca6488bd2e59990b046f 217058 > apache2-utils_2.4.25-3+deb9u6_amd64.deb > 8bde42135512e310cc1de367ae9375bb4e39625f2bb36dd14aff03a85284a18a 10163 > apache2_2.4.25-3+deb9u6_amd64.buildinfo > 42bbfcabaa49fcc458ec20569229adde1a8662aacd69b2e8107cfee69d5f9b59 235974 > apache2_2.4.25-3+deb9u6_amd64.deb > Files: > 0d89b47aef7b19975ae8387cb7d323d3 2986 httpd optional > apache2_2.4.25-3+deb9u6.dsc > 96fe0be15c776db7710d473acb7872b2 790172 httpd optional > apache2_2.4.25-3+deb9u6.debian.tar.xz > c36fee808ccdac5ec0cd2faae758bf14 1186420 httpd optional > apache2-bin_2.4.25-3+deb9u6_amd64.deb > dcfaef6cb1024be84c2f9be07b54fb4d 162112 httpd optional > apache2-data_2.4.25-3+deb9u6_all.deb > f0c4416e5244bab112201761a4f32d55 4017542 debug extra > apache2-dbg_2.4.25-3+deb9u6_amd64.deb > 1a0ae2576a3ba6b9e72b5a1432c38eee 313942 httpd optional > apache2-dev_2.4.25-3+deb9u6_amd64.deb > 7e6df0368dff1ee78c0232d8f9670262 3770774 doc optional > apache2-doc_2.4.25-3+deb9u6_all.deb > 94e03d511df7909bcd92a7a03073149c 2268 httpd optional > apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb > e159c61f9c7a050844852bc9ca056e77 155210 httpd extra > apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb > 4597c9c7e7733f8fd26712f57c125dfe 153732 httpd optional > apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb > 2d3ac31dd972cf078b5493167e149839 217058 httpd optional > apache2-utils_2.4.25-3+deb9u6_amd64.deb > 8e16239cc29939450aa2af0cd22e2b9a 10163 httpd optional > apache2_2.4.25-3+deb9u6_amd64.buildinfo > 7fed7d6f182385772fbba22e615dcba2 235974 httpd optional > apache2_2.4.25-3+deb9u6_amd64.deb > > -----BEGIN PGP SIGNATURE----- > > iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlvd794ACgkQxodfNUHO > /eCtiw/+IHqUZt7sc/+RGQBeBbk8b7c9MSUJHhow+Eh03GIXbHZtY6gRqylH4tBA > EBcuLXpxbdevh8OiQhby9DCaqFmURZ434pd39EDgf2+mAPrwiIw93dkD1DBBSRvK > Z87/TaYRT7lI1CYPQBvyk4dZgKdrmAJfua5WXBCqLZNBknDgbq2dZ9M0OLbCsZSY > fdz96WVxhTopdug4Yu6T6nwmnFebsV90DtTQvdvPJdDumDoMp9docGx80ypkj/zE > fDJchBn2lb2x4m8+M8kcnlm/5+/yPyjMOd0Tlk3XdJxUQX6+/Dod/cqk4ooB+hdy > 7pjgFqBkDBu0fSktMFe2nfedTM4PUqy1BXLb42u3a3/FWaoCNK4HXsN7vbUgQQcN > FagHrjJ1dk/GqWgoYKeE4DOsdStJxZLL7ueSvl8x49DcQnZHYEtem0DXDrRKICOD > bK45JpDFcO8gwaGQFNhcnwBS4tBKdLBbID+Zj4+KI9fLmPBOO7XJIWznYrM8aXh6 > ePdhLKarksw4zUKYdFFVRDlAKLBcxo8hjS7SY82bwnMJ6AKGxwnj6myzhxNOGT7F > iVtFUKrruQ4j0lHQWEjhlPy11kWxcFGbV/4hADzOSyk0t8Ox4aGiHyC/dV45vfyj > TewDaFwqzBMbRGrfZLXY2H7ISQ2MRnPrbIZ7oZDTnpHetTUjekE= > =QKQK > -----END PGP SIGNATURE----- > > > From: Philip Iezzi <deb...@onlime.ch> > Subject: apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if > an environment variable value is null > Date: 3 July 2018 at 11:53:41 CEST > To: Debian Bug Tracking System <sub...@bugs.debian.org> > > > Package: apache2-bin > Version: 2.4.25-3+deb9u4 > Severity: important > Tags: patch upstream > > Dear Maintainer, > > We got a lot of such segfaults in error.log, provoked by mod_proxy_fcgi: > > [core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit > signal Segmentation fault (11) > > As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following > PHP-FPM invocation with SetHandler (running mpm_event): > > ``` > <FilesMatch "\.ph(p[3-5]?|tml)$"> > <If "-f %{REQUEST_FILENAME}"> > SetHandler > "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost" > </If> > </FilesMatch> > ``` > > Analyzing coredump: > > ``` > $ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206 > (...) > [Thread debugging using libthread_db enabled] > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". > Core was generated by `/usr/sbin/apache2 -k start'. > Program terminated with signal SIGSEGV, Segmentation fault. > #0 strlen () at ../sysdeps/x86_64/strlen.S:106 > 106 ../sysdeps/x86_64/strlen.S: No such file or directory. > [Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))] > (gdb) bt > #0 strlen () at ../sysdeps/x86_64/strlen.S:106 > #1 0x000055b25cef8e57 in ap_fcgi_encoded_env_len (env=<optimized out>, > maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) > at util_fcgi.c:156 > #2 0x00007f3c74f4871d in send_environment (request_id=1, > temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at > mod_proxy_fcgi.c:321 > #3 fcgi_do_request (p=<optimized out>, origin=0x0, uri=<optimized out>, > url=<optimized out>, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, > conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848 > #4 proxy_fcgi_handler (r=0x7f3c49e196c0, worker=<optimized out>, > conf=<optimized out>, url=<optimized out>, proxyname=<optimized out>, > proxyport=<optimized out>) at mod_proxy_fcgi.c:968 > #5 0x00007f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, > worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0, > url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", > proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at > mod_proxy.c:2880 > #6 0x00007f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230 > #7 0x000055b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at > config.c:170 > #8 0x000055b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at > config.c:434 > #9 0x000055b25cf090bc in ap_internal_redirect (new_uri=<optimized out>, > r=<optimized out>) at http_request.c:765 > #10 0x000055b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at > protocol.c:1285 > #11 0x000055b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) > at http_core.c:146 > #12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248 > #13 0x000055b25cefba70 in ap_run_process_connection > (c=c@entry=0x7f3c49e28348) at connection.c:42 > #14 0x00007f3c755786e8 in process_socket (my_thread_num=<optimized out>, > my_child_num=<optimized out>, cs=0x7f3c49e282b8, sock=<optimized out>, > p=0x7f3c49e28028, thd=<optimized out>) at event.c:1099 > #15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2003 > #16 0x00007f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at > pthread_create.c:333 > #17 0x00007f3c7a0e6acf in clone () at > ../sysdeps/unix/sysv/linux/x86_64/clone.S:97 > ``` > > The issue was reported upstream, Apache Bug 60275, including a patch: > https://bz.apache.org/bugzilla/show_bug.cgi?id=60275 > The patch made it into upstream Apache 2.4.26 (see > https://www.apache.org/dist/httpd/CHANGES_2.4): > > *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when > modules add empty environment variables to the request. PR 60275. > [<alex2grad AT gmail.com>] > > I have applied the provided patch on apache2_2.4.25-3+deb9u4_amd64 and > installed apache2-bin. This resolved the issue 100% (Apache was previously > crashing on avg 15 times/h over months, since installing patched apache2-bin > no more single segfault!). > > apache2-2.4.25-pr60275.patch: > > ```diff > diff -ur apache2-2.4.25/server/util_fcgi.c > apache2-2.4.25-patched/server/util_fcgi.c > --- apache2-2.4.25/server/util_fcgi.c 2015-07-20 12:28:13.000000000 +0200 > +++ apache2-2.4.25-patched/server/util_fcgi.c 2018-07-01 09:16:08.122664970 > +0200 > @@ -153,7 +153,11 @@ > > envlen += keylen; > > - vallen = strlen(elts[i].val); > + if (!elts[i].val) { > + vallen = 0; > + } else { > + vallen = strlen(elts[i].val); > + } > > if (vallen >> 7 == 0) { > envlen += 1; > @@ -226,7 +230,11 @@ > buflen -= 4; > } > > - vallen = strlen(elts[i].val); > + if (!elts[i].val) { > + vallen = 0; > + } else { > + vallen = strlen(elts[i].val); > + } > > if (vallen >> 7 == 0) { > if (buflen < 1) { > @@ -262,8 +270,10 @@ > rv = APR_ENOSPC; /* overflow */ > break; > } > - memcpy(itr, elts[i].val, vallen); > - itr += vallen; > + if (elts[i].val) { > + memcpy(itr, elts[i].val, vallen); > + itr += vallen; > + } > > if (buflen == vallen) { > (*starting_elem)++; > ``` > > Please try to get this into the next Debian Stretch point release. It seems > to be critical as this bug renders mod_proxy_fcgi unusable for most. > > Thanks, > Philip > > > -- Package-specific info: > > -- System Information: > Debian Release: 9.4 > Architecture: amd64 (x86_64) > > Kernel: Linux 4.15.17-3-pve (SMP w/2 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set > to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to > en_US.UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > > Versions of packages apache2-bin depends on: > ii libapr1 1.5.2-5 > ii libaprutil1 1.5.4-3 > ii libaprutil1-dbd-sqlite3 1.5.4-3 > ii libaprutil1-ldap 1.5.4-3 > ii libc6 2.24-11+deb9u3 > ii libldap-2.4-2 2.4.44+dfsg-5+deb9u1 > ii liblua5.2-0 5.2.4-1.1+b2 > ii libnghttp2-14 1.18.1-1 > ii libpcre3 2:8.39-3 > ii libssl1.0.2 1.0.2l-2+deb9u3 > ii libxml2 2.9.4+dfsg1-2.2+deb9u2 > ii perl 5.24.1-3+deb9u4 > ii zlib1g 1:1.2.8.dfsg-5 > > apache2-bin recommends no packages. > > Versions of packages apache2-bin suggests: > pn apache2-doc <none> > pn apache2-suexec-pristine | apache2-suexec-custom <none> > pn www-browser <none> > > Versions of packages apache2-bin is related to: > pn apache2 <none> > ii apache2-bin 2.4.25-3+deb9u4 > > -- no debconf information > >
