Thanks a lot, Stefan, for pushing this into Debian 9.4 point release! works 
perfectly.

Cheers,
Philip

> On 4 Nov 2018, at 12:51, Debian Bug Tracking System <ow...@bugs.debian.org> 
> wrote:
> 
> This is an automatic notification regarding your Bug report
> which was filed against the apache2-bin package:
> 
> #902906: apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if 
> an environment variable value is null
> 
> It has been closed by Stefan Fritsch <s...@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Stefan Fritsch 
> <s...@debian.org> by
> replying to this email.
> 
> 
> -- 
> 902906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
> 
> From: Stefan Fritsch <s...@debian.org>
> Subject: Bug#902906: fixed in apache2 2.4.25-3+deb9u6
> Date: 4 November 2018 at 12:47:09 CET
> To: 902906-cl...@bugs.debian.org
> 
> 
> Source: apache2
> Source-Version: 2.4.25-3+deb9u6
> 
> We believe that the bug you reported is fixed in the latest version of
> apache2, which is due to be installed in the Debian FTP archive.
> 
> A summary of the changes between this version and the previous one is
> attached.
> 
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 902...@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
> 
> Debian distribution maintenance software
> pp.
> Stefan Fritsch <s...@debian.org> (supplier of updated apache2 package)
> 
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmas...@ftp-master.debian.org)
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sat, 03 Nov 2018 19:46:19 +0100
> Source: apache2
> Binary: apache2 apache2-data apache2-bin apache2-utils 
> apache2-suexec-pristine apache2-suexec-custom apache2-doc apache2-dev 
> apache2-ssl-dev apache2-dbg
> Architecture: source amd64 all
> Version: 2.4.25-3+deb9u6
> Distribution: stretch
> Urgency: medium
> Maintainer: Debian Apache Maintainers <debian-apa...@lists.debian.org>
> Changed-By: Stefan Fritsch <s...@debian.org>
> Description:
> apache2    - Apache HTTP Server
> apache2-bin - Apache HTTP Server (modules and other binary files)
> apache2-data - Apache HTTP Server (common files)
> apache2-dbg - Apache debugging symbols
> apache2-dev - Apache HTTP Server (development headers)
> apache2-doc - Apache HTTP Server (on-site documentation)
> apache2-ssl-dev - Apache HTTP Server (mod_ssl development headers)
> apache2-suexec-custom - Apache HTTP Server configurable suexec program for 
> mod_suexec
> apache2-suexec-pristine - Apache HTTP Server standard suexec program for 
> mod_suexec
> apache2-utils - Apache HTTP Server (utility programs for web servers)
> Closes: 902906 904106 909591
> Changes:
> apache2 (2.4.25-3+deb9u6) stretch; urgency=medium
> .
>   * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106
>   * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS.
>     Closes: #909591
>   * mod_proxy_fcgi: Fix segfault. Closes: #902906
> Checksums-Sha1:
> c3590ec3ab4fb75affb8b238a711a5ce17ab27d9 2986 apache2_2.4.25-3+deb9u6.dsc
> ed7c894bcf537c64e69ae288a02977b7d6f6352a 790172 
> apache2_2.4.25-3+deb9u6.debian.tar.xz
> eeb4ed3ae730ad36c22eed16b8c1bbc057ebd5d5 1186420 
> apache2-bin_2.4.25-3+deb9u6_amd64.deb
> f8c7f84f2fa3e57dc5367738a976951b185af26c 162112 
> apache2-data_2.4.25-3+deb9u6_all.deb
> 356bd128d69835a7dab11f9cab5a18e3f54b3b64 4017542 
> apache2-dbg_2.4.25-3+deb9u6_amd64.deb
> 6f01daf4d7b79da8edfea8eccc6b7b018d5a261c 313942 
> apache2-dev_2.4.25-3+deb9u6_amd64.deb
> d8d7f824aef5eb4bd5a5c8be2d204686122ec2df 3770774 
> apache2-doc_2.4.25-3+deb9u6_all.deb
> 4068de545c6fa1356e70a144062b6372b2313a50 2268 
> apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
> 55ebadbf1dc57bfb400bec5a6768d790d3600966 155210 
> apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
> d0d29a6e4142c9749bbd5608bb64262eb3d9e76b 153732 
> apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
> c945f226d0b62fc36ac1f2f0cc1050534f456f4f 217058 
> apache2-utils_2.4.25-3+deb9u6_amd64.deb
> fb61405e424a0c0770fd7de0df872f7e74a0ae6e 10163 
> apache2_2.4.25-3+deb9u6_amd64.buildinfo
> 1f45b6c2a344a0745f4fb267f4b0ca8bc7435b59 235974 
> apache2_2.4.25-3+deb9u6_amd64.deb
> Checksums-Sha256:
> b0bc6bc5c1daf4d542e2016f36e3c19d1a839d73543c025f7bafa9920ab371b5 2986 
> apache2_2.4.25-3+deb9u6.dsc
> 5fd9d307b0550e919ef03516e8fd0ce4366f20d2ffb349e6a0fd957dce853f3f 790172 
> apache2_2.4.25-3+deb9u6.debian.tar.xz
> 26ff2bc1b0d7dbe5b08d71f23633c4f9decf980fcfd0aa348ecf41cfc709ad7b 1186420 
> apache2-bin_2.4.25-3+deb9u6_amd64.deb
> c947d3889d33cfbb4b1e7c64f703c979830f4d53061d2966c0925e5e565d608f 162112 
> apache2-data_2.4.25-3+deb9u6_all.deb
> 4eb1c252b7efbb9f9d3254da546729a564f6eb5aa751662526347a776989b16e 4017542 
> apache2-dbg_2.4.25-3+deb9u6_amd64.deb
> b23d03dea9bcfa7c8f0f8534d193fa92837444e6d98d974d9858520707b52941 313942 
> apache2-dev_2.4.25-3+deb9u6_amd64.deb
> e87ecf4173d13aed62efce16521ac5f32ed5316f57ed7161470f5ccaa5b7a62f 3770774 
> apache2-doc_2.4.25-3+deb9u6_all.deb
> 53c2b3fe58ed0f232574a437f25302c052f798e9a3eec3ac8d7b617fddb65b22 2268 
> apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
> 8901fea6f314719cd975e854c077f342f45d5143fe57082f969906f8667f68b4 155210 
> apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
> 305a64e1a1871ca1e430dc2e164dc34c91581015540e8de71b758d07b848cf90 153732 
> apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
> 4c557dccd216f4c319a01b0d20e6315bd483999a1bbcca6488bd2e59990b046f 217058 
> apache2-utils_2.4.25-3+deb9u6_amd64.deb
> 8bde42135512e310cc1de367ae9375bb4e39625f2bb36dd14aff03a85284a18a 10163 
> apache2_2.4.25-3+deb9u6_amd64.buildinfo
> 42bbfcabaa49fcc458ec20569229adde1a8662aacd69b2e8107cfee69d5f9b59 235974 
> apache2_2.4.25-3+deb9u6_amd64.deb
> Files:
> 0d89b47aef7b19975ae8387cb7d323d3 2986 httpd optional 
> apache2_2.4.25-3+deb9u6.dsc
> 96fe0be15c776db7710d473acb7872b2 790172 httpd optional 
> apache2_2.4.25-3+deb9u6.debian.tar.xz
> c36fee808ccdac5ec0cd2faae758bf14 1186420 httpd optional 
> apache2-bin_2.4.25-3+deb9u6_amd64.deb
> dcfaef6cb1024be84c2f9be07b54fb4d 162112 httpd optional 
> apache2-data_2.4.25-3+deb9u6_all.deb
> f0c4416e5244bab112201761a4f32d55 4017542 debug extra 
> apache2-dbg_2.4.25-3+deb9u6_amd64.deb
> 1a0ae2576a3ba6b9e72b5a1432c38eee 313942 httpd optional 
> apache2-dev_2.4.25-3+deb9u6_amd64.deb
> 7e6df0368dff1ee78c0232d8f9670262 3770774 doc optional 
> apache2-doc_2.4.25-3+deb9u6_all.deb
> 94e03d511df7909bcd92a7a03073149c 2268 httpd optional 
> apache2-ssl-dev_2.4.25-3+deb9u6_amd64.deb
> e159c61f9c7a050844852bc9ca056e77 155210 httpd extra 
> apache2-suexec-custom_2.4.25-3+deb9u6_amd64.deb
> 4597c9c7e7733f8fd26712f57c125dfe 153732 httpd optional 
> apache2-suexec-pristine_2.4.25-3+deb9u6_amd64.deb
> 2d3ac31dd972cf078b5493167e149839 217058 httpd optional 
> apache2-utils_2.4.25-3+deb9u6_amd64.deb
> 8e16239cc29939450aa2af0cd22e2b9a 10163 httpd optional 
> apache2_2.4.25-3+deb9u6_amd64.buildinfo
> 7fed7d6f182385772fbba22e615dcba2 235974 httpd optional 
> apache2_2.4.25-3+deb9u6_amd64.deb
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQIzBAEBCgAdFiEEOpiNza8JqByyYYsxxodfNUHO/eAFAlvd794ACgkQxodfNUHO
> /eCtiw/+IHqUZt7sc/+RGQBeBbk8b7c9MSUJHhow+Eh03GIXbHZtY6gRqylH4tBA
> EBcuLXpxbdevh8OiQhby9DCaqFmURZ434pd39EDgf2+mAPrwiIw93dkD1DBBSRvK
> Z87/TaYRT7lI1CYPQBvyk4dZgKdrmAJfua5WXBCqLZNBknDgbq2dZ9M0OLbCsZSY
> fdz96WVxhTopdug4Yu6T6nwmnFebsV90DtTQvdvPJdDumDoMp9docGx80ypkj/zE
> fDJchBn2lb2x4m8+M8kcnlm/5+/yPyjMOd0Tlk3XdJxUQX6+/Dod/cqk4ooB+hdy
> 7pjgFqBkDBu0fSktMFe2nfedTM4PUqy1BXLb42u3a3/FWaoCNK4HXsN7vbUgQQcN
> FagHrjJ1dk/GqWgoYKeE4DOsdStJxZLL7ueSvl8x49DcQnZHYEtem0DXDrRKICOD
> bK45JpDFcO8gwaGQFNhcnwBS4tBKdLBbID+Zj4+KI9fLmPBOO7XJIWznYrM8aXh6
> ePdhLKarksw4zUKYdFFVRDlAKLBcxo8hjS7SY82bwnMJ6AKGxwnj6myzhxNOGT7F
> iVtFUKrruQ4j0lHQWEjhlPy11kWxcFGbV/4hADzOSyk0t8Ox4aGiHyC/dV45vfyj
> TewDaFwqzBMbRGrfZLXY2H7ISQ2MRnPrbIZ7oZDTnpHetTUjekE=
> =QKQK
> -----END PGP SIGNATURE-----
> 
> 
> From: Philip Iezzi <deb...@onlime.ch>
> Subject: apache2-bin: mod_proxy_fcgi segfault on ap_fcgi_encoded_env_len if 
> an environment variable value is null
> Date: 3 July 2018 at 11:53:41 CEST
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> 
> 
> Package: apache2-bin
> Version: 2.4.25-3+deb9u4
> Severity: important
> Tags: patch upstream
> 
> Dear Maintainer,
> 
> We got a lot of such segfaults in error.log, provoked by mod_proxy_fcgi:
> 
> [core:notice] [pid 43086:tid 139897736885440] AH00051: child pid 43114 exit 
> signal Segmentation fault (11)
> 
> As recommended on https://wiki.apache.org/httpd/PHP-FPM, we use the following 
> PHP-FPM invocation with SetHandler (running mpm_event):
> 
> ```
> <FilesMatch "\.ph(p[3-5]?|tml)$">
>   <If "-f %{REQUEST_FILENAME}">
>       SetHandler 
> "proxy:unix:/run/fpm-pool-web999-php72.socket|fcgi://localhost"
>   </If>
> </FilesMatch>
> ```
> 
> Analyzing coredump:
> 
> ```
> $ gdb /usr/sbin/apache2 /tmp/coredump-apache2-11-33-33-43114-1530368206
> (...)
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `/usr/sbin/apache2 -k start'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  strlen () at ../sysdeps/x86_64/strlen.S:106
> 106   ../sysdeps/x86_64/strlen.S: No such file or directory.
> [Current thread is 1 (Thread 0x7f3c54ff9700 (LWP 43741))]
> (gdb) bt
> #0  strlen () at ../sysdeps/x86_64/strlen.S:106
> #1  0x000055b25cef8e57 in ap_fcgi_encoded_env_len (env=<optimized out>, 
> maxlen=maxlen@entry=16384, starting_elem=starting_elem@entry=0x7f3c54ff8ae0) 
> at util_fcgi.c:156
> #2  0x00007f3c74f4871d in send_environment (request_id=1, 
> temp_pool=0x7f3c49e1c028, r=0x7f3c49e196c0, conn=0x7f3c72bbb0a0) at 
> mod_proxy_fcgi.c:321
> #3  fcgi_do_request (p=<optimized out>, origin=0x0, uri=<optimized out>, 
> url=<optimized out>, server_portstr=0x7f3c54ff8b40 "", conf=0x7f3c7ae24490, 
> conn=0x7f3c72bbb0a0, r=0x7f3c49e196c0) at mod_proxy_fcgi.c:848
> #4  proxy_fcgi_handler (r=0x7f3c49e196c0, worker=<optimized out>, 
> conf=<optimized out>, url=<optimized out>, proxyname=<optimized out>, 
> proxyport=<optimized out>) at mod_proxy_fcgi.c:968
> #5  0x00007f3c751562bc in proxy_run_scheme_handler (r=r@entry=0x7f3c49e196c0, 
> worker=0x7f3c7ad7abf0, conf=conf@entry=0x7f3c7ae2bdd0, 
>    url=0x7f3c49e13b08 "fcgi://localhost/var/www/shared/error_docs/400.php", 
> proxyhost=proxyhost@entry=0x0, proxyport=proxyport@entry=0) at 
> mod_proxy.c:2880
> #6  0x00007f3c75157231 in proxy_handler (r=0x7f3c49e196c0) at mod_proxy.c:1230
> #7  0x000055b25cef1c40 in ap_run_handler (r=r@entry=0x7f3c49e196c0) at 
> config.c:170
> #8  0x000055b25cef21d6 in ap_invoke_handler (r=r@entry=0x7f3c49e196c0) at 
> config.c:434
> #9  0x000055b25cf090bc in ap_internal_redirect (new_uri=<optimized out>, 
> r=<optimized out>) at http_request.c:765
> #10 0x000055b25cedc5b5 in ap_read_request (conn=conn@entry=0x7f3c49e28348) at 
> protocol.c:1285
> #11 0x000055b25cf0604d in ap_process_http_async_connection (c=0x7f3c49e28348) 
> at http_core.c:146
> #12 ap_process_http_connection (c=0x7f3c49e28348) at http_core.c:248
> #13 0x000055b25cefba70 in ap_run_process_connection 
> (c=c@entry=0x7f3c49e28348) at connection.c:42
> #14 0x00007f3c755786e8 in process_socket (my_thread_num=<optimized out>, 
> my_child_num=<optimized out>, cs=0x7f3c49e282b8, sock=<optimized out>, 
> p=0x7f3c49e28028, thd=<optimized out>) at event.c:1099
> #15 worker_thread (thd=<optimized out>, dummy=<optimized out>) at event.c:2003
> #16 0x00007f3c7a3a4494 in start_thread (arg=0x7f3c54ff9700) at 
> pthread_create.c:333
> #17 0x00007f3c7a0e6acf in clone () at 
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
> ```
> 
> The issue was reported upstream, Apache Bug 60275, including a patch:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60275
> The patch made it into upstream Apache 2.4.26 (see 
> https://www.apache.org/dist/httpd/CHANGES_2.4):
> 
> *) mod_proxy_fcgi, mod_fcgid: Fix crashes in ap_fcgi_encoded_env_len() when
>    modules add empty environment variables to the request. PR 60275.
>    [<alex2grad AT gmail.com>]
> 
> I have applied the provided patch on apache2_2.4.25-3+deb9u4_amd64 and 
> installed apache2-bin. This resolved the issue 100% (Apache was previously 
> crashing on avg 15 times/h over months, since installing patched apache2-bin 
> no more single segfault!).
> 
> apache2-2.4.25-pr60275.patch:
> 
> ```diff
> diff -ur apache2-2.4.25/server/util_fcgi.c 
> apache2-2.4.25-patched/server/util_fcgi.c
> --- apache2-2.4.25/server/util_fcgi.c 2015-07-20 12:28:13.000000000 +0200
> +++ apache2-2.4.25-patched/server/util_fcgi.c 2018-07-01 09:16:08.122664970 
> +0200
> @@ -153,7 +153,11 @@
> 
>         envlen += keylen;
> 
> -        vallen = strlen(elts[i].val);
> +     if (!elts[i].val) {
> +         vallen = 0;
> +     } else {
> +         vallen = strlen(elts[i].val);
> +     }
> 
>         if (vallen >> 7 == 0) {
>             envlen += 1;
> @@ -226,7 +230,11 @@
>             buflen -= 4;
>         }
> 
> -        vallen = strlen(elts[i].val);
> +        if (!elts[i].val) {
> +            vallen = 0;
> +        } else {
> +         vallen = strlen(elts[i].val);
> +     }
> 
>         if (vallen >> 7 == 0) {
>             if (buflen < 1) {
> @@ -262,8 +270,10 @@
>             rv = APR_ENOSPC; /* overflow */
>             break;
>         }
> -        memcpy(itr, elts[i].val, vallen);
> -        itr += vallen;
> +     if (elts[i].val) {
> +         memcpy(itr, elts[i].val, vallen);
> +         itr += vallen;
> +     }
> 
>         if (buflen == vallen) {
>             (*starting_elem)++;
> ```
> 
> Please try to get this into the next Debian Stretch point release. It seems 
> to be critical as this bug renders mod_proxy_fcgi unusable for most.
> 
> Thanks,
> Philip
> 
> 
> -- Package-specific info:
> 
> -- System Information:
> Debian Release: 9.4
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.15.17-3-pve (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
> to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to 
> en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages apache2-bin depends on:
> ii  libapr1                  1.5.2-5
> ii  libaprutil1              1.5.4-3
> ii  libaprutil1-dbd-sqlite3  1.5.4-3
> ii  libaprutil1-ldap         1.5.4-3
> ii  libc6                    2.24-11+deb9u3
> ii  libldap-2.4-2            2.4.44+dfsg-5+deb9u1
> ii  liblua5.2-0              5.2.4-1.1+b2
> ii  libnghttp2-14            1.18.1-1
> ii  libpcre3                 2:8.39-3
> ii  libssl1.0.2              1.0.2l-2+deb9u3
> ii  libxml2                  2.9.4+dfsg1-2.2+deb9u2
> ii  perl                     5.24.1-3+deb9u4
> ii  zlib1g                   1:1.2.8.dfsg-5
> 
> apache2-bin recommends no packages.
> 
> Versions of packages apache2-bin suggests:
> pn  apache2-doc                                      <none>
> pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
> pn  www-browser                                      <none>
> 
> Versions of packages apache2-bin is related to:
> pn  apache2      <none>
> ii  apache2-bin  2.4.25-3+deb9u4
> 
> -- no debconf information
> 
> 

Reply via email to