[Bug 73556] libapache2-mod-suphp causes double free error in Apache error log when script is inaccessible

Rouben rouben at rouben.net
Tue Dec 5 06:47:36 GMT 2006


Public bug reported:

Binary package hint: libapache2-mod-suphp

Whenever suphp refuses to run a script for any reason (e.g. UID/GID out
of configured allowable range, wrong permissions, etc.), it causes the
following error messages to appear in the Apache error log:

---SNIP---
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:193: Script "/var/www/index.cgi" resolving to "/var/www/index.cgi" not within configured docroot
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:291: UID of script "/var/www/index.cgi" is smaller than min_uid
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:472: Could not execute script "/var/www/index.cgi"
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Caused by SystemException in API_Linux.cpp:427: execve() for program "/var/www/index.cgi" failed: Permission denied
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
---SNIP---

As you can see, the above are three distinct examples:

1. [Mon Nov 27 17:56:12 2006] was caused by the target script being outside of the allowable suphp docroot.
2. [Mon Nov 27 17:56:41 2006] was caused by wrong ownership: owner UID of the target script file was less than the allowable UID.
3. [Mon Nov 27 17:57:18 2006] was caused by wrong permissions (the www-data user/group has no read access to the script in question).

In all three cases, the last error message seen was always "*** glibc
detected *** double free or corruption (fasttop): 0x0806f9f8 ***" which
is a bit unnerving. I am not sure if this problem is potentially
exploitable.

Note that this seems to be a known issue with suphp, and the latest
release (0.6.2) seems to have addressed the issue according to the suphp
homepage: http://www.suphp.org/

** Affects: suphp (Ubuntu)
     Importance: Undecided
     Assignee: Ubuntu Package Archive Administrators
         Status: Confirmed
** Affects: suphp (Debian)
     Importance: Unknown
         Status: Unconfirmed

-- 
libapache2-mod-suphp causes double free error in Apache error log when script is inaccessible
https://launchpad.net/bugs/73556
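
A log triage sketch for the pattern in this report, added here as an example and not part of the original bug report or of suPHP: it pairs each glibc corruption abort in an Apache error log with the suPHP exception logged for the same request. The names `correlate` and `first`, the regexes and the grouping by timestamp and client are assumptions; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# Sample input: the error-log lines quoted in the report above.
SAMPLE_LOG = '''
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:193: Script "/var/www/index.cgi" resolving to "/var/www/index.cgi" not within configured docroot
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:291: UID of script "/var/www/index.cgi" is smaller than min_uid
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:472: Could not execute script "/var/www/index.cgi"
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Caused by SystemException in API_Linux.cpp:427: execve() for program "/var/www/index.cgi" failed: Permission denied
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
'''

# Apache 2.x error-log layout: [timestamp] [error] [client ip] message
LINE = re.compile(r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] (.*)$')
SOFT = re.compile(r'^SoftException in (\S+?:\d+): (.*)$')
CAUSE = re.compile(r'^Caused by \w+ in \S+?:\d+: (.*)$')
GLIBC = re.compile(r'\*\*\* glibc detected \*\*\* (.+?): (0x[0-9a-fA-F]+) \*\*\*')

def first(pattern, msgs):
    """Return the first match of pattern over msgs, or None."""
    return next((m for m in map(pattern.search, msgs) if m), None)

def correlate(log_text):
    """Pair each glibc abort with the suPHP exception of the same request.
    Assumption: lines sharing timestamp and client belong to one request."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            groups[(m[1], m[2])].append(m[3])
    findings = []
    for (ts, client), msgs in groups.items():
        soft, cause = first(SOFT, msgs), first(CAUSE, msgs)
        for msg in msgs:
            g = GLIBC.search(msg)
            if g:
                findings.append({
                    'time': ts, 'client': client,
                    'corruption': g[1], 'address': g[2],
                    'source': soft[1] if soft else None,
                    'reason': soft[2] if soft else None,
                    'cause': cause[1] if cause else None,
                })
    return findings
```

Calling `correlate(SAMPLE_LOG)` returns one finding per refused request, so a glibc abort that arrives without a matching SoftException (source `None`) stands out as a different failure path.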


