[Bug 988819] Re: [SRU] wrong path to libxml2.so.2 in mod_security - broken by multiarch enabled libraries

Robie Basak 988819 at bugs.launchpad.net
Thu Jul 19 12:48:36 UTC 2012 

** Description changed:

  [Impact]
  
- The libapache2-modsecurity package does not work out of the box (but a
- workaround is available).
+ The libapache2-modsecurity and libapache2-mod-proxy-html packages does
+ not work out of the box (but workarounds are available).
  
  [Test Case]
  
- apt-get -y install apache2 libapache2-modsecurity
+ apt-get -y install apache2 <libapache2-modsecurity or libapache2-mod-
+ proxy-html>
  
  This fails with the following error, although the postinst does exit 0:
-  Setting up libapache2-modsecurity (2.6.3-1) ...
-  Action 'configtest' failed.
-  The Apache error log may have more information.
-  Your apache2 configuration is broken, so we're not restarting it for you.
+  Setting up libapache2-modsecurity (2.6.3-1) ...
+  Action 'configtest' failed.
+  The Apache error log may have more information.
+  Your apache2 configuration is broken, so we're not restarting it for you.
  
  $ sudo apachectl configtest
  apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/mod-security.load: Cannot load /usr/lib/libxml2.so.2 into server: /usr/lib/libxml2.so.2: cannot open shared object file: No such file or directory
  Action 'configtest' failed.
  The Apache error log may have more information.
  
+ Expected results:
+ 
+ 1. The installations should succeed.
+ 2. "sudo apachectl configtest" should return "Syntax OK" with a zero exit status.
+ 3. "sudo grep libxml2.so.2 /proc/$(cat /run/apache2.pid)/maps" should display load locations of libxml2.so.2.<version>, in order to verify that the runtime linker has successfully linked the required module.
+ 
  [Fix]
  
  Debian has fixed this by updating apache2 to use dlopen's search path
  and changing mod-security.load to not use any absolute path. We have
- merged apache2 and synced modsecurity-apache and verified that Quantal
- is fixed.
+ merged apache2.  modsecurity-apache and mod-proxy-html have synced and I
+ have verified that Quantal is fixed.
  
- For Precise, we have backported the upstream apache2 dlopen search path
- modification, and fixed the path in mod-security.load the same as
- Debian.
+ For the Precise SRU, it was concluded that the change to apache2 in
+ Debian is too invasive. Instead, we have removed the LoadFile directives
+ entirely, after ensuring that the modules do depend correctly on
+ libxml2.so.2.
  
  [Regression Potential]
  
- The modsecurity-apache fix is just the load path, so it should either
- work or fail. I can't see any potential for regression here.
+ With the new approach, apache2 does not need an update.
  
- The apache2 fix involves changing the behaviour of dynamic module loads.
- There is now a fallback to use the dlopen search path if the name does
- not use an absolute path. If there is a regression, it will probably be
- with edge cases to do with module load paths and likely manifest
- themselves as modules failing to load. "sudo apachectl configtest"
- should reveal these.
+ Previously, libapache2-modsecurity and libapache2-mod-proxy-html did not
+ load at all in the default configuration, so I don't see how there could
+ be a regression here.
  
+ We have changed a config file, but since it is a config file, an
+ administrator who has manually worked around the problem by changing the
+ config file differently will be prompted and so should not get an
+ unexpected regression.
+ 
+ /usr/lib/apache2/modules/mod_proxy_html.so now explicitly imports
+ symbols from libxml2.so.2, but this was done by the LoadFile directive
+ anyway, so I don't see that there would be a problem here.
+ 
+ So the area to look for regressions is in the existence of XML
+ functionality in these two modules, but I think this change is so
+ minimal it is very unlikely.
  
  Original bug description:
  
  service apache2 restart
  apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/mod-security.load: Cannot load /usr/lib/libxml2.so.2 into server: /usr/lib/libxml2.so.2: cannot open shared object file: No such file or directory
  Action 'configtest' failed.
  The Apache error log may have more information.
     ...fail!
  
  in file /etc/apache2/mods-enabled/mod-security.load:
  LoadFile /usr/lib/libxml2.so.2
  
  correct path on x86 would be /usr/lib/i386-linux-gnu/libxml2.so.2
  
  maybe a symlink could fix this issue?

** Branch linked: lp:~racb/ubuntu/precise/mod-proxy-html/988819

** Branch linked: lp:~racb/ubuntu/precise/modsecurity-apache/988819_2

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to apache2 in Ubuntu.
https://bugs.launchpad.net/bugs/988819

Title:
  [SRU] wrong path to libxml2.so.2 in mod_security - broken by multiarch
  enabled libraries

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/988819/+subscriptions

More information about the Ubuntu-server-bugs mailing list