[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash
Andreas Hasenack
andreas at canonical.com
Wed Jul 19 20:45:22 UTC 2017
** Description changed:
- Ubuntu Trusty Tahr 14.04
+ [Impact]
- apache2:
- Installed: 2.4.7-1ubuntu1
- Candidate: 2.4.7-1ubuntu1
- Version table:
- *** 2.4.7-1ubuntu1 0
- 500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
- 100 /var/lib/dpkg/status
+ * An explanation of the effects of the bug on users and
- Just maked a following steps:
- - sudo apt-get update
- - sudo apt-get upgrade
+ * justification for backporting the fix to the stable release.
- ProblemType: Crash
- DistroRelease: Ubuntu 14.04
- Package: apache2-bin 2.4.7-1ubuntu1
- ProcVersionSignature: Ubuntu 3.13.0-4.19-generic 3.13.0-rc8
- Uname: Linux 3.13.0-4-generic x86_64
- NonfreeKernelModules: nvidia
- ApportVersion: 2.13.1-0ubuntu2
- Architecture: amd64
- Date: Sun Jan 26 00:07:10 2014
- ExecutablePath: /usr/sbin/apache2
- InstallationDate: Installed on 2012-12-19 (402 days ago)
- InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64+mac (20111012)
- ProcCmdline: /usr/sbin/apache2 -k start
- ProcEnviron:
- PATH=(custom, no user)
- LANG=C
- SegvAnalysis:
- Segfault happened at: 0x7f197ce45bb2: and %al,(%rax)
- PC (0x7f197ce45bb2) ok
- source "%al" ok
- destination "(%rax)" (0x00000000) not located in a known VMA region (needed writable region)!
- SegvReason: writing NULL VMA
- Signal: 11
- SourcePackage: apache2
- StacktraceTop:
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
- <signal handler called>
- __accept_nocancel () at ../sysdeps/unix/syscall-template.S:81
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
- ?? () from /usr/lib/apache2/modules/mod_cgid.so
- Title: apache2 crashed with SIGSEGV in <signal handler called>()
- UpgradeStatus: Upgraded to trusty on 2013-11-10 (76 days ago)
- UserGroups:
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
+
+ [Test Case]
+
+ * install the packages on the Ubuntu release you are testing:
+ $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql
+
+ * create the database and populate it with the test user:
+ $ sudo -u postgres -H createdb userdb
+ $ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, ApachePassword text);"
+ $ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 'secret');"
+
+ * Create the DB user the module will use and grant access to the user table:
+ $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
+ $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
+
+ * Create /etc/apache2/conf-available/authpgtest.conf with the following content:
+ Alias /authpgtest /export/scratch/authpgtest
+ <Directory /export/scratch/authpgtest/>
+ Options +ExecCGI +FollowSymLinks
+ AddHandler cgi-script .pl
+ AuthType basic
+ AuthName "My Auth"
+ Require valid-user
+ AuthBasicProvider pgsql
+ Auth_PG_authoritative On
+ Auth_PG_host 127.0.0.1
+ Auth_PG_port 5432
+ Auth_PG_user www
+ Auth_PG_pwd password
+ Auth_PG_database userdb
+ Auth_PG_encrypted off
+ Auth_PG_pwd_table UserLogin
+ Auth_PG_uid_field Username
+ Auth_PG_pwd_field ApachePassword
+ </Directory>
+
+ * Enable this new configuration:
+ $ sudo a2enconf authpgtest.conf
+
+ * Enable the auth-pgsql and cgi modules and then restart apache:
+ $ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
+ $ sudo service apache2 restart
+
+ * Create the CGI directory for our script:
+ $ sudo mkdir -p /export/scratch/authpgtest
+
+ * Create the CGI script /export/scratch/authpgtest/hw.pl with the following contents:
+ #!/usr/bin/perl
+ print "Content-type: text/html\n\n";
+ print "Hello, World!\n";
+
+ * Make it executable:
+ $ sudo chmod 0755 /export/scratch/authpgtest/hw.pl
+
+
+ * Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times while tailing /var/log/apache/error.log. After a few tries it will fail, and apache will log a segfault:
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ Hello, World!
+ $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
+ curl: (52) Empty reply from server
+
+ In /var/log/apache2/error.log:
+ *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007fa9340007c8 ***
+ [Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2
+
+
+ After installing the fixed libapache2-mod-auth-pgsql package, all attempts will work.
+
+
+ [Regression Potential]
+
+ * discussion of how regressions are most likely to manifest as a result
+ of this change.
+
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
+
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
+
+ [Other Info]
+
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
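Review bot: the curl step in [Test Case] tells the tester to tail /var/log/apache/error.log, while the expected output a few lines later is quoted from /var/log/apache2/error.log; use the apache2 path in both places so the tester watches the file where the "free(): invalid pointer" abort is logged. The [Impact], [Regression Potential] and [Other Info] sections still carry the SRU template's placeholder bullets and need the actual impact statement and regression analysis for this fix. The step that creates /export/scratch/authpgtest also comes after the configuration that references it is enabled and Apache is restarted; moving the mkdir ahead of a2enconf would keep the steps in dependency order.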
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1272857
Title:
Double free in libapache2-mod-auth-pgsql causes Apache to crash
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1272857/+subscriptions