[Bug 1272857] Re: Double free in libapache2-mod-auth-pgsql causes Apache to crash

Andreas Hasenack andreas at canonical.com
Thu Aug 3 14:08:56 UTC 2017


Trusty verification

Confirmed the segfault with libapache2-mod-auth-pgsql 2.0.3-6:
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
curl: (52) Empty reply from server

logs:
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007effd80007c8 ***
[Thu Aug 03 14:03:55.357288 2017] [core:notice] [pid 6943:tid 139637886596992] AH00051: child pid 6947 exit signal Aborted (6), possible coredump in /etc/apache2

Installing the version from proposed:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main libapache2-mod-auth-pgsql amd64 2.0.3-6ubuntu0.1 [18.6 kB]
Fetched 18.6 kB in 0s (1,000 kB/s)                   
(Reading database ... 26196 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-auth-pgsql_2.0.3-6ubuntu0.1_amd64.deb ...
Unpacking libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) over (2.0.3-6) ...
Setting up libapache2-mod-auth-pgsql (2.0.3-6ubuntu0.1) ...
apache2_invoke 000_auth_pgsql: already enabled
 * Restarting web server apache2                    

Repeating the test several times, no crash:
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
ubuntu at trusty-mod-auth-pgsql-double-free-1272857:~$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!


** Tags removed: verification-needed
** Tags added: verification-done-xenial

** Tags removed: verification-done-xenial
** Tags added: verification-done-trusty

** Tags added: verification-done

https://bugs.launchpad.net/bugs/1272857

Title:
  Double free in libapache2-mod-auth-pgsql causes Apache to crash

Status in libapache2-mod-auth-pgsql package in Ubuntu:
  Fix Released
Status in libapache2-mod-auth-pgsql source package in Trusty:
  Fix Committed
Status in libapache2-mod-auth-pgsql package in Debian:
  Fix Released

Bug description:
  [Impact]
  The libapache2-mod-auth-pgsql module will trigger frequent segfaults in apache if used in conjunction with a CGI script.

  
  [Test Case]

  * install the packages on the Ubuntu release you are testing:
  $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql

  * create the database and populate it with the test user:
  $ sudo -u postgres -H createdb userdb
  $ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, ApachePassword text);"
  $ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 'secret');"

  * Create the DB user the module will use and grant access to the user table:
  $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
  $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"

  * Create /etc/apache2/conf-available/authpgtest.conf with the following content:
  Alias /authpgtest /export/scratch/authpgtest
  <Directory /export/scratch/authpgtest/>
    Options +ExecCGI +FollowSymLinks
    AddHandler cgi-script .pl
    AuthType basic
    AuthName "My Auth"
    Require valid-user
    AuthBasicProvider pgsql
    Auth_PG_authoritative On
    Auth_PG_host 127.0.0.1
    Auth_PG_port 5432
    Auth_PG_user www
    Auth_PG_pwd password
    Auth_PG_database userdb
    Auth_PG_encrypted off
    Auth_PG_pwd_table UserLogin
    Auth_PG_uid_field Username
    Auth_PG_pwd_field ApachePassword
  </Directory>

  * Enable this new configuration:
  $ sudo a2enconf authpgtest.conf

  * Enable the auth-pgsql and cgi modules and then restart apache:
  $ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
  $ sudo service apache2 restart

  * Create the CGI directory for our script:
  $ sudo mkdir -p /export/scratch/authpgtest

  * Create the CGI script /export/scratch/authpgtest/hw.pl with the following contents:
  #!/usr/bin/perl
  print "Content-type: text/html\n\n";
  print "Hello, World!\n";

  * Make it executable:
  $ sudo chmod 0755 /export/scratch/authpgtest/hw.pl

  * Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times while tailing /var/log/apache2/error.log. After a few tries it will fail, and apache will log a segfault:
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  Hello, World!
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  Hello, World!
  $ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
  curl: (52) Empty reply from server

  In /var/log/apache2/error.log:
  *** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007fa9340007c8 ***
  [Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2

  After installing the fixed libapache2-mod-auth-pgsql package, all
  attempts will work.

  
  [Regression Potential]
  This patch is already being used in Ubuntu releases higher than trusty, all the way to artful, and also in Debian.

  This is a very old module that hasn't been built in a while (see
  [Other Info] below). It's possible that just rebuilding it with the
  new environment available in Trusty could introduce unknowns.
  Hopefully, if that happens, it will be immediately noticed by the
  people who use it and will test this SRU.

  
  [Other Info]
  This module hasn't been rebuilt since vivid and seems unmaintained, being at version 2.0.3 since the precise days:
   libapache2-mod-auth-pgsql | 2.0.3-5build2 | precise
   libapache2-mod-auth-pgsql | 2.0.3-6 | trusty
   libapache2-mod-auth-pgsql | 2.0.3-6.1 | vivid
   libapache2-mod-auth-pgsql | 2.0.3-6.1 | xenial
   libapache2-mod-auth-pgsql | 2.0.3-6.1 | yakkety
   libapache2-mod-auth-pgsql | 2.0.3-6.1 | zesty
   libapache2-mod-auth-pgsql | 2.0.3-6.1ubuntu1 | artful

  - Debian's last changelog entry is from August 2013
  - Fedora killed it in July 2011
  - I couldn't find it in SuSE

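Added example, not part of the bug report or of the libapache2-mod-auth-pgsql package: a POSIX shell helper that repeats the request from the test case until the first failure and checks an Apache error.log for the two lines the crash leaves behind. The function names are hypothetical and the embedded log excerpt is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report): helpers for verifying this SRU.

# Run a request command repeatedly and stop at the first non-zero exit
# status; a crashed Apache child shows up as "curl: (52) Empty reply".
# Prints the number of successful requests before the failure.
probe_until_failure() {
    max=$1; shift
    ok=0
    while [ "$ok" -lt "$max" ]; do
        "$@" >/dev/null 2>&1 || break
        ok=$((ok + 1))
    done
    echo "$ok"
}
# On a live test box (URL from the test case):
#   probe_until_failure 20 curl -fs http://ubuntu:secret@localhost/authpgtest/hw.pl

# Count the two lines the crash writes to /var/log/apache2/error.log:
# glibc's heap check aborting the child, then the parent reaping it.
count_glibc_free_errors() {
    grep -c 'free(): invalid pointer' "$1" || true
}
count_aborted_children() {
    grep -c 'AH00051: child pid [0-9]* exit signal Aborted (6)' "$1" || true
}

# True (exit 0) when the log carries the double-free signature.
log_shows_double_free() {
    [ "$(count_glibc_free_errors "$1")" -gt 0 ] &&
    [ "$(count_aborted_children "$1")" -gt 0 ]
}

# Constructed excerpt modelled on the lines quoted in the bug; the
# first (healthy) notice line must not be counted.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
[Thu Aug 03 14:03:50.000000 2017] [mpm_event:notice] [pid 6943:tid 1] AH00489: Apache configured -- resuming normal operations
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007effd80007c8 ***
[Thu Aug 03 14:03:55.357288 2017] [core:notice] [pid 6943:tid 139637886596992] AH00051: child pid 6947 exit signal Aborted (6), possible coredump in /etc/apache2
EOF

if log_shows_double_free "$SAMPLE_LOG"; then
    echo "crash signature present: $(count_aborted_children "$SAMPLE_LOG") aborted child(ren)"
fi
```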


