[Bug 1272857] [NEW] Double free in libapache2-mod-auth-pgsql causes Apache to crash

Launchpad Bug Tracker 1272857 at bugs.launchpad.net
Wed Jul 19 21:21:50 UTC 2017 

You have been subscribed to a public bug by Andreas Hasenack (ahasenack):

[Impact]
The libapache2-mod-auth-pgsql module will trigger frequent segfaults in apache if used in conjunction with a CGI script.


[Test Case]

* install the packages on the Ubuntu release you are testing:
$ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql

* create the database and populate it with the test user:
$ sudo -u postgres -H createdb userdb
$ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, ApachePassword text);"
$ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 'secret');"

* Create the DB user the module will use and grant access to the user table:
$ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
$ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"

* Create /etc/apache2/conf-available/authpgtest.conf with the following content:
Alias /authpgtest /export/scratch/authpgtest
<Directory /export/scratch/authpgtest/>
  Options +ExecCGI +FollowSymLinks
  AddHandler cgi-script .pl
  AuthType basic
  AuthName "My Auth"
  Require valid-user
  AuthBasicProvider pgsql
  Auth_PG_authoritative On
  Auth_PG_host 127.0.0.1
  Auth_PG_port 5432
  Auth_PG_user www
  Auth_PG_pwd password
  Auth_PG_database userdb
  Auth_PG_encrypted off
  Auth_PG_pwd_table UserLogin
  Auth_PG_uid_field Username
  Auth_PG_pwd_field ApachePassword
</Directory>

* Enable this new configuration:
$ sudo a2enconf authpgtest.conf

* Enable the auth-pgsql and cgi modules and then restart apache:
$ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
$ sudo service apache2 restart

* Create the CGI directory for our script:
$ sudo mkdir -p /export/scratch/authpgtest

* Create the CGI script /export/scratch/authpgtest/hw.pl with the following contents:
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World!\n";

* Make it executable:
$ sudo chmod 0755 /export/scratch/authpgtest/hw.pl

* Access the http://ubuntu:secret@localhost/authpgtest/hw.pl URL a few times while tailing /var/log/apache/error.log. After a few tries it will fail, and apache will log a segfault:
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
Hello, World!
$ curl -f http://ubuntu:secret@localhost/authpgtest/hw.pl
curl: (52) Empty reply from server

In /var/log/apache2/error.log:
*** Error in `/usr/sbin/apache2': free(): invalid pointer: 0x00007fa9340007c8 ***
[Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2

After installing the fixed libapache2-mod-auth-pgsql package, all
attempts will work.


[Regression Potential]
This patch is already being used in Ubuntu releases higher than trusty, all the way to artful, and also in Debian.

This is a very old module that hasn't been built in a while (see [other
info] below. It's possible that just by rebuilding it with the new
environment available in Trusty could introduce unknowns. Hopefully, if
that happens, it will be immediately noticed by the people who use it
and will test this SRU.


[Other Info]
This module hasn't been rebuilt since vivid and seems unmaintained, being at version 2.0.3 since the precise days:
 libapache2-mod-auth-pgsql | 2.0.3-5build2 | precise
 libapache2-mod-auth-pgsql | 2.0.3-6 | trusty
 libapache2-mod-auth-pgsql | 2.0.3-6.1 | vivid
 libapache2-mod-auth-pgsql | 2.0.3-6.1 | xenial
 libapache2-mod-auth-pgsql | 2.0.3-6.1 | yakkety
 libapache2-mod-auth-pgsql | 2.0.3-6.1 | zesty
 libapache2-mod-auth-pgsql | 2.0.3-6.1ubuntu1 | artful

- Debian's last changelog entry is from August 2013
- Fedora killed it in July 2011
- I couldn't find it in SuSE

** Affects: libapache2-mod-auth-pgsql (Ubuntu)
     Importance: Medium
     Assignee: mubm (mubm)
         Status: Fix Released

** Affects: libapache2-mod-auth-pgsql (Ubuntu Trusty)
     Importance: Medium
     Assignee: Andreas Hasenack (ahasenack)
         Status: In Progress

** Affects: libapache2-mod-auth-pgsql (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: amd64 apport-crash patch server-next trusty
-- 
Double free in libapache2-mod-auth-pgsql causes Apache to crash
https://bugs.launchpad.net/bugs/1272857
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list