Debian Bug report logs -
#644169
libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Mon, 03 Oct 2011 15:12:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>
:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Mon, 03 Oct 2011 15:12:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libapache2-mod-perl2
Version: 2.0.4-7
Severity: important
I'm unable to disable <Perl> sections, as described here:
http://perl.apache.org/docs/2.0/user/config/config.html#C_Perl_Handler_
Note: all configuration options below and screen output is indented by
two spaces intentionally. Comments are not indented.
So, according to the documentation, I should be able to simply place
the following in the server configuration.
PerlOption -Sections
When the option is placed in the server configuration, the following error message is printed to screen when using apache2ctl configtest:
Syntax error on line 10 of /etc/apache2/conf.d/all_vhosts:
Invalid per-server PerlOption: Sections
Action 'configtest' failed.
The Apache error log may have more information.
The apache error log does not have any information.
This option is not allowed in per-directory configurations, and if I
try to do so, Apache provides the following error message (IP address
and path mangled):
[Mon Oct 03 16:11:28 2011] [alert] [client aaa.bbb.ccc.ddd] /home/dir/.htaccess: Invalid per-directory PerlOption: Sections (only allowed per-server)
As far as I can tell from the changelog, nothing has changed regarding
this part of mod_perl 2 that would affect this feature between 2.0.4
(the version in Debian squeeze) and 2.0.5 (the current best version).
Updating to 2.0.5 from testing is not an option, because of eager
dependencies to newer versions of other packages.
For my use, this bug is a security problem, as it makes it impossible
to include mod_perl code to manage the Apache API in server
configurations without permitting users to run Perl code in the same
server, unless you also disable per-user configuration in .htaccess,
which breaks other useful functionality.
-- Package-specific info:
-------------8<---------- Start Bug Report ------------8<----------
1. Problem Description:
[DESCRIBE THE PROBLEM HERE]
2. Used Components and their Configuration:
*** mod_perl version 2.000004
*** using /usr/lib/perl5/Apache2/BuildConfig.pm
*** Makefile.PL options:
MP_APR_LIB => aprext
MP_APXS => /usr/bin/apxs2
MP_CCOPTS => -g -Wall
MP_COMPAT_1X => 1
MP_GENERATE_XS => 1
MP_INCLUDE_DIR => /usr/include/apache2 /usr/include/apr-1.0
MP_LIBNAME => mod_perl
MP_TRACE => 0
MP_USE_DSO => 1
MP_USE_GTOP => 1
MP_USE_STATIC => 0
*** The httpd binary was not found
*** (apr|apu)-config linking info
-L/usr/lib -laprutil-1 -ldb
-L/usr/lib -lapr-1
*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
Platform:
osname=linux, osvers=2.6.32-5-amd64, archname=x86_64-linux-gnu-thread-multi
uname='linux brahms 2.6.32-5-amd64 #1 smp tue jun 14 09:42:28 utc 2011 x86_64 gnulinux '
config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 -Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 -Dd_dosuid -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=define, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-O2 -g',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
ccversion='', gccversion='4.4.5', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
perllibs=-ldl -lm -lpthread -lc -lcrypt
libc=/lib/libc-2.11.2.so, so=so, useshrplib=true, libperl=libperl.so.5.10.1
gnulibc_version='2.11.2'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector'
Characteristics of this binary (from libperl):
Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP USE_64_BIT_ALL
USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
USE_PERLIO USE_REENTRANT_API
Locally applied patches:
DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts
DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable.
DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
DEBPKG:debian/extutils_hacks - Various debian-specific ExtUtils changes
DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
DEBPKG:debian/m68k_thread_stress - http://bugs.debian.org/495826 Disable some threads tests on m68k for now due to missing TLS.
DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
DEBPKG:debian/module_build_man_extensions - http://bugs.debian.org/479460 Adjust Module::Build manual page extensions for the Debian Perl policy
DEBPKG:debian/perl_synopsis - http://bugs.debian.org/278323 Rearrange perl.pod
DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
DEBPKG:debian/use_gdbm - Explicitly link against -lgdbm_compat in ODBM_File/NDBM_File.
DEBPKG:fixes/assorted_docs - http://bugs.debian.org/443733 [384f06a] Math::BigInt::CalcEmu documentation grammar fix
DEBPKG:fixes/net_smtp_docs - http://bugs.debian.org/100195 [rt.cpan.org #36038] Document the Net::SMTP 'Port' option
DEBPKG:fixes/processPL - http://bugs.debian.org/357264 [rt.cpan.org #17224] Always use PERLRUNINST when building perl modules.
DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
DEBPKG:fixes/pod2man-index-backslash - http://bugs.debian.org/521256 Escape backslashes in .IX entries
DEBPKG:debian/disable-zlib-bundling - Disable zlib bundling in Compress::Raw::Zlib
DEBPKG:fixes/kfreebsd_cppsymbols - http://bugs.debian.org/533098 [3b910a0] Add gcc predefined macros to $Config{cppsymbols} on GNU/kFreeBSD.
DEBPKG:debian/cpanplus_definstalldirs - http://bugs.debian.org/533707 Configure CPANPLUS to use the site directories by default.
DEBPKG:debian/cpanplus_config_path - Save local versions of CPANPLUS::Config::System into /etc/perl.
DEBPKG:fixes/kfreebsd-filecopy-pipes - http://bugs.debian.org/537555 [16f708c] Fix File::Copy::copy with pipes on GNU/kFreeBSD
DEBPKG:fixes/anon-tmpfile-dir - http://bugs.debian.org/528544 [perl #66452] Honor TMPDIR when open()ing an anonymous temporary file
DEBPKG:fixes/abstract-sockets - http://bugs.debian.org/329291 [89904c0] Add support for Abstract namespace sockets.
DEBPKG:fixes/hurd_cppsymbols - http://bugs.debian.org/544307 [eeb92b7] Add gcc predefined macros to $Config{cppsymbols} on GNU/Hurd.
DEBPKG:fixes/autodie-flock - http://bugs.debian.org/543731 Allow for flock returning EAGAIN instead of EWOULDBLOCK on linux/parisc
DEBPKG:fixes/archive-tar-instance-error - http://bugs.debian.org/539355 [rt.cpan.org #48879] Separate Archive::Tar instance error strings from each other
DEBPKG:fixes/positive-gpos - http://bugs.debian.org/545234 [perl #69056] [c584a96] Fix \G crash on first match
DEBPKG:debian/devel-ppport-ia64-optim - http://bugs.debian.org/548943 Work around an ICE on ia64
DEBPKG:fixes/trie-logic-match - http://bugs.debian.org/552291 [perl #69973] [0abd0d7] Fix a DoS in Unicode processing [CVE-2009-3626]
DEBPKG:fixes/hppa-thread-eagain - http://bugs.debian.org/554218 make the threads-shared test suite more robust, fixing failures on hppa
DEBPKG:fixes/crash-on-undefined-destroy - http://bugs.debian.org/564074 [perl #71952] [1f15e67] Fix a NULL pointer dereference when looking for a DESTROY method
DEBPKG:fixes/tainted-errno - http://bugs.debian.org/574129 [perl #61976] [be1cf43] fix an errno stringification bug in taint mode
DEBPKG:fixes/safe-upgrade - http://bugs.debian.org/582978 Upgrade Safe.pm to 2.25, fixing CVE-2010-1974
DEBPKG:fixes/tell-crash - http://bugs.debian.org/578577 [f4817f3] Fix a tell() crash on bad arguments.
DEBPKG:fixes/format-write-crash - http://bugs.debian.org/579537 [perl #22977] [421f30e] Fix a crash in format/write
DEBPKG:fixes/arm-alignment - http://bugs.debian.org/289884 [f1c7503] Prevent gcc from optimizing the alignment test away on armel
DEBPKG:fixes/fcgi-test - Fix a failure in CGI/t/fast.t when FCGI is installed
DEBPKG:fixes/hurd-ccflags - http://bugs.debian.org/587901 Make hints/gnu.sh append to $ccflags rather than overriding them
DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
DEBPKG:fixes/lc-numeric-docs - http://bugs.debian.org/379329 [perl #78452] [903eb63] LC_NUMERIC documentation fixes
DEBPKG:fixes/lc-numeric-sprintf - http://bugs.debian.org/601549 [perl #78632] [b3fd614] Fix sprintf not to ignore LC_NUMERIC with constants
DEBPKG:fixes/concat-stack-corruption - http://bugs.debian.org/596105 [perl #78674] [e3393f5] Fix stack pointer corruption in pp_concat() with 'use encoding'
DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al.
DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval
DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h
Built under linux
Compiled at Jun 30 2011 22:28:00
%ENV:
PERL_LWP_USE_HTTP_10="1"
@INC:
/etc/perl
/usr/local/lib/perl/5.10.1
/usr/local/share/perl/5.10.1
/usr/lib/perl5
/usr/share/perl5
/usr/lib/perl/5.10
/usr/share/perl/5.10
/usr/local/lib/site_perl
.
*** Packages of interest status:
Apache2 : -
Apache2::Request : -
CGI : 3.43, 3.49
ExtUtils::MakeMaker: 6.55_02
LWP : 5.836
mod_perl : -
mod_perl2 : 2.000004
3. This is the core dump trace: (if you get a core dump):
[CORE TRACE COMES HERE]
This report was generated by /usr/share/libapache2-mod-perl2/mp2bug on Mon Oct 3 14:55:40 2011 GMT.
-------------8<---------- End Bug Report --------------8<----------
-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libapache2-mod-perl2 depends on:
ii apache2 2.2.16-6+squeeze3 Apache HTTP Server metapackage
ii apache2-mpm-worker [ap 2.2.16-6+squeeze3 Apache HTTP Server - high speed th
ii apache2.2-common 2.2.16-6+squeeze3 Apache HTTP Server common files
ii libapr1 1.4.2-6+squeeze3 The Apache Portable Runtime Librar
ii libaprutil1 1.3.9+dfsg-5 The Apache Portable Runtime Utilit
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libdb4.8 4.8.30-2 Berkeley v4.8 Database Libraries [
ii libdevel-symdump-perl 2.08-3 Perl module for inspecting perl's
ii libperl5.10 5.10.1-17squeeze2 shared Perl library
ii liburi-perl 1.54-2 module to manipulate and access UR
ii libwww-perl 5.836-1 Perl HTTP/WWW client/server librar
ii netbase 4.45 Basic TCP/IP networking system
ii perl [libmime-base64-p 5.10.1-17squeeze2 Larry Wall's Practical Extraction
ii perl-base [perlapi-5.1 5.10.1-17squeeze2 minimal Perl system
Versions of packages libapache2-mod-perl2 recommends:
ii libapache2-reload-perl 0.10-2 Reload Perl modules when changed o
ii libbsd-resource-perl 1.2904-1 BSD process resource limit and pri
libapache2-mod-perl2 suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Tue, 04 Oct 2011 07:39:08 GMT) (full text, mbox, link).
Message #8 received at 644169@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 644169 confirmed
found 644169 2.0.5-2
thanks
-=| Jan Ingvoldstad, 03.10.2011 17:08:52 +0200 |=-
> I'm unable to disable <Perl> sections, as described here:
>
> http://perl.apache.org/docs/2.0/user/config/config.html#C_Perl_Handler_
>
> So, according to the documentation, I should be able to simply place
> the following in the server configuration.
>
> PerlOption -Sections
>
> When the option is placed in the server configuration, the following error message is printed to screen when using apache2ctl configtest:
>
> Syntax error on line 10 of /etc/apache2/conf.d/all_vhosts:
> Invalid per-server PerlOption: Sections
Same here.
I tried a patch that seems to accept 'PerlOptions -Sections' (tested
within <VirtualHost>), but the <Perl> sections are still run :(
[signature.asc (application/pgp-signature, inline)]
Added tag(s) confirmed.
Request was from Damyan Ivanov <dmn@debian.org>
to control@bugs.debian.org
.
(Tue, 04 Oct 2011 07:39:15 GMT) (full text, mbox, link).
Bug Marked as found in versions 2.0.5-2.
Request was from Damyan Ivanov <dmn@debian.org>
to control@bugs.debian.org
.
(Tue, 04 Oct 2011 07:39:16 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Wed, 05 Oct 2011 09:43:23 GMT) (full text, mbox, link).
Acknowledgement sent
to Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>
:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Wed, 05 Oct 2011 09:43:32 GMT) (full text, mbox, link).
Message #19 received at 644169@bugs.debian.org (full text, mbox, reply):
Here is a patch that ensures that <Perl> (and Pod) sections are only
allowed in the server configuration and not per directory, which
incidentally matches the specification table here:
http://perl.apache.org/docs/2.0/user/config/config.html#mod_perl_Directives_Argument_Types_and_Allowed_Location
The patch has been tested on the same system where I identified the
problem.
The patch solves the issue for me, and leaves only the following
issues, as far as I can tell:
- Should there be fine-grained control as "PerlOptions -Sections"
implies or not?
- The mod_perl documentation (online and in the module) probably
needs to be changed to reflect that PerlOptions -Sections does not
work.
Description: allow Perl and Pod sections only in server config
Author: Jan Ingvoldstad <jani+debian-mod-perl-2011+@ifi.uio.no>
Last-Update: 2011-10-05
--- a/src/modules/perl/mod_perl.c 2011-02-02 21:23:45.000000000 +0100
+++ b/src/modules/perl/mod_perl.c 2011-10-05 11:05:52.977576861 +0200
@@ -913,18 +913,18 @@
MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
- MP_CMD_DIR_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
- MP_CMD_DIR_RAW_ARGS("Perl", perldo, "Perl Code"),
+ MP_CMD_SRV_RAW_ARGS_ON_READ("<Perl", perl, "Perl Code"),
+ MP_CMD_SRV_RAW_ARGS("Perl", perldo, "Perl Code"),
MP_CMD_DIR_TAKE1("PerlSetInputFilter", set_input_filter,
"filter[;filter]"),
MP_CMD_DIR_TAKE1("PerlSetOutputFilter", set_output_filter,
"filter[;filter]"),
- MP_CMD_DIR_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
- MP_CMD_DIR_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
- MP_CMD_DIR_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
- MP_CMD_DIR_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
+ MP_CMD_SRV_RAW_ARGS_ON_READ("=pod", pod, "Start of POD"),
+ MP_CMD_SRV_RAW_ARGS_ON_READ("=back", pod, "End of =over"),
+ MP_CMD_SRV_RAW_ARGS_ON_READ("=cut", pod_cut, "End of POD"),
+ MP_CMD_SRV_RAW_ARGS_ON_READ("__END__", END, "Stop reading config"),
MP_CMD_SRV_RAW_ARGS("PerlLoadModule", load_module, "A Perl module"),
#ifdef MP_TRACE
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Wed, 05 Oct 2011 10:06:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>
:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Wed, 05 Oct 2011 10:06:14 GMT) (full text, mbox, link).
Message #24 received at 644169@bugs.debian.org (full text, mbox, reply):
One more thing:
Disallowing POD sections per-directory breaks some of the tests, that
is, those tests that use <Location.
The security risk in allowing POD sections is perhaps low enough that
this part of the patch can be skipped, but I didn't see any sense in
permitting POD sections when other parts of mod_perl are invisible to
the users.
Added tag(s) patch.
Request was from Dominic Hargreaves <dom@earth.li>
to control@bugs.debian.org
.
(Fri, 04 Jan 2013 18:45:08 GMT) (full text, mbox, link).
Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 26 Aug 2018 14:03:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Sun, 26 Aug 2018 14:27:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Sun, 26 Aug 2018 14:27:05 GMT) (full text, mbox, link).
Message #33 received at 644169@bugs.debian.org (full text, mbox, reply):
Hi
Back in 2011 after this bug was reported, for the security implication
mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
for <Perl> sections, and users allowed to write to .htaccess files can
run code as the user running the web server, leading to privilege
escalation.
This can be demonstrated in situations were both mod_perl and userdir
support would be enabled, or other setups potentially leading to full
root privilege escalation.
Jan, want to outline your finding in more detail? I just have
submitted the CVE itself to MITRE, as it was back then assigned from
the Debian pool.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Sun, 26 Aug 2018 19:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Sun, 26 Aug 2018 19:45:03 GMT) (full text, mbox, link).
Message #38 received at 644169@bugs.debian.org (full text, mbox, reply):
Hi
The MITRE CVE entry for CVE-2011-2767 is now populated:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767
Regards,
Salvatore
Marked as fixed in versions 2.0.9~1624218-2+deb8u3.
Request was from Dominic Hargreaves <dom@earth.li>
to control@bugs.debian.org
.
(Wed, 14 Nov 2018 09:24:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
:
Bug#644169
; Package libapache2-mod-perl2
.
(Wed, 14 Nov 2018 09:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominic Hargreaves <dom@earth.li>
:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
.
(Wed, 14 Nov 2018 09:30:03 GMT) (full text, mbox, link).
Message #45 received at 644169@bugs.debian.org (full text, mbox, reply):
On Sun, Aug 26, 2018 at 04:26:09PM +0200, Salvatore Bonaccorso wrote:
> Hi
>
> Back in 2011 after this bug was reported, for the security implication
> mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
> for <Perl> sections, and users allowed to write to .htaccess files can
> run code as the user running the web server, leading to privilege
> escalation.
>
> This can be demonstrated in situations were both mod_perl and userdir
> support would be enabled, or other setups potentially leading to full
> root privilege escalation.
>
> Jan, want to outline your finding in more detail? I just have
> submitted the CVE itself to MITRE, as it was back then assigned from
> the Debian pool.
This was apparently already fixed in jessie (LTS) - I've now updated the
bug metadata and I'll look at applying the fix in unstable and stable.
Dominic.
Reply sent
to Dominic Hargreaves <dom@earth.li>
:
You have taken responsibility.
(Thu, 15 Nov 2018 20:45:03 GMT) (full text, mbox, link).
Notification sent
to Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>
:
Bug acknowledged by developer.
(Thu, 15 Nov 2018 20:45:03 GMT) (full text, mbox, link).
Message #50 received at 644169-close@bugs.debian.org (full text, mbox, reply):
Source: libapache2-mod-perl2
Source-Version: 2.0.10-3
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 644169@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 15 Nov 2018 19:25:41 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source
Version: 2.0.10-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
libapache2-mod-perl2 - Integration of perl with the Apache2 web server
libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
Closes: 644169
Changes:
libapache2-mod-perl2 (2.0.10-3) unstable; urgency=medium
.
[ Salvatore Bonaccorso ]
* Update Vcs-* headers for switch to salsa.debian.org
.
[ Xavier Guimard ]
* Patches:
- update format of 0001-Skip-* and 370_http_syntax.patch
- use short link for bugs.d.o in honour-env-LDFLAGS.patch
- update offset in avoid-db-linkage.patch
- add new spelling errors in 200_fix-pod-spelling-errors.patch
* Apache2 license:
- update Apache2 license link
- add required NOTICE file in docs
* dependencies:
- remove useless dependency version to apache2-dev
- remove dh-apache2 from dependencies (alias to apache2-dev)
* Add myself to uploaders
* Declare compliance with policy 4.1.5
* Bump debhelper compatibility to 10
* Add debian/upstream/metadata
* Remove useless --parallel option in debian/rules
* Remove useless Testsuite entry
* Email change: Xavier Guimard -> yadd@debian.org
.
[ Dominic Hargreaves ]
* [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
user controlled configuration (Closes: #644169)
Checksums-Sha1:
8dc4708fa441700689e26ef4bbb0ae0ca129e3ee 2694 libapache2-mod-perl2_2.0.10-3.dsc
55d0e88a6a62b455d5615f1e78f1dce2a20b43cc 28576 libapache2-mod-perl2_2.0.10-3.debian.tar.xz
aa270701ac8565657f1d510eb500ed7272cef14e 7589 libapache2-mod-perl2_2.0.10-3_source.buildinfo
Checksums-Sha256:
c99e9aa6c45953e97909f05e12c0c23c15eb154d2bef17a103b06fde0077549b 2694 libapache2-mod-perl2_2.0.10-3.dsc
8c4058d2028ecbf9e675a9df856a251055da83ffeb9a0742d7452810db7bc254 28576 libapache2-mod-perl2_2.0.10-3.debian.tar.xz
dab6c0c1a0c938ad0b11cd7ffc90f2e23dad1dfd34dafdb3a56923de90723631 7589 libapache2-mod-perl2_2.0.10-3_source.buildinfo
Files:
dea913c8f362b7dc8667f5988af1c7e5 2694 httpd optional libapache2-mod-perl2_2.0.10-3.dsc
072290aebb624474e18e41a440c73268 28576 httpd optional libapache2-mod-perl2_2.0.10-3.debian.tar.xz
528c65bac897affc10d6cd6e7647cd1e 7589 httpd optional libapache2-mod-perl2_2.0.10-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlvtzxcNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsr7hEAC94d46HQxjzEyBi8TsAZwGAGtxKeBT7a+uMCK2
FQpeNxf8KRUPLmJ0WB5ixnPqfnD4+9SnEp5TX89il8Rfvvd2EfG5mMOhBCVA4z2A
C2loMyFRaKCj3wK76z73Kl3MjGsLFdX/qTUSoUzh8JBSLO7nKdNFC7yfiITgwtRo
SBD8HDoxPJZ4cChTjQhT+rGokJ/jrAqsvP9Q+bAkNcYBkCEnD1nqFipABbLHumPF
wEatrq1WrFan38dR4KC3qT9D6YONF05XqFO/bgdpXGjHevVrIgBamOTFjBMMFl2B
XmpdGj3G12JLMXCPqBEXgdxOGH6nYteCTswBJz4pAh7mu4StxBG41C34rOWIuyMJ
WVz03v7wXqEZeNMatUSuZ5YFspKYL2vkI1I8j/9s5IedbAqnjfWoZ7aMEhc4YSrw
hhQsa4R6DiEHFhUEzIEjlGChi3m0DoVh4dfH096K9EakvKqcBFTL+HbwsgXt2Pd5
B8nQ4DHqXtYNLPcgFY15uqODdnvLRJMoP1n6f+3VaGV2Hir7A5tK5YJ1r+PiVbcM
rI9pWEv9NDwjRfumlvVTKfLmv9ZuP1e4QlksDHN/zaVxDKi1B5U2BQQiUs9A6Rnw
ZwX/9gVBY+8NQnai85dtaMfcq9TYhp4Iaoq7gSJfx8yIcciUM43NbsCDsQ7h4e5u
RBAqrA==
=bUys
-----END PGP SIGNATURE-----
Reply sent
to Dominic Hargreaves <dom@earth.li>
:
You have taken responsibility.
(Thu, 03 Jan 2019 21:51:05 GMT) (full text, mbox, link).
Notification sent
to Jan Ingvoldstad <jani+debian-2011+@ifi.uio.no>
:
Bug acknowledged by developer.
(Thu, 03 Jan 2019 21:51:05 GMT) (full text, mbox, link).
Message #55 received at 644169-close@bugs.debian.org (full text, mbox, reply):
Source: libapache2-mod-perl2
Source-Version: 2.0.10-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
libapache2-mod-perl2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 644169@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libapache2-mod-perl2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 01 Jan 2019 14:04:06 +0000
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: all amd64 source
Version: 2.0.10-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 644169
Description:
libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
libapache2-mod-perl2 - Integration of perl with the Apache2 web server
Changes:
libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium
.
* [SECURITY] CVE-2011-2767: don't allow <Perl> sections in
user controlled configuration (Closes: #644169)
Checksums-Sha1:
00ee0f20cb54a5f7e5a472937af4be65eb56c49e 2717 libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
61b5b0fe4449440258ad45dee6efa0e2264a9701 3846211 libapache2-mod-perl2_2.0.10.orig.tar.gz
80de12bb4fc36551aae9d44ff679bc5dabe8c93e 27516 libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
fa383a06e1698eb635f563d00b14bd4cb5b8d78f 8059 libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
84faae68dd154b0736901b931bc509817789eb4c 3119632 libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
fe5a00d03942fabc8db59df07723f005fde747c1 86374 libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
326324061ee395911951b28b9ade6b9871bb004e 1304296 libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
860c8cb24c62366631a2fb761411ba71ee40563b 7921 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
54f9a9734dffa01ab35bae7b96d6d7511acf6de4 885802 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb
Checksums-Sha256:
78440c051fad9a998d789d2a2644d320b5873ff4875ea550edff50634d33a0d1 2717 libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
d1cf83ed4ea3a9dfceaa6d9662ff645177090749881093051020bf42f9872b64 3846211 libapache2-mod-perl2_2.0.10.orig.tar.gz
e7f2d51d90cbd4ff6de1c5d9331723da2147e19a1e56f8e4b9325b80664e5986 27516 libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
80466d60fe58466d96af266448224401646dc36911e1a4831a6ffccf85c285d8 8059 libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
0e100ab9df2da4bd8da6bf9b00a4f7c5f5a9eb1c6cfc4a3675900309457ace2a 3119632 libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
9c3689064b7b1fe85110431e03c1375f055a295ccd46aac1a55e20168306f3ee 86374 libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
28797267616b9e4c41bef0828b9c7165544d00d014ed50b6aeef4ddb40d18446 1304296 libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
9dec16ef00f606026edf818b960faaeaf460d80ce3cd1b96c3c1e72a26bcd436 7921 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
d8ddc25ce48cc96b29527b062a5a7fc0ff151830ad0252dacda61d75add9544c 885802 libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb
Files:
b22774142e3ddbe063f022d951ba11fa 2717 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1.dsc
cef55e715b5770a63b3becbe9d271121 3846211 httpd optional libapache2-mod-perl2_2.0.10.orig.tar.gz
5c52b9b5924933b711cbe5dcde310a2c 27516 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1.debian.tar.xz
cdeb2c2f135104758b0042aa55a81fd2 8059 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_source.buildinfo
7de6029f67208a0bd14aed97b5bf6b7b 3119632 debug extra libapache2-mod-perl2-dbgsym_2.0.10-2+deb9u1_amd64.deb
ddeca5e0b0de2f56838a30ee4de557bf 86374 libdevel optional libapache2-mod-perl2-dev_2.0.10-2+deb9u1_all.deb
20a85255335183ae80d685002969fca3 1304296 doc optional libapache2-mod-perl2-doc_2.0.10-2+deb9u1_all.deb
20122c3aaa6fdb51360b25640da37dce 7921 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.buildinfo
3bf34aa871a33e28254b31bd92c4c8d1 885802 httpd optional libapache2-mod-perl2_2.0.10-2+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlwrdkUNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsuvFD/oCux2Da06IHfq1sSygUYQeU0mYIN7oD1dg5uEc
ZZ6KCjGkfpjDE9S4rQyAMeyo+GABBWO9T+qo/39qNlG3UAfJf3RNdpF0N5doTUV1
kcAdCAm85HvKCd08NqCb+icRqaNZQCV72fBlgOUua0fu/vWzG20IZTqm016Eio5/
wOvCfNXj8hZmusz4RmSZHW1/dZ4eyatCv8bpBnM7m31VRkPegL5ZMFE/MFx1dKgz
LPLyQi/s3R4ajj50vHNk1nQiZSgBynDu4bNW6fJR8S3cWX8IHaBCpFkIVU6DUAb+
DQ8az5N2YhRMeq8FayO00Wa7J40fn9Norn4yyMPNl6+uhK9mPNkktho8uL/b6wS4
MhOanLNVC8VEqHXbl7uxAvHHGVHJHCTmuLtcFPNJvuwLxQXeN6Dq2vz9kFFkyyWZ
yd8NiTqsKF6ClDRSRmUBQnr6gUmzqesMlxd4iSiYXIuDQ+eORRW3LXJQVs3PHZwB
g8UBVL5AxMrDhJVD4TCpPOk8vl3NUPuDM5Hj7TPh0FZDCtzlZ/ozky9pjLIM+iN9
rK90WyuuHIFLimq7RTDFb8hgZ8vchCnR8tz7aE9G8zQ4SN3hdfgpaFeJnST81Akv
iJuwSgu0tbUdfdQgar671pS3EFb35+fyDL4SHprJAKgUBrsP4SAnLyCFM4tSFXkE
KsQCHA==
=n/f5
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Wed, 05 Jun 2019 08:19:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:40:50 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.