libapr1: last security update introduces a infinite loop condition

Related Vulnerabilities: CVE-2011-0419   CVE-2011-1928  

Debian Bug report logs - #627182
libapr1: last security update introduces a infinite loop condition


Reported by: Tanguy Ortolo <tanguy+debian@ortolo.eu>

Date: Wed, 18 May 2011 13:27:01 UTC

Severity: grave

Tags: upstream

Found in versions apr/1.4.4-1, apr/1.4.2-6+squeeze1, 1.2.12-5+lenny3

Fixed in versions apr/1.4.2-6+squeeze2, apr/1.4.5-1

Done: Stefan Fritsch <sf@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/bugzilla/show_bug.cgi?id=51219



Report forwarded to debian-bugs-dist@lists.debian.org, christian.roue@neolane.com, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#627182; Package libapr1. (Wed, 18 May 2011 13:27:04 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
New Bug report received and forwarded. Copy sent to christian.roue@neolane.com, Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 18 May 2011 13:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapr1: last security update introduces a infinite loop condition
Date: Wed, 18 May 2011 15:25:16 +0200
Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream

Hello,

We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3)
causes apr_fnmatch to enter an infinite loop, on particular patterns.

For instance, with the following configuration directive:
    <Location "/*/WEB-INF/">
        deny from all
    </Location> 
if someone visits any URL, an apache2 thread will start consuming 100% CPU.

This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.

Regards,

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6                         2.13-4     Embedded GNU C Library: Shared lib
ii  libuuid1                      2.17.2-9.1 Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information
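
An audit sketch for the condition described in the report above, added here as an example and not code from the reporter or the APR project: it checks a version string against this bug's "Found in" versions and lists `<Location>`-style sections whose argument contains `*`. A wildcard is only a candidate for review, since the report says "particular patterns" without defining them; the function names and the inclusion of `<Directory>` and `<Files>` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the bug log. The sample config is constructed.
# True if VERSION is one of the libapr1 versions this report lists as "Found in".
apr_version_affected() {
    case "$1" in
        1.4.4-1|1.4.2-6+squeeze1|1.2.12-5+lenny3) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "file:line: <tag>" for each non-regex <Location>, <Directory> or <Files>
# opener whose argument contains "*". Covering Directory and Files as well as
# Location is an assumption of this example; the report only shows Location.
find_wildcard_sections() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            line = tolower($0)                     # directive names are case-insensitive
            if (!match(line, /^[ \t]*<(location|directory|files)[ \t]+[^>]*>/)) next
            tag = substr($0, RSTART, RLENGTH)      # original case for the report
            sub(/^[ \t]*/, "", tag)
            arg = tag
            sub(/^<[A-Za-z]+[ \t]+/, "", arg)      # strip the directive name
            if (arg ~ /^~/) next                   # "~" form is a regex, not a glob
            if (index(arg, "*")) printf "%s:%d: %s\n", FILENAME, FNR, tag
        }
    ' "$@"
}

# Constructed sample: the wildcard Location from the report, a regex section
# and a commented-out directive (the last two are ignored).
write_sample_conf() {
    cat > "$1" <<'EOF'
<Location "/*/WEB-INF/">
    deny from all
</Location>
<LocationMatch "^/.*/private/">
    deny from all
</LocationMatch>
# <Directory "/srv/*/tmp">
EOF
}

# Usage: sh apr-audit.sh /etc/apache2/apache2.conf [more config files]
if [ "$#" -gt 0 ]; then
    ver=$(dpkg-query -W -f='${Version}\n' libapr1 2>/dev/null | head -n 1)
    apr_version_affected "$ver" && echo "libapr1 $ver: listed as affected in this report"
    find_wildcard_sections "$@"
fi
```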

Set Bug forwarded-to-address to 'https://issues.apache.org/bugzilla/show_bug.cgi?id=51219'. Request was from Tanguy Ortolo <tanguy+debian@ortolo.eu> to control@bugs.debian.org. (Wed, 18 May 2011 13:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#627182; Package libapr1. (Wed, 18 May 2011 13:39:03 GMT)


Acknowledgement sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Wed, 18 May 2011 13:39:03 GMT)


Message #12 received at 627182@bugs.debian.org:

From: Tanguy Ortolo <tanguy+debian@ortolo.eu>
To: 627182@bugs.debian.org, control@bugs.debian.org
Subject: Forwarded upstream
Date: Wed, 18 May 2011 15:29:28 +0200
forwarded 627182 https://issues.apache.org/bugzilla/show_bug.cgi?id=51219
thanks

In fact this bug has been reported upstream.

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

Severity set to 'grave' from 'important' Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Wed, 18 May 2011 20:15:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>:
Bug#627182; Package libapr1. (Fri, 20 May 2011 07:42:10 GMT)


Acknowledgement sent to Roberto <giaffy@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Fri, 20 May 2011 07:42:10 GMT)


Message #19 received at 627182@bugs.debian.org:

From: Roberto <giaffy@gmail.com>
To: 627182@bugs.debian.org
Subject: libapr1: last security update introduces a infinite loop condition
Date: Fri, 20 May 2011 09:36:22 +0200
Date: 2011 05 20

Hi,
I can confirm the same problem on our prod server after upgrade to
libapr1-1.2.12-5+lenny3:
the problem is triggered by some configuration directive in apache.conf;

package details:
ii  apache2                    2.2.9-10+lenny9       Apache HTTP Server metapackage
ii  apache2-mpm-prefork        2.2.9-10+lenny9       Apache HTTP Server - traditional non-threade
ii  apache2-utils              2.2.9-10+lenny9       utility programs for webservers
ii  apache2.2-common           2.2.9-10+lenny9       Apache HTTP Server common files
ii  libapache2-mod-auth-pgsql  2.0.3-5               Module for Apache2 which provides pgsql auth
ii  libapr1                    1.2.12-5+lenny3       The Apache Portable Runtime Library
ii  libaprutil1                1.2.12+dfsg-8+lenny5  The Apache Portable Runtime Utility Library

O.S.: Linux i686 GNU/Linux

I have also some GDB debug if someone is interested: it shows an
application loop in the apr_fnmatch() function
(I can provide the full debug session if someone asks for it):

    Breakpoint 1, apr_fnmatch (pattern=0x9b0e7c0 "/somestring/*/*/*/*/other_string/", string=0x9b5a5a0 "/somestring", flags=2)


Thanks
Roby




Bug No longer marked as found in versions apr/1.4.2-8. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 08:06:09 GMT)


Bug Marked as found in versions apr/1.4.4-1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 08:06:10 GMT)


Bug Marked as found in versions 1.2.12-5+lenny3. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 08:06:10 GMT)


Bug Marked as found in versions apr/1.4.2-6+squeeze1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 08:06:11 GMT)


Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Sat, 21 May 2011 13:57:07 GMT)


Notification sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug acknowledged by developer. (Sat, 21 May 2011 13:57:07 GMT)


Message #32 received at 627182-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 627182-close@bugs.debian.org
Subject: Bug#627182: fixed in apr 1.4.2-6+squeeze2
Date: Sat, 21 May 2011 13:55:30 +0000
Source: apr
Source-Version: 1.4.2-6+squeeze2

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.4.2-6+squeeze2.diff.gz
  to main/a/apr/apr_1.4.2-6+squeeze2.diff.gz
apr_1.4.2-6+squeeze2.dsc
  to main/a/apr/apr_1.4.2-6+squeeze2.dsc
libapr1-dbg_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dbg_1.4.2-6+squeeze2_i386.deb
libapr1-dev_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1-dev_1.4.2-6+squeeze2_i386.deb
libapr1_1.4.2-6+squeeze2_i386.deb
  to main/a/apr/libapr1_1.4.2-6+squeeze2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 19 May 2011 07:49:05 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.2-6+squeeze2
Distribution: stable-security
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - The Apache Portable Runtime Library
 libapr1-dbg - The Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - The Apache Portable Runtime Library - Development Headers
Closes: 627182
Changes: 
 apr (1.4.2-6+squeeze2) stable-security; urgency=low
 .
   * Fix regression introduced by fix for CVE-2011-0419:
     apr_fnmatch may consume 100% CPU. CVE-2011-1928
     Closes: #627182





Reply sent to Stefan Fritsch <sf@debian.org>:
You have taken responsibility. (Sat, 21 May 2011 19:21:03 GMT)


Notification sent to Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug acknowledged by developer. (Sat, 21 May 2011 19:21:03 GMT)


Message #37 received at 627182-close@bugs.debian.org:

From: Stefan Fritsch <sf@debian.org>
To: 627182-close@bugs.debian.org
Subject: Bug#627182: fixed in apr 1.4.5-1
Date: Sat, 21 May 2011 19:17:12 +0000
Source: apr
Source-Version: 1.4.5-1

We believe that the bug you reported is fixed in the latest version of
apr, which is due to be installed in the Debian FTP archive:

apr_1.4.5-1.diff.gz
  to main/a/apr/apr_1.4.5-1.diff.gz
apr_1.4.5-1.dsc
  to main/a/apr/apr_1.4.5-1.dsc
apr_1.4.5.orig.tar.gz
  to main/a/apr/apr_1.4.5.orig.tar.gz
libapr1-dbg_1.4.5-1_i386.deb
  to main/a/apr/libapr1-dbg_1.4.5-1_i386.deb
libapr1-dev_1.4.5-1_i386.deb
  to main/a/apr/libapr1-dev_1.4.5-1_i386.deb
libapr1_1.4.5-1_i386.deb
  to main/a/apr/libapr1_1.4.5-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <sf@debian.org> (supplier of updated apr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 21 May 2011 20:49:17 +0200
Source: apr
Binary: libapr1 libapr1-dev libapr1-dbg
Architecture: source i386
Version: 1.4.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Description: 
 libapr1    - Apache Portable Runtime Library
 libapr1-dbg - Apache Portable Runtime Library - Debugging Symbols
 libapr1-dev - Apache Portable Runtime Library - Development Headers
Closes: 627182 627532
Changes: 
 apr (1.4.5-1) unstable; urgency=high
 .
   * New upstream version:
     - Fix regression introduced by fix for CVE-2011-0419: apr_fnmatch may
       consume 100% CPU. CVE-2011-1928. Closes: #627182
   * Fix allocator using mmap crashing on non-4k-page platforms. Thanks to
     Lifeng Sun for the patch. Closes: #627532





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Jun 2011 07:35:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:45:49 2019; Machine Name: buxtehude
