Re: New worm segfaults apache

From: Marc Slemko (marcs@znep.com)
Date: 09/21/01


Date: Thu, 20 Sep 2001 21:12:05 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
To: "'incidents@securityfocus.com '" <incidents@securityfocus.com>
Subject: Re: New worm segfaults apache
Message-ID: <Pine.BSF.4.20.0109202109250.8992-100000@alive.znep.com>

One possible reason for Apache segfaulting when hit by this worm in some
configurations is addressed in the below patch that has been committed to
the 1.3 tree.

This does not represent a security problem, just a good old normal bug.
A very mild DoS potential, but that is Very with a capital V.

dgaudet 01/09/20 20:51:54

  Modified: src CHANGES
               src/include httpd.h
               src/modules/standard mod_include.c
  Log:
  ErrorDocument 404 pointing to a parsed html file with a
  <!--#include virtual="file" --> with a request URI containing
  %2f would result in a segfault (NULL pointer deref, not a
  security problem).
  
  PR: 8362
  
  Revision Changes Path
  1.1708 +5 -0 apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1707
  retrieving revision 1.1708
  diff -u -r1.1707 -r1.1708
  --- CHANGES 2001/09/12 15:16:41 1.1707
  +++ CHANGES 2001/09/21 03:51:53 1.1708
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.21
   
  + *) ErrorDocument 404 pointing to a parsed html file with a
  + <!--#include virtual="file" --> with a request URI containing
  + %2f would result in a segfault (NULL pointer deref, not a
  + security problem). [Jeff Moe <tux@themoes.org>, Dean Gaudet] PR#8362
  +
     *) UnsetEnv from main body of httpd.conf file didn't work; backport
        of bugfix from 2.0 codebase. [Gary Benson <gbenson@redhat.com>] PR#8254
   
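Review bot: the entry describes the symptom (segfault on a %2f request URI through an ErrorDocument 404 with include virtual) but not what was changed; consider adding that the duplicate-include check in mod_include.c now tolerates a NULL request filename, so someone scanning CHANGES for this PR knows which code path moved.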
  
  
  
  1.345 +1 -1 apache-1.3/src/include/httpd.h
  
  Index: httpd.h
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/include/httpd.h,v
  retrieving revision 1.344
  retrieving revision 1.345
  diff -u -r1.344 -r1.345
  --- httpd.h 2001/08/13 17:09:42 1.344
  +++ httpd.h 2001/09/21 03:51:54 1.345
  @@ -806,7 +806,7 @@
   
       char *unparsed_uri; /* the uri without any parsing performed */
       char *uri; /* the path portion of the URI */
  - char *filename;
  + char *filename; /* filename if found, otherwise NULL */
       char *path_info;
       char *args; /* QUERY_ARGS, if any */
       struct stat finfo; /* ST_MODE set to zero if no such file */
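Review bot: the new comment on `filename` correctly documents that the field may be NULL, but this hunk is documentation only; the request that leaves `filename` unset is not changed, so every other place that hands r->filename straight to strcmp()/strlen() needs the same NULL check as the mod_include.c hunk in this commit. Worth an audit of the other users of this field before the 1.3.21 release rather than fixing them one PR at a time.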
  
  
  
  1.130 +1 -1 apache-1.3/src/modules/standard/mod_include.c
  
  Index: mod_include.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
  retrieving revision 1.129
  retrieving revision 1.130
  diff -u -r1.129 -r1.130
  --- mod_include.c 2001/07/13 19:45:52 1.129
  +++ mod_include.c 2001/09/21 03:51:54 1.130
  @@ -718,7 +718,7 @@
                   for (p = r; p != NULL && !founddupe; p = p->main) {
                       request_rec *q;
                       for (q = p; q != NULL; q = q->prev) {
  - if ( (strcmp(q->filename, rr->filename) == 0) ||
  + if ( (q->filename && strcmp(q->filename, rr->filename) == 0) ||
                                (strcmp(q->uri, rr->uri) == 0) ){
                               founddupe = 1;
                               break;
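Review bot: the guard covers only the left operand; `rr->filename` (the sub-request's filename on the right of the strcmp) is also a request_rec `filename`, which httpd.h now states may be NULL, so a sub-request whose lookup failed would still dereference NULL here. Suggest `if ( (q->filename && rr->filename && strcmp(q->filename, rr->filename) == 0) ||`. The `q->uri` comparison on the following line stays unguarded; if `uri` is guaranteed set for every request_rec in the p->main / q->prev chain, a one-line comment saying so would save the next reader the same question.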
  
  
  

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
