Bug 112216

Summary: 4097+ bytes of stderr from cgi script causes script to hang
Product: Red Hat Enterprise Linux 3
Component: httpd
Version: 3.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Nic Doye <nic>
Assignee: Joe Orton <jorton>
CC: chrismcc, nhruby, perisse, tao
URL: http://issues.apache.org/bugzilla/show_bug.cgi?id=22030
Doc Type: Bug Fix
Last Closed: 2004-09-01 18:55:38 UTC

Description Nic Doye 2003-12-16 11:02:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
This is a known bug in apache which hasn't been fixed and is causing
us some problems in upgrading to RHEL 3.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 

If 4097+ bytes are printed to STDERR, the cgi script returns no more
data to the user at this point, thus making CGI unreliable under
Apache 2 (especially when you throw in noisy modules like the Red Hat
supplied version of Date::Manip - see bug
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111369 ).

Version-Release number of selected component (if applicable):
httpd-2.0.46-25.ent

How reproducible:
Always

Steps to Reproduce:
1. Put the following script in your ScriptAlias'ed directory (e.g.
/var/www/cgi-bin ) with the correct permissions. (Script stolen from
apache bugzilla).

#!/usr/bin/perl
# 24x170 = 4080 bytes to stderr
foreach my $x (1..24) {
  print STDERR 'X' x 169 . "\n";
}
# + 17 more bytes, putting us at 4097
# Delete one char from the print below to make
# it work again
print STDERR "0123456789ABCDEF\n";
# Our actual script output, which never comes
print "Content-type: text/plain\n\nASDF\n";

2. visit cgi-script with browser.

Actual Results:  No data ever returned. Browser sits there with
throbber spinning endlessly.

Expected Results:  ASDF returned as text to browser.

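The mechanism behind the reproducer above is a pipe deadlock: mod_cgi in the affected httpd consumed the script's stdout before it drained stderr, so once the script had filled the stderr pipe (one 4 KiB page on the 2.4 kernels RHEL 3 shipped, hence "4097+") it blocked in write(2) and never reached its print to stdout, while httpd sat waiting for stdout. The Python below is an added example, not code from this bug report or from Apache: it uses a constructed stand-in for the Perl CGI script and shows the failing "read stdout first" pattern next to the usual remedy, servicing both pipes concurrently with select(2). The names CHILD_SRC, read_stdout_first and read_both are this example's own. Because modern Linux pipes hold 64 KiB (since 2.6.11), the example writes 1 MiB to stderr so that it blocks on any kernel, not just the 4097 bytes from the report.

```python
import os
import select
import subprocess
import sys

# Constructed stand-in for the CGI script in the bug report (not the Perl
# reproducer itself): write N bytes to stderr first, then the HTTP response
# to stdout, in the same order the Perl script does.
CHILD_SRC = r"""
import sys
n = int(sys.argv[1])
sys.stderr.buffer.write(b"X" * n)      # the "noisy module" output
sys.stderr.buffer.flush()
sys.stdout.buffer.write(b"Content-type: text/plain\n\nASDF\n")
sys.stdout.buffer.flush()
"""

RESPONSE = b"Content-type: text/plain\n\nASDF\n"

# Well above any default Linux pipe capacity: 4 KiB on the 2.4 kernels RHEL 3
# shipped, 64 KiB since 2.6.11. The 4097 in the bug title is the 2.4 figure + 1.
BIG = 1 << 20
SMALL = 4000


def spawn(stderr_bytes):
    """Start the child with stdout and stderr on separate pipes, as mod_cgi does."""
    return subprocess.Popen(
        [sys.executable, "-c", CHILD_SRC, str(stderr_bytes)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )


def _abort(p):
    p.kill()
    p.wait()
    p.stdout.close()
    p.stderr.close()


def read_stdout_first(stderr_bytes, timeout=2.0):
    """The failing pattern: wait for the script's stdout before touching stderr.

    Returns the stdout bytes, or None if nothing arrived within `timeout`,
    which is what happens once the child has filled the stderr pipe and is
    blocked in write(2) before it ever reaches its print to stdout.
    """
    p = spawn(stderr_bytes)
    ready, _, _ = select.select([p.stdout], [], [], timeout)
    if not ready:
        _abort(p)                # hung: the "throbber spinning endlessly" case
        return None
    out = p.stdout.read()        # EOF only after the child exits
    p.stderr.read()              # stderr is drained too late to matter
    p.wait()
    p.stdout.close()
    p.stderr.close()
    return out


def read_both(stderr_bytes, timeout=5.0):
    """The remedy: service stdout and stderr concurrently with select(2), so the
    child can never fill one pipe while the parent waits on the other.
    Returns (stdout_bytes, number_of_stderr_bytes_drained)."""
    p = spawn(stderr_bytes)
    out_fd, err_fd = p.stdout.fileno(), p.stderr.fileno()
    bufs = {out_fd: bytearray(), err_fd: bytearray()}
    pending = set(bufs)
    while pending:
        ready, _, _ = select.select(list(pending), [], [], timeout)
        if not ready:
            _abort(p)
            raise TimeoutError("child produced no data within %.1fs" % timeout)
        for fd in ready:
            chunk = os.read(fd, 65536)
            if chunk:
                bufs[fd] += chunk
            else:                # EOF: the child closed this end
                pending.discard(fd)
    p.wait()
    out, err_len = bytes(bufs[out_fd]), len(bufs[err_fd])
    p.stdout.close()
    p.stderr.close()
    return out, err_len


if __name__ == "__main__":
    print("small stderr, stdout-first reader:", read_stdout_first(SMALL))
    print("large stderr, stdout-first reader:", read_stdout_first(BIG))
    out, n = read_both(BIG)
    print("large stderr, concurrent reader: %r after draining %d stderr bytes" % (out, n))
```

The first call returns the response, the second times out and returns None even though the child is perfectly healthy, and the third returns the response after draining all of stderr; the only difference between the last two is whether the parent is prepared to read either pipe whenever the child writes to it.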
Comment 1 Joe Orton 2004-01-07 15:58:25 UTC
Thanks for the report: we're aware of and are tracking this issue.  

Comment 2 Nic Doye 2004-01-09 15:37:15 UTC
I notice that it is fixed in httpd-2.0.48-1.2 on Fedora Core 1.

When I say "fixed" I mean that I tested the simple perl script above.

(I don't remember testing on the previous RPM).

Can that change be merged into the RHEL 3 package?

Comment 3 Joe Orton 2004-01-09 15:41:45 UTC
The issue is not fixed in the FC1 update, unfortunately; did you test
the right version of the script?

Comment 4 Nic Doye 2004-01-09 16:07:24 UTC
You're right. I'm an idiot.

Sorry about that.

Comment 5 nathan r. hruby 2004-03-10 14:41:02 UTC
Here we are three months later.  Any word on this getting fixed before
RHEL-4?

I do consider this buglet to be a local DoS, and it really does need
to be fixed.

http://www.securitytracker.com/alerts/2003/Sep/1007823.html

Comment 6 nathan r. hruby 2004-03-10 15:15:34 UTC
Ok, after reading the upstream bugzilla entry about this, it appears
there isn't a fix, even though Mandrake seems to have released errata
with a fix for it....

Anyone know what Mandrake did?  Incorporate Jeff Trawick's fixes to
mod_cgi?

Comment 7 Joe Orton 2004-03-10 16:54:15 UTC
Mandrake briefly issued patches with Jeff's patches to mod_cgi, but
later retracted them since they aren't production-ready yet.

(It's a large stretch of the imagination to call this a DoS: if you
run a malicious CGI script, it blocking on a write() call to a pipe is
the least of your worries!)

I'll prioritize this issue for RHEL4.

Comment 8 Joe Orton 2004-04-16 07:55:52 UTC
Experimental updates for RHEL3 are now ready for testing which include
a fix for this issue:

http://people.redhat.com/jorton/Taroon-httpd/

Please post any results from testing, failure or success, to this bug
report.

Comment 10 Joe Orton 2004-07-13 15:33:39 UTC
The fix for this issue is due to be included in RHEL3 U3.

Comment 11 Josh Bressers 2004-09-01 18:55:39 UTC
An erratum has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-349.html