Bug 112216 - 4097+ bytes of stderr from cgi script causes script to hang
Summary: 4097+ bytes of stderr from cgi script causes script to hang
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd (Show other bugs)
(Show other bugs)
Version: 3.0
Hardware: All Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL: http://issues.apache.org/bugzilla/sho...
Depends On:
TreeView+ depends on / blocked
Reported: 2003-12-16 11:02 UTC by Nic Doye
Modified: 2007-11-30 22:06 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-09-01 18:55:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:349 normal SHIPPED_LIVE Important: httpd security update 2004-09-01 04:00:00 UTC

Description Nic Doye 2003-12-16 11:02:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
This is a known bug in apache which hasn't been fixed and is causing
us some problems in upgrading to RHEL 3.


If 4097+ bytes are printed to STDERR, the cgi script returns no more
data to the user at this point. Thus making CGI unreliable under
Apache 2 (especially when you throw in noisy modules like the Red Hat
supplied version of Date::Manip - see bug
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111369 ).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Put the following script in your ScriptAlias'ed directory (e.g.
/var/www/cgi-bin ) with the correct permissions. (Script stolen from
apache bugzilla).

# 24x170 = 4080 bytes to stderr
foreach my $x (1..24) {
  print STDERR 'X' x 169 . "\n";
# + 17 more bytes, putting us at 4097
# Delete one char from the print below to make
# it work again
print STDERR "0123456789ABCDEF\n";
# Our actual script output, which never comes
print "Content-type: text/plain\n\nASDF\n";

2. visit cgi-script with browser.

Actual Results:  No data ever returned. Browser sits there with
throbber spinning endlessly.

Expected Results:  ASDF returned as text to browser.

Additional info:

Comment 1 Joe Orton 2004-01-07 15:58:25 UTC
Thanks for the report: we're aware of and are tracking this issue.  

Comment 2 Nic Doye 2004-01-09 15:37:15 UTC
I notice that it is fixed in httpd-2.0.48-1.2 on Fedora Core 1.

When I say "fixed" I mean that I tested the simple perl script above.

(I don't remember testing on the previous RPM).

Can that change be merged into the RHEL 3 package?

Comment 3 Joe Orton 2004-01-09 15:41:45 UTC
The issue is not fixed in the FC1 update, unfortunately; did you test
the right version of the script?

Comment 4 Nic Doye 2004-01-09 16:07:24 UTC
You're right. I'm an idiot.

Sorry about that.

Comment 5 nathan r. hruby 2004-03-10 14:41:02 UTC
Here we are three months later.  Any word on this getting fixed before

I do consider this buglet to be a local DoS, and it really does need
to be fixed.


Comment 6 nathan r. hruby 2004-03-10 15:15:34 UTC
Ok, after reading the upstream bugzilla entry about this, it appears
there isn't a fix, eventhough Mandrake seems to have released eratta
with fix about it....

Anyone know what Mandrake did?  Incorperate Jeff Trawic's fixes to

Comment 7 Joe Orton 2004-03-10 16:54:15 UTC
Mandrake briefly issued patches with Jeff's patches to mod_cgi, but
later retracted them since they aren't production-ready yet.

(It's a large stretch of the imagination to call this a DoS: if you
run a malicious CGI script, it blocking on a write() call to a pipe is
the least of your worries!)

I'll prioritize this issue for RHEL4.

Comment 8 Joe Orton 2004-04-16 07:55:52 UTC
Experimental updates for RHEL3 are now ready for testing which include
a fix for this issue:


Please post any results from testing, failure or success, to this bug

Comment 10 Joe Orton 2004-07-13 15:33:39 UTC
The fix for this issue are due to be included in RHEL3 U3.

Comment 11 Josh Bressers 2004-09-01 18:55:39 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.