Bug 112216 - 4097+ bytes of stderr from cgi script causes script to hang
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
All Linux
medium Severity medium
Assigned To: Joe Orton
Reported: 2003-12-16 06:02 EST by Nic Doye
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-09-01 14:55:38 EDT

External Trackers
Tracker: Red Hat Product Errata; ID: RHSA-2004:349; Priority: normal; Status: SHIPPED_LIVE; Summary: Important: httpd security update; Last Updated: 2004-09-01 00:00:00 EDT

Description Nic Doye 2003-12-16 06:02:43 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
This is a known bug in apache which hasn't been fixed and is causing
us some problems in upgrading to RHEL 3.


If 4097+ bytes are printed to STDERR, the cgi script returns no more
data to the user at this point. Thus making CGI unreliable under
Apache 2 (especially when you throw in noisy modules like the Red Hat
supplied version of Date::Manip - see bug
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111369 ).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Put the following script in your ScriptAlias'ed directory (e.g.
/var/www/cgi-bin ) with the correct permissions. (Script stolen from
apache bugzilla).

#!/usr/bin/perl
# 24x170 = 4080 bytes to stderr
foreach my $x (1..24) {
  print STDERR 'X' x 169 . "\n";
}
# + 17 more bytes, putting us at 4097
# Delete one char from the print below to make
# it work again
print STDERR "0123456789ABCDEF\n";
# Our actual script output, which never comes
print "Content-type: text/plain\n\nASDF\n";

2. visit cgi-script with browser.

Actual Results:  No data ever returned. Browser sits there with
throbber spinning endlessly.

Expected Results:  ASDF returned as text to browser.

Additional info:

Comment 1 Joe Orton 2004-01-07 10:58:25 EST
Thanks for the report: we're aware of and are tracking this issue.

Comment 2 Nic Doye 2004-01-09 10:37:15 EST
I notice that it is fixed in httpd-2.0.48-1.2 on Fedora Core 1.

When I say "fixed" I mean that I tested the simple perl script above.

(I don't remember testing on the previous RPM).

Can that change be merged into the RHEL 3 package?

Comment 3 Joe Orton 2004-01-09 10:41:45 EST
The issue is not fixed in the FC1 update, unfortunately; did you test
the right version of the script?

Comment 4 Nic Doye 2004-01-09 11:07:24 EST
You're right. I'm an idiot.

Sorry about that.

Comment 5 nathan r. hruby 2004-03-10 09:41:02 EST
Here we are three months later.  Any word on this getting fixed before

I do consider this buglet to be a local DoS, and it really does need
to be fixed.

Comment 6 nathan r. hruby 2004-03-10 10:15:34 EST
Ok, after reading the upstream bugzilla entry about this, it appears
there isn't a fix, even though Mandrake seems to have released errata
with a fix for it....

Anyone know what Mandrake did?  Incorporate Jeff Trawick's fixes to

Comment 7 Joe Orton 2004-03-10 11:54:15 EST
Mandrake briefly issued patches with Jeff's patches to mod_cgi, but
later retracted them since they aren't production-ready yet.

(It's a large stretch of the imagination to call this a DoS: if you
run a malicious CGI script, it blocking on a write() call to a pipe is
the least of your worries!)

I'll prioritize this issue for RHEL4.
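
An added example, not part of the original thread and not httpd's code: a minimal model of the blocked write() described in the comment above, assuming a parent that reads the script's stdout pipe while leaving its stderr pipe undrained. The names `pipe_capacity` and `run_cgi`, and the Python child standing in for the reporter's Perl script, are constructed for illustration.

```python
import os, select, subprocess, sys

# Constructed stand-in for the report's Perl script: N bytes to stderr first,
# then the CGI response on stdout.
CHILD = r'''
import sys
sys.stderr.write("X" * int(sys.argv[1])); sys.stderr.flush()
sys.stdout.write("Content-type: text/plain\n\nASDF\n")
'''

def pipe_capacity():
    """Bytes a fresh pipe accepts before write() would block (EAGAIN)."""
    # Linux before 2.6.11 sized pipes at one page (4096 bytes on i386), which
    # matches the report's 4097-byte threshold; newer kernels default larger.
    r, w = os.pipe()
    os.set_blocking(w, False)
    total = 0
    try:
        while True:
            total += os.write(w, b"\0" * 4096)
    except BlockingIOError:
        return total
    finally:
        os.close(r)
        os.close(w)

def run_cgi(stderr_bytes, drain_stderr, timeout=5.0):
    """Return the script's stdout, or None if the child stalls for `timeout` s."""
    p = subprocess.Popen([sys.executable, "-c", CHILD, str(stderr_bytes)],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # drain_stderr=False models the assumed faulty parent: stderr is never read.
    watch = [p.stdout] + ([p.stderr] if drain_stderr else [])
    out = b""
    try:
        while p.stdout in watch:
            ready, _, _ = select.select(watch, [], [], timeout)
            if not ready:          # child is blocked in write() on a full stderr pipe
                return None
            for f in ready:
                chunk = os.read(f.fileno(), 65536)
                if f is p.stdout:
                    out += chunk
                if not chunk:      # EOF on this pipe
                    watch.remove(f)
        return out
    finally:
        p.kill()
        p.wait()
        p.stdout.close()
        p.stderr.close()
```

Calling `run_cgi(pipe_capacity() + 1, drain_stderr=False)` reproduces the stall one byte past the pipe's capacity, while the same call with `drain_stderr=True` returns the response because both pipes are serviced as data arrives.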

Comment 8 Joe Orton 2004-04-16 03:55:52 EDT
Experimental updates for RHEL3 are now ready for testing which include
a fix for this issue:


Please post any results from testing, failure or success, to this bug

Comment 10 Joe Orton 2004-07-13 11:33:39 EDT
The fix for this issue is due to be included in RHEL3 U3.

Comment 11 Josh Bressers 2004-09-01 14:55:39 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

