Bug 112216 - 4097+ bytes of stderr from cgi script causes script to hang
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd
Version: 3.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
http://issues.apache.org/bugzilla/sho...
Reported: 2003-12-16 06:02 EST by Nic Doye
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-09-01 14:55:38 EDT
Description Nic Doye 2003-12-16 06:02:43 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114 Epiphany/1.0.4

Description of problem:
This is a known bug in apache which hasn't been fixed and is causing
us some problems in upgrading to RHEL 3.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030 

If 4097+ bytes are printed to STDERR, the cgi script returns no more
data to the user at this point. Thus making CGI unreliable under
Apache 2 (especially when you throw in noisy modules like the Red Hat
supplied version of Date::Manip - see bug
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111369 ).

Version-Release number of selected component (if applicable):
httpd-2.0.46-25.ent

How reproducible:
Always

Steps to Reproduce:
1. Put the following script in your ScriptAlias'ed directory (e.g.
/var/www/cgi-bin ) with the correct permissions. (Script stolen from
apache bugzilla).

#!/usr/bin/perl
# 24x170 = 4080 bytes to stderr
foreach my $x (1..24) {
  print STDERR 'X' x 169 . "\n";
}
# + 17 more bytes, putting us at 4097
# Delete one char from the print below to make
# it work again
print STDERR "0123456789ABCDEF\n";
# Our actual script output, which never comes
print "Content-type: text/plain\n\nASDF\n";

2. visit cgi-script with browser.

Actual Results:  No data ever returned. Browser sits there with
throbber spinning endlessly.

Expected Results:  ASDF returned as text to browser.

Additional info:
Comment 1 Joe Orton 2004-01-07 10:58:25 EST
Thanks for the report: we're aware of and are tracking this issue.  
Comment 2 Nic Doye 2004-01-09 10:37:15 EST
I notice that it is fixed in httpd-2.0.48-1.2 on Fedora Core 1.

When I say "fixed" I mean that I tested the simple perl script above.

(I don't remember testing on the previous RPM).

Can that change be merged into the RHEL 3 package?
Comment 3 Joe Orton 2004-01-09 10:41:45 EST
The issue is not fixed in the FC1 update, unfortunately; did you test
the right version of the script?
Comment 4 Nic Doye 2004-01-09 11:07:24 EST
You're right. I'm an idiot.

Sorry about that.
Comment 5 nathan r. hruby 2004-03-10 09:41:02 EST
Here we are three months later.  Any word on this getting fixed before
RHEL-4?

I do consider this buglet to be a local DoS, and it really does need
to be fixed.

http://www.securitytracker.com/alerts/2003/Sep/1007823.html
Comment 6 nathan r. hruby 2004-03-10 10:15:34 EST
Ok, after reading the upstream bugzilla entry about this, it appears
there isn't a fix, even though Mandrake seems to have released errata
with a fix for it....

Anyone know what Mandrake did?  Incorporate Jeff Trawick's fixes to
mod_cgi?
Comment 7 Joe Orton 2004-03-10 11:54:15 EST
Mandrake briefly issued patches with Jeff's patches to mod_cgi, but
later retracted them since they aren't production-ready yet.

(It's a large stretch of the imagination to call this a DoS: if you
run a malicious CGI script, it blocking on a write() call to a pipe is
the least of your worries!)

I'll prioritize this issue for RHEL4.
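
Added example, not part of the bug thread and not httpd's code: the hang from the report, and the blocking write() on a pipe mentioned in Comment 7, reproduced between a parent and a child process in Python on a POSIX system, next to a parent that drains both pipes. The names child_cmd, read_stdout_only and read_both are hypothetical, and the stderr burst is 1 MiB rather than 4097 bytes on the assumption that the pipe buffer is larger than the one in the report.

```python
import os
import selectors
import subprocess
import sys
from subprocess import PIPE

def child_cmd(stderr_bytes):
    """Constructed stand-in for the CGI script: stderr noise, then the body."""
    code = ("import sys; sys.stderr.write('X' * %d); sys.stderr.flush(); "
            "sys.stdout.write('ASDF\\n')" % stderr_bytes)
    return [sys.executable, "-c", code]

def read_stdout_only(cmd, timeout=2.0):
    """Hang-prone parent: waits on stdout and never drains stderr.
    Returns the body, or None if the child stalled (watchdog expired)."""
    with subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE) as p:
        sel = selectors.DefaultSelector()
        sel.register(p.stdout, selectors.EVENT_READ)
        stalled = not sel.select(timeout)  # bounded stand-in for a blocking read
        sel.close()
        if stalled:
            p.kill()  # child is stuck in write(2) on the full stderr pipe
            return None
        return p.stdout.read()

def read_both(cmd):
    """Parent that multiplexes both pipes so neither can fill and block the child."""
    with subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE) as p:
        sel = selectors.DefaultSelector()
        bufs = {p.stdout: bytearray(), p.stderr: bytearray()}
        for f in bufs:
            sel.register(f, selectors.EVENT_READ)
        while sel.get_map():  # loop until both pipes have reached EOF
            for key, _ in sel.select():
                chunk = os.read(key.fd, 65536)
                if chunk:
                    bufs[key.fileobj] += chunk
                else:
                    sel.unregister(key.fileobj)
        sel.close()
        return bytes(bufs[p.stdout]), len(bufs[p.stderr])

if __name__ == "__main__":
    big = 1 << 20  # assumption: larger than the default pipe buffer
    print("small stderr, stdout only:", read_stdout_only(child_cmd(16)))
    print("large stderr, stdout only:", read_stdout_only(child_cmd(big)))
    print("large stderr, both drained:", read_both(child_cmd(big)))
```
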
Comment 8 Joe Orton 2004-04-16 03:55:52 EDT
Experimental updates for RHEL3 are now ready for testing which include
a fix for this issue:

http://people.redhat.com/jorton/Taroon-httpd/

Please post any results from testing, failure or success, to this bug
report.
Comment 10 Joe Orton 2004-07-13 11:33:39 EDT
The fix for this issue is due to be included in RHEL3 U3.
Comment 11 Josh Bressers 2004-09-01 14:55:39 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-349.html
