From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031114 Epiphany/1.0.4

Description of problem:
This is a known bug in apache which hasn't been fixed and is causing us some problems in upgrading to RHEL 3.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=22030

If 4097+ bytes are printed to STDERR, the cgi script returns no more data to the user at this point. Thus making CGI unreliable under Apache 2 (especially when you throw in noisy modules like the Red Hat supplied version of Date::Manip - see bug http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=111369 ).

Version-Release number of selected component (if applicable):
httpd-2.0.46-25.ent

How reproducible:
Always

Steps to Reproduce:
1. Put the following script in your ScriptAlias'ed directory (e.g. /var/www/cgi-bin ) with the correct permissions. (Script stolen from apache bugzilla).

    #!/usr/bin/perl
    # 24x170 = 4080 bytes to stderr
    foreach my $x (1..24) {
        print STDERR 'X' x 169 . "\n";
    }
    # + 17 more bytes, putting us at 4097
    # Delete one char from the print below to make
    # it work again
    print STDERR "0123456789ABCDEF\n";
    # Our actual script output, which never comes
    print "Content-type: text/plain\n\nASDF\n";

2. visit cgi-script with browser.
3.

Actual Results:
No data ever returned. Browser sits there with throbber spinning endlessly.

Expected Results:
ASDF returned as text to browser.

Additional info:
Thanks for the report: we're aware of and are tracking this issue.
I notice that it is fixed in httpd-2.0.48-1.2 on Fedora Core 1. When I say "fixed" I mean that I tested the simple perl script above. (I don't remember testing on the previous RPM). Can that change be merged into the RHEL 3 package?
The issue is not fixed in the FC1 update, unfortunately; did you test the right version of the script?
You're right. I'm an idiot. Sorry about that.
Here we are three months later. Any word on this getting fixed before RHEL-4? I do consider this buglet to be a local DoS, and it really does need to be fixed. http://www.securitytracker.com/alerts/2003/Sep/1007823.html
Ok, after reading the upstream bugzilla entry about this, it appears there isn't a fix, even though Mandrake seems to have released errata with fix about it.... Anyone know what Mandrake did? Incorporate Jeff Trawick's fixes to mod_cgi?
Mandrake briefly issued patches with Jeff's patches to mod_cgi, but later retracted them since they aren't production-ready yet. (It's a large stretch of the imagination to call this a DoS: if you run a malicious CGI script, it blocking on a write() call to a pipe is the least of your worries!) I'll prioritize this issue for RHEL4.
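A child blocks in write() when the pipe it writes to is full and nothing is reading the other end, which is the state the comment above describes. As an added example (not code from this thread or from Apache's mod_cgi), a parent that drains the child's stdout and stderr together with poll(); the function names, the constructed stand-in child and the buffer sizes are assumptions.

```c
#include <poll.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the CGI script: err_bytes of 'X' on stderr, then the body. */
static void noisy_child(size_t err_bytes) {
    char chunk[170];
    memset(chunk, 'X', sizeof chunk);
    while (err_bytes > 0) {
        size_t n = err_bytes < sizeof chunk ? err_bytes : sizeof chunk;
        if (write(STDERR_FILENO, chunk, n) < 0) _exit(1);
        err_bytes -= n;
    }
    _exit(write(STDOUT_FILENO, "ASDF\n", 5) == 5 ? 0 : 1);
}

/* Run the child and drain BOTH pipes with poll(), so a full stderr pipe cannot
 * stall stdout. Returns stdout bytes captured (at most cap), or -1 on error. */
long run_drained(size_t err_bytes, char *out, size_t cap, size_t *err_seen) {
    int po[2], pe[2];
    if (pipe(po) < 0 || pipe(pe) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: stdout/stderr become the pipes */
        dup2(po[1], STDOUT_FILENO); dup2(pe[1], STDERR_FILENO);
        close(po[0]); close(po[1]); close(pe[0]); close(pe[1]);
        noisy_child(err_bytes);
    }
    close(po[1]); close(pe[1]);          /* parent keeps only the read ends */
    struct pollfd fds[2] = {{po[0], POLLIN, 0}, {pe[0], POLLIN, 0}};
    size_t got = 0; int open_fds = 2; char buf[4096]; *err_seen = 0;
    while (open_fds > 0) {
        if (poll(fds, 2, -1) < 0) continue;          /* interrupted: retry */
        for (int i = 0; i < 2; i++) {
            if (fds[i].fd < 0 || fds[i].revents == 0) continue;
            ssize_t n = read(fds[i].fd, buf, sizeof buf);
            if (n <= 0) { close(fds[i].fd); fds[i].fd = -1; open_fds--; continue; }
            if (i == 1) { *err_seen += (size_t)n; continue; }  /* stderr: count it (a server would log it) */
            for (ssize_t j = 0; j < n && got < cap; j++) out[got++] = buf[j];
        }
    }
    waitpid(pid, NULL, 0);
    return (long)got;
}

int main(void) {   /* exit 0: body arrived despite 4097 bytes on stderr */
    char out[16]; size_t err;
    return run_drained(4097, out, sizeof out, &err) == 5 ? 0 : 1;
}
```

The 200000-byte case in the test exceeds the 64 KiB default pipe capacity of current Linux kernels, so it exercises the same full-pipe condition that 4097 bytes did in the report.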
Experimental updates for RHEL3 are now ready for testing which include a fix for this issue: http://people.redhat.com/jorton/Taroon-httpd/ Please post any results from testing, failure or success, to this bug report.
The fix for this issue is due to be included in RHEL3 U3.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-349.html