Ubuntu
apache2 package

Apache 2.4.41 corrupts files from samba share

Bug #1930921 reported by Fabian on 2021-06-04

258

This bug affects 1 person

	Status	Importance	Assigned to
Debian	Fix Released	Unknown	debbugs #900821
apache2 (Ubuntu)	Invalid	Undecided	Unassigned
linux (Ubuntu)	Triaged	Undecided	Unassigned
samba (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

Wenn I serve a samba share with apache 2.4.41 on Ubuntu 20.04 then some files have a corrupt header during transmission. It seems that the first few bytes of the headers are truncated and sometimes other bytes of the download are not belonging to the file.

A workaround I found that works is to set "EnableMMAP Off" in the apache config.

See other bug reports like this:

https://serverfault.com/questions/1044724/apache2-sends-corrupt-responses-when-using-a-cifs-share
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821

This is most probably not a bug in Ubuntu itself but I am reporting it here since I assume that a data corruption bug is seen as critical.

I am also marking it as a security vulnerability since it seems that wrong parts of memory get exposed during file download. I don't know how random the exposed memory is and if it potentially could expose e.g. secrets.
Please feel free to remove the security vulnerability flag if your assessment leads to a different conclusion.

CVE References

2022-0847

Revision history for this message

Fabian (fsturm) wrote on 2021-06-04:

Corrupt header of apache response Edit (36.8 KiB, image/png)

Seth Arnold (seth-arnold) on 2021-06-04

information type:

Private Security → Public Security

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2021-06-04:

I've added a few more packages to the bug; nothing in the various links suggested to me that anyone has yet identified where the fault lies.

Thanks

Revision history for this message

Robie Basak (racb) wrote on 2021-06-07:

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I'll leave any security assessment and security-based prioritisation for the security team.

From a non-security perspective, I think this is of low priority since it only affects an unusual end-user configuration that is likely to affect only a very small minority of users. Feel free to continue to use this bug to track the problem, but I do not expect anyone else to spend time looking into this soon.

Steve Beattie (sbeattie) on 2021-06-08

Changed in apache2 (Ubuntu):
status:	New → Confirmed
Changed in samba (Ubuntu):
status:	New → Confirmed
Changed in linux (Ubuntu):
status:	New → Confirmed

Revision history for this message

Lena Voytek (lvoytek) wrote on 2022-03-02:

Looking into the Debian report it seems that this issue can be reproduced without apache2. Users have reported being able to reproduce with "Nextcloud PHP on nginx." I will set the apache2 part of this issue as incomplete for now because it does not seem to be the main cause.

Changed in apache2 (Ubuntu):
status:	Confirmed → Incomplete

Bug Watch Updater (bug-watch-updater) on 2022-03-02

Changed in debian:
status:	Unknown → Confirmed

Revision history for this message

Paride Legovini (paride) wrote on 2022-03-09:

Maybe it's completely unrelated, but this rings a bell for me:

https://dirtypipe.cm4all.com/

I think it's worth trying with an updated kernel, see

https://ubuntu.com/security/CVE-2022-0847

for the status of the fix in Ubuntu.

Paride Legovini (paride) on 2022-03-15

Changed in linux (Ubuntu):
status:	Confirmed → Incomplete
Changed in samba (Ubuntu):
status:	Confirmed → Incomplete

Bug Watch Updater (bug-watch-updater) on 2022-12-19

Changed in debian:
status:	Confirmed → Fix Released

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2023-01-03:

According to the Debian bug this seems to be a bug in linux and not in samba and apache2.

Changed in apache2 (Ubuntu):
status:	Incomplete → Invalid
Changed in samba (Ubuntu):
status:	Incomplete → Invalid
Changed in linux (Ubuntu):
status:	Incomplete → Triaged