Apache 2.4.41 corrupts files from samba share

Bug #1930921 reported by Fabian
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Debian
Confirmed
Unknown
apache2 (Ubuntu)
Incomplete
Undecided
Unassigned
linux (Ubuntu)
Incomplete
Undecided
Unassigned
samba (Ubuntu)
Incomplete
Undecided
Unassigned

Bug Description

Wenn I serve a samba share with apache 2.4.41 on Ubuntu 20.04 then some files have a corrupt header during transmission. It seems that the first few bytes of the headers are truncated and sometimes other bytes of the download are not belonging to the file.

A workaround I found that works is to set "EnableMMAP Off" in the apache config.

See other bug reports like this:

https://serverfault.com/questions/1044724/apache2-sends-corrupt-responses-when-using-a-cifs-share
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821

This is most probably not a bug in Ubuntu itself but I am reporting it here since I assume that a data corruption bug is seen as critical.

I am also marking it as a security vulnerability since it seems that wrong parts of memory get exposed during file download. I don't know how random the exposed memory is and if it potentially could expose e.g. secrets.
Please feel free to remove the security vulnerability flag if your assessment leads to a different conclusion.

CVE References

Revision history for this message
Fabian (fsturm) wrote :
information type: Private Security → Public Security
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I've added a few more packages to the bug; nothing in the various links suggested to me that anyone has yet identified where the fault lies.

Thanks

Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I'll leave any security assessment and security-based prioritisation for the security team.

From a non-security perspective, I think this is of low priority since it only affects an unusual end-user configuration that is likely to affect only a very small minority of users. Feel free to continue to use this bug to track the problem, but I do not expect anyone else to spend time looking into this soon.

Steve Beattie (sbeattie)
Changed in apache2 (Ubuntu):
status: New → Confirmed
Changed in samba (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Lena Voytek (lvoytek) wrote :

Looking into the Debian report it seems that this issue can be reproduced without apache2. Users have reported being able to reproduce with "Nextcloud PHP on nginx." I will set the apache2 part of this issue as incomplete for now because it does not seem to be the main cause.

Changed in apache2 (Ubuntu):
status: Confirmed → Incomplete
Changed in debian:
status: Unknown → Confirmed
Revision history for this message
Paride Legovini (paride) wrote :

Maybe it's completely unrelated, but this rings a bell for me:

https://dirtypipe.cm4all.com/

I think it's worth trying with an updated kernel, see

https://ubuntu.com/security/CVE-2022-0847

for the status of the fix in Ubuntu.

Paride Legovini (paride)
Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Changed in samba (Ubuntu):
status: Confirmed → Incomplete
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.