Uploads greater than 64 kilobytes corrupted when using Apache mod_fcgid

Bug #573591 reported by Ian Justman on 2010-05-02
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Apache 2 mod_fcgid
Fix Released
libapache2-mod-fcgid (Debian)
Fix Released
libapache2-mod-fcgid (Ubuntu)

Bug Description

Binary package hint: php5

I run a Mediawiki server which I just recently upgraded to Lucid Lynx. My wiki's users originally reported issues with uploading PNGs, but further testing on the actual server along with a VM show that it is not MediaWiki itself that is doing this but PHP. Using a very simple HTML and PHP script setup, I uploaded several files, mainly images but I also uploaded .ZIP files as well. Under PHP 5.3.2 even using either my full live system or a very basic setup*, all files greater than 64 kilobytes were corrupted at about the 64 kilobyte mark. The amount of corrupted data varies but it doesn't appear to be more than about 32 kilobytes.

However, in stark contrast, PHP 5.2.10 in Karmic Koala running in another VM works just fine using the exact same "very basic setup".

Both of these setups are running x86-64 installs. I have yet to try x86-32 installs.

This might be an upstream issue in PHP 5.3.2 since they ditch mime_magic in favor of fileinfo, so I am going to test this in other distributions, notably Debian.


Testcase to reproduce the bug:

- install the following packages: php5-cgi apache2-mpm-worker libapache2-mod-fcgid
- download the testcase from comment #13: http://launchpadlibrarian.net/48980040/modfcgid_testcase.tar.gz
- extract it to /
- execute the command: sudo chown -R www-data:www-data /var/www && sudo service apache2 restart
- go to http://localhost/upload.html and upload a file that is larger than 64KB
- compare the md5sum of the original file with the uploaded file in /var/www/upload/, if they match the bug is fixed

Ian Justman (ianj) wrote :

Actually, as it turns out, it's more an Apache problem than a PHP problem. I tried to downgrade PHP, but it turns out that it won't work. Instead, I brought PHP to Lucid's level, but installed Apache from Karmic, and that solved the problem. At this point, I suspect that I might have a buggered config, or there may be a bug in Apache that needs addressing.

I'm having the same problem here with SquirrelMail. The update to lucid buggerd the uploads.

I tried downgrading Apache2 to:

ii apache2 2.2.12-1ubuntu2.2 Apache HTTP Server metapackage
ii apache2-mpm-worker 2.2.12-1ubuntu2.2 Apache HTTP Server - high speed threaded mod
ii apache2-threaded-dev 2.2.12-1ubuntu2.2 Apache development headers - threaded MPM
ii apache2-utils 2.2.12-1ubuntu2.2 utility programs for webservers
ii apache2.2-bin 2.2.12-1ubuntu2.2 Apache HTTP Server common binary files
ii apache2.2-common 2.2.12-1ubuntu2.2 Apache HTTP Server common files

but that wouldn't help.

I found the culprit!

I downgrade apache2 (see above), to no avail
I downgrade php5 and all module (a lot of work), to no avail

I downgraded libapache2-mod-fcgid from 1:2.3.4-2 to 1:2.2-1 and it would work again!

Ondřej Surý (ondrej) on 2010-05-03
affects: php5 (Ubuntu) → libapache2-mod-fcgid (Ubuntu)
Changed in libapache2-mod-fcgid (Debian):
status: Unknown → Fix Committed

Sorry for asking, but I tried downgrading in Ubuntu Lucid 10.04 LTS and I'm getting a message which says "E: Version '1:2.2-1' for 'libapache2-mod-fcgid' was not found":

webappz@drupal:~$ sudo apt-get install libapache2-mod-fcgid=1:2.2-1
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '1:2.2-1' for 'libapache2-mod-fcgid' was not found

Ps: I did try removing it first too, but made no difference.
webappz@drupal:~$ sudo apt-get remove libapache2-mod-fcgid

I thought that was the way for installing a specific version, am I doing it wrong?

Posted detailed instructions for downgrading on my blog at http://www.socinfo.com/ubuntu/php/fcgid/bug-fix-corrupt-files-upload

Short Summary here:

    * First, download a trusted version of libapache2-mod-fcgid to 1:2.2-1 from http://packages.ubuntu.com/karmic/libapache2-mod-fcgid . In my case, running Ubuntu 64bit being in Singapore now, the closest mirror was Korea, so I did:

      wget http://kr.archive.ubuntu.com/ubuntu/pool/universe/liba/libapache2-mod-fcgid/libapache2-mod-fcgid_2.2-1_amd64.deb

    * Then install it with:

      sudo dpkg -i libapache2-mod-fcgid_2.2-1_amd64.deb

    * Finally, you need to "hold" this version so that it is not upgraded later on any maintenance process or update you do:

      sudo -s
      echo libapache2-mod-fcgid hold | dpkg --set-selections

That's it. You can reload Apache and restart Apache:

sudo etc/init.d/apache2 reload
sudo apache2ctl graceful

You can see the actual version of libapache2-mod-fcgid installed by typing:

sudo dpkg -s libapache2-mod-fcgid

And you can test that it remains even do an upgrade and then test if the version remains. You will see a notice when doing the upgrade that this package will be ignored.

sudo apt-get update
sudo apt-get upgrade
sudo dpkg -s libapache2-mod-fcgid

Felix Geyer (debfx) wrote :

If you have downgraded PHP or Apache please install the most up-to-date version again.
This is a bug in mod_fcgid.

I uploaded a package to my PPA that contains a backport of the upstream fix:

Please test the package by downloading libapache2-mod-fcgid_2.3.4-2ubuntu1_i386.deb or libapache2-mod-fcgid_2.3.4-2ubuntu1_amd64.deb depending on your architecture (run "dpkg-architecture -qDEB_HOST_ARCH" if you are unsure).

After downloading you can install the packages by running:
sudo dpkg -i <filename>

Changed in libapache2-mod-fcgid (Ubuntu):
status: New → Confirmed
Ian Justman (ianj) wrote :

A belated update, once I noticed the messages saying that it's a mod_fcgid bug, I went ahead and upgraded everything but that, keeping mod_fcgid at Karmic's level. Machine's purring along now and no complaints. There are unrelated issues, but this particular problem is solved until the Debian fix finds its way into the Ubuntu .debs.

Felix Geyer (debfx) wrote :

Does it still work when you upgrade from the karmic package to the testing package I posted?

Ian Justman (ianj) wrote :

I just built the new version of that package. It works perfectly. To be safe, I ran MD5s on an FTP-uploaded copy versus the HTTP/PHP5-uploaded copy of the file. They match perfectly.

Felix Geyer (debfx) on 2010-05-16
Changed in libapache2-mod-fcgid (Ubuntu):
status: Confirmed → Fix Released
Felix Geyer (debfx) wrote :

I marked this as Fix Released because version 2.3.5 is in maverick and nominated it for Lucid.

File uploads work for me too with this patch so I'm requesting a SRU:

libapache2-mod-fcgid (1:2.3.4-2ubuntu0.1) lucid-proposed; urgency=low

  * Add 30_fix-request-body-truncation.dpatch to fix corruption of requests
    that exceed the FcgidMaxRequestInMem size. (LP: #573591)

 -- Felix Geyer <email address hidden> Sun, 16 May 2010 13:07:54 +0200

Felix Geyer (debfx) on 2010-05-23
summary: - Uploads greater than 64 kilobytes corrupted under PHP 5.3.2
+ Uploads greater than 64 kilobytes corrupted when using Apache mod_fcgid
Felix Geyer (debfx) wrote :

Attaching a new testcase that doesn't need suexec.

Felix Geyer (debfx) on 2010-05-23
description: updated

Uploaded to the lucid-proposed queue; awaiting ubuntu-sru approval.

Accepted libapache2-mod-fcgid into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in libapache2-mod-fcgid (Ubuntu Lucid):
status: New → Fix Committed
tags: added: verification-needed
Bruce (bruce-blackpage) wrote :

I just upgraded libapache2-mod-fcgid from lucid-proposed and file upload seems to be ok, I don't have uploaded images corrupted anymore.

Paul Elliott (omahn) on 2010-06-03
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-fcgid - 1:2.3.4-2ubuntu0.1

libapache2-mod-fcgid (1:2.3.4-2ubuntu0.1) lucid-proposed; urgency=low

  * Add 30_fix-request-body-truncation.dpatch to fix corruption of requests
    that exceed the FcgidMaxRequestInMem size. (LP: #573591)
 -- Felix Geyer <email address hidden> Sun, 16 May 2010 13:07:54 +0200

Changed in libapache2-mod-fcgid (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mod-fcgid:
status: Unknown → Fix Released
Changed in libapache2-mod-fcgid (Debian):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.