[SRU] wrong path to libxml2.so.2 in mod_security - broken by multiarch enabled libraries
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Debian) | Fix Released | Unknown | | |
| apache2 (Ubuntu) | | High | Unassigned | |
| Precise | | High | Unassigned | |
| mod-proxy-html (Ubuntu) | | Undecided | Unassigned | |
| Precise | | High | Robie Basak | |
| modsecurity-apache (Ubuntu) | | High | Unassigned | |
| Precise | | High | Robie Basak | |
Bug Description
[Impact]
The libapache2-
[Test Case]
apt-get -y install apache2 <libapache2-
This fails with the following error, although the postinst does exit 0:
Setting up libapache2-
Action 'configtest' failed.
The Apache error log may have more information.
Your apache2 configuration is broken, so we're not restarting it for you.
$ sudo apachectl configtest
apache2: Syntax error on line 210 of /etc/apache2/
Action 'configtest' failed.
The Apache error log may have more information.
Expected results:
1. The installations should succeed.
2. "sudo apachectl configtest" should return "Syntax OK" with a zero exit status.
3. "sudo grep libxml2.so.2 /proc/$(cat /run/apache2.
[Fix]
Debian has fixed this by updating apache2 to use dlopen's search path and changing mod-security.load to not use any absolute path. We have merged apache2. modsecurity-apache and mod-proxy-html have synced and I have verified that Quantal is fixed.
For the Precise SRU, it was concluded that the change to apache2 in Debian is too invasive. Instead, we have removed the LoadFile directives entirely, after ensuring that the modules do depend correctly on libxml2.so.2.
[Regression Potential]
With the new approach, apache2 does not need an update.
Previously, libapache2-
We have changed a config file, but since it is a config file, an administrator who has manually worked around the problem by changing the config file differently will be prompted and so should not get an unexpected regression.
/usr/lib/
So the area to look for regressions is in the existence of XML functionality in these two modules, but I think this change is so minimal it is very unlikely.
Original bug description:
service apache2 restart
apache2: Syntax error on line 210 of /etc/apache2/
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
in file /etc/apache2/
LoadFile /usr/lib/
correct path on x86 would be /usr/lib/
maybe a symlink could fix this issue?
Related branches
- masum chechra (community): Approve on 2016-05-08
- Chuck Short (community): Approve on 2012-05-29
- Diff: 97692 lines (+586/-96068), 68 files modified
.pc/004_usr_bin_perl_0wnz_j00/docs/cgi-examples/printenv (+0/-13)
.pc/008_make_include_safe/server/config.c (+0/-2190)
.pc/009_apache2_has_dso/support/apxs.in (+0/-768)
.pc/010_fhs_compliance/config.layout (+0/-324)
.pc/010_fhs_compliance/configure (+0/-20482)
.pc/010_fhs_compliance/configure.in (+0/-732)
.pc/010_fhs_compliance/include/ap_config_layout.h.in (+0/-64)
.pc/031_apxs2_sucks_more/support/apxs.in (+0/-769)
.pc/032_suexec_is_shared/os/unix/unixd.c (+0/-775)
.pc/033_dbm_read_hash_or_btree/support/dbmmanage.in (+0/-312)
.pc/034_apxs2_libtool_fixtastic/support/apxs.in (+0/-771)
.pc/038_no_LD_LIBRARY_PATH/support/envvars-std.in (+0/-24)
.pc/045_suexec_log_cloexec/support/suexec.c (+0/-638)
.pc/047_fix_usage_message/server/main.c (+0/-778)
.pc/052_logresolve_linelength/support/logresolve.c (+0/-387)
.pc/057_disablemods/acinclude.m4 (+0/-576)
.pc/057_disablemods/configure (+0/-20482)
.pc/058_suexec-CVE-2007-1742/support/suexec.c (+0/-636)
.pc/067_fix_segfault_in_ab/support/ab.c (+0/-2298)
.pc/071_fix_cacheenable/modules/cache/cache_util.c (+0/-917)
.pc/073_mod_dav_trunk_fixes/modules/dav/fs/lock.c (+0/-1514)
.pc/073_mod_dav_trunk_fixes/modules/dav/fs/repos.c (+0/-2167)
.pc/073_mod_dav_trunk_fixes/modules/dav/main/mod_dav.c (+0/-4869)
.pc/074_link_support_progs_with_lcrypt/configure (+0/-20486)
.pc/074_link_support_progs_with_lcrypt/support/config.m4 (+0/-140)
.pc/075_mod_rewrite_literal_ipv6_redirect/modules/mappers/mod_rewrite.c (+0/-4940)
.pc/076_apxs2_a2enmod/support/apxs.in (+0/-771)
.pc/077_CacheIgnoreURLSessionIdentifiers/modules/cache/cache_storage.c (+0/-558)
.pc/079_polish_translation/docs/error/HTTP_NOT_FOUND.html.var (+0/-444)
.pc/082_ab_num_requests/support/ab.c (+0/-2297)
.pc/201_build_suexec-custom/Makefile.in (+0/-233)
.pc/201_build_suexec-custom/support/Makefile.in (+0/-72)
.pc/applied-patches (+0/-25)
Makefile.in (+1/-1)
acinclude.m4 (+8/-13)
config.guess (+0/-1500)
config.layout (+3/-3)
config.sub (+0/-1608)
configure (+14/-18)
configure.in (+3/-3)
debian/changelog (+44/-2)
debian/config-dir/sites-available/default (+0/-10)
debian/config-dir/sites-available/default-ssl (+0/-9)
debian/control (+2/-3)
debian/gbp.conf (+3/-0)
debian/patches/083_dlopen_search_path (+145/-0)
debian/patches/series (+1/-0)
debian/rules (+5/-5)
docs/cgi-examples/printenv (+1/-1)
docs/error/HTTP_NOT_FOUND.html.var (+1/-1)
include/ap_config_layout.h.in (+0/-1)
modules/cache/cache_storage.c (+17/-49)
modules/cache/cache_util.c (+35/-72)
modules/dav/fs/lock.c (+84/-13)
modules/dav/fs/repos.c (+54/-125)
modules/dav/main/mod_dav.c (+3/-23)
modules/mappers/mod_rewrite.c (+2/-19)
os/unix/unixd.c (+0/-4)
server/config.c (+2/-29)
server/main.c (+1/-3)
support/Makefile.in (+1/-5)
support/ab.c (+3/-5)
support/apxs.in (+121/-51)
support/config.m4 (+2/-2)
support/dbmmanage.in (+3/-5)
support/envvars-std.in (+3/-0)
support/logresolve.c (+12/-10)
support/suexec.c (+12/-23)
- James Page: Approve on 2012-06-08
- Ubuntu branches: Pending requested 2012-06-08
- Diff: 38 lines (+12/-2), 3 files modified
debian/changelog (+9/-0)
debian/control (+2/-1)
debian/mod-security.load (+1/-1)
- James Page: Approve on 2012-06-08
- Ubuntu branches: Pending requested 2012-06-08
- Diff: 773 lines (+641/-35), 6 files modified
.pc/083_dlopen_search_path/modules/mappers/mod_so.c (+434/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+9/-0)
debian/patches/083_dlopen_search_path (+152/-0)
debian/patches/series (+1/-0)
modules/mappers/mod_so.c (+44/-35)
- James Page: Approve on 2012-07-19
- Ubuntu branches: Pending requested 2012-07-19
- Diff: 52 lines (+14/-3), 4 files modified
debian/changelog (+11/-0)
debian/conf/proxy_html.load (+0/-1)
debian/control (+2/-1)
debian/rules (+1/-1)
- James Page: Approve on 2012-07-19
- Ubuntu branches: Pending requested 2012-07-19
- Diff: 47 lines (+21/-2), 3 files modified
debian/changelog (+19/-0)
debian/control (+2/-1)
debian/mod-security.load (+0/-1)
Christoph_vW (christoph-apiviewer) wrote : | #1 |
Christoph_vW (christoph-apiviewer) wrote : | #2 |
tags: | added: precise |
no longer affects: | apache2 (Debian) |
James Page (james-page) wrote : | #3 |
sudo apt-get install apache2 libapache2-
reproduced on 12.04:
sudo apachectl configtest
apache2: Syntax error on line 210 of /etc/apache2/
Action 'configtest' failed.
The Apache error log may have more information.
affects: | apache2 (Ubuntu) → modsecurity-apache (Ubuntu) |
Changed in modsecurity-apache (Ubuntu): | |
importance: | Undecided → High |
status: | New → Confirmed |
James Page (james-page) wrote : | #4 |
Issue is that this package has not been updated to support the multiarch version of libxml2.
Obviously this can be fixed by updating /etc/apache2/
Changed in modsecurity-apache (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in apache2 (Debian): | |
status: | Unknown → New |
tags: | added: libxml2-ma |
Changed in apache2 (Debian): | |
status: | New → Fix Released |
Hugo.Batel (hugo-batel) wrote : | #5 |
The same happens on 64 bit ubuntu 12.04.
Creating a symbolic link like the one below is a workaround for this problem.
ln -s /usr/lib/
Robie Basak (racb) wrote : | #6 |
Debian has fixed this by updating apache2 to use dlopen's search path and changing mod-security.load to not use any absolute path. This is a nice clean fix.
For an SRU, I think our options are:
1) Also SRU apache2 to use the search path as Debian has done, but this seems a bit too major for an SRU.
2a) Change mod-security.load dynamically on postinst, but this will prompt on future upgrade (as it's a conffile).
2b) Use ucf to update mod-security.load dynamically on postinst, but this requires introducing ucf which seems excessive for an SRU.
3) Symlink /usr/lib/
I don't like any of these options. What other fix is possible? Or is one of these acceptable?
Robie Basak (racb) wrote : | #7 |
Debian have fixed this by changing both modsecurity-apache and apache2. modsecurity-apache has synced. I have prepared a merge for apache2 which is ready for sponsorship.
For the SRU, please see my questions above.
Thanks!
Changed in modsecurity-apache (Ubuntu): | |
status: | Triaged → Fix Released |
Changed in apache2 (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in apache2 (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in modsecurity-apache (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in apache2 (Ubuntu Precise): | |
status: | New → Triaged |
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | New → Triaged |
Changed in modsecurity-apache (Ubuntu Precise): | |
milestone: | none → ubuntu-12.04.1 |
Changed in apache2 (Ubuntu Precise): | |
milestone: | none → ubuntu-12.04.1 |
Sebastien Bacher (seb128) wrote : | #8 |
(unsubscribing sponsors, jamespage said it's being tracked)
Robie Basak (racb) wrote : | #9 |
I've redone the merge with feedback integrated. I used merges.u.c this time.
Tested build and that it runs on Quantal with this bug fixed.
Robie Basak (racb) wrote : | #10 |
Robie Basak (racb) wrote : | #11 |
James Page (james-page) wrote : | #12 |
Uploaded to quantal - this resolves the apache2 task for development - marking 'Fix Released'
Changed in apache2 (Ubuntu): | |
status: | Triaged → Fix Released |
Changed in apache2 (Ubuntu Precise): | |
assignee: | nobody → Robie Basak (racb) |
Changed in modsecurity-apache (Ubuntu Precise): | |
assignee: | nobody → Robie Basak (racb) |
description: | updated |
Robie Basak (racb) wrote : | #13 |
SRU debdiffs for apache2 and modsecurity-apache attached.
Robie Basak (racb) wrote : | #14 |
Robie Basak (racb) wrote : | #15 |
I have test built and tested these on Precise to verify that the problem goes away and that Apache still works.
summary: |
- wrong path to libxml2.so.2 in mod_security + [SRU] wrong path to libxml2.so.2 in mod_security - broken by multiarch + enabled libraries |
Changed in apache2 (Ubuntu Precise): | |
status: | Triaged → In Progress |
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | Triaged → In Progress |
Clint Byrum (clint-fewbar) wrote : | #16 |
I'm a little concerned about how deep inside the core of Apache this change is. I think it's probably, as you say, a corner case if it causes somebody issues, but we should make sure it actually works as we think it does by testing some of those corner cases.
Changed in apache2 (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed |
Hello Christoph_vW, or anyone else affected,
Accepted apache2 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https:/
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
Clint Byrum (clint-fewbar) wrote : | #18 |
Hello Christoph_vW, or anyone else affected,
Accepted modsecurity-apache into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https:/
James Page (james-page) wrote : | #19 |
sudo apt-get install apache2 libapache2-
[....]
Setting up apache2.2-common (2.2.22-1ubuntu1.1) ...
Enabling site default.
Enabling module alias.
Enabling module autoindex.
Enabling module dir.
Enabling module env.
Enabling module mime.
Enabling module negotiation.
Enabling module setenvif.
Enabling module status.
Enabling module auth_basic.
Enabling module deflate.
Enabling module authz_default.
Enabling module authz_user.
Enabling module authz_groupfile.
Enabling module authn_file.
Enabling module authz_host.
Enabling module reqtimeout.
Setting up apache2-mpm-worker (2.2.22-1ubuntu1.1) ...
* Starting web server apache2 [ OK ]
Setting up apache2 (2.2.22-1ubuntu1.1) ...
Setting up libapache2-
* Restarting web server apache2 ... waiting . [ OK ]
Setting up ssl-cert (1.0.28ubuntu0.1) ...
Setting up modsecurity-crs (2.2.0-1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
/var/log/apache2# cat error.log
[Mon Jun 18 12:15:42 2012] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
[Mon Jun 18 12:15:43 2012] [notice] caught SIGTERM, shutting down
[Mon Jun 18 12:15:45 2012] [notice] ModSecurity for Apache/2.6.3 (http://
[Mon Jun 18 12:15:45 2012] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Mon Jun 18 12:15:45 2012] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="8.12 2011-01-15"
[Mon Jun 18 12:15:45 2012] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Jun 18 12:15:45 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
[Mon Jun 18 12:15:46 2012] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
James Page (james-page) wrote : | #20 |
The specific issue this fix resolves tested OK - but as Clint states this probably needs more thorough testing before acceptance into -updates.
Launchpad Janitor (janitor) wrote : | #21 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in mod-proxy-html (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in mod-proxy-html (Ubuntu): | |
status: | New → Confirmed |
Changed in mod-proxy-html (Ubuntu): | |
status: | Confirmed → Fix Released |
Steve Langasek (vorlon) wrote : | #23 |
I have serious misgivings about the particular approach taken here, in SRU or otherwise. Why does mod-security.load need to hard-code libxml2.so.2 *at all*? Isn't that why DSOs are dynamically linked to their dependent libraries (which mod_security2.so is)? And why is libxml2.so.2 being special-cased here, when mod_security2.so is also linked against liblua5.1.so.0? Did anyone try to fix this by just removing the LoadFile line completely? That would be a much safer fix than SRUing the core of apache2, and would probably fix the problem that this SRU seems to be stalled waiting for indeterminate regression testing of "corner cases".
A naive test here of commenting out this 'LoadFile' line shows that the apache config validates, and apache2-mpm-prefork starts without any problems.
Stefan Fritsch (sf-sfritsch) wrote : | #24 |
There are two schools of thought here. Some people prefer linking to the libraries directly (the saner approach for a Linux distribution) and some people prefer to load depending libraries with LoadFile (to make it easier to avoid loading two different versions of the same library in the same process). Mod_security used to take the second approach. If that has changed, or the packaging modifies it to link to libxml, then simply removing the LoadFile line is the logical thing to do.
Robie Basak (racb) wrote : | #25 |
The SRU I proposed just backports the fix that Debian have applied. If we want to do something else in Quantal, then we'd be deviating from Debian on this. Is this worth doing?
Of course, the SRU can be done differently. If commenting out LoadFile works, then perhaps that's all we need to do for the SRU?
Clint Byrum (clint-fewbar) wrote : | #26 |
Since the fix in -proposed is in doubt, I've marked the bug verification-
tags: |
added: verification-failed removed: verification-needed |
Robie Basak (racb) wrote : | #27 |
Removing the "LoadFile /usr/lib/
However, I am concerned to make sure that mod-security is actually functional after this change, in case it can't resolve symbols further down the line.
Although I note from /proc/../maps that /usr/lib/
I am unfamiliar with mod-security itself. Could someone affected by this bug please post a test case with expected results that exercises the XML functionality in mod-security that would use libxml2.so.2?
Robie Basak (racb) wrote : | #28 |
<jamespage> rbasak, I think that the test case can be technical
<jamespage> so for example I think it's sufficient to say - yes we can restart apache OK with it installed and we can see that this library has been loaded by using lsof or suchlike
Based on this, my test case for SRU verification will be based on loading apache and checking /proc/.../maps for presence of the modules expected.
Changed in apache2 (Ubuntu Precise): | |
status: | Fix Committed → In Progress |
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | Fix Committed → In Progress |
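The checks discussed in comments #23 and #27-#28, as an added example that is not part of the original report or of any package's own scripts: confirm that a module declares libxml2.so.2 as a dynamic dependency, that the library is mapped into a running process, and that no `LoadFile` line points at a missing absolute path. The module name `mod_example.so`, the function names, and all sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the bug report. All sample data is constructed.

# Print the DT_NEEDED sonames from `objdump -p MODULE.so` output on stdin.
# A module that lists libxml2.so.2 here needs no LoadFile line for it.
needed_libs() {
    awk '$1 == "NEEDED" { print $2 }'
}

# Succeed if MAPS_FILE (a copy of /proc/PID/maps) maps a file named SONAME
# or SONAME.<version>, e.g. libxml2.so.2 matches libxml2.so.2.7.8.
maps_has_lib() {
    awk -v so="$2" '
        $NF ~ /^\// {
            n = split($NF, p, "/")
            if (p[n] == so || index(p[n], so ".") == 1) found = 1
        }
        END { exit !found }' "$1"
}

# Print "file: path" for every LoadFile in CONF_DIR/*.load whose absolute,
# unquoted target does not exist (the condition that breaks configtest).
stale_loadfiles() {
    for f in "$1"/*.load; do
        [ -f "$f" ] || continue
        awk 'tolower($1) == "loadfile" && $2 ~ /^\// { print $2 }' "$f" |
        while read -r path; do
            [ -e "$path" ] || echo "$f: $path"
        done
    done
}

# Constructed `objdump -p` excerpt for a hypothetical mod_example.so.
sample_objdump() {
    cat <<'EOF'
Dynamic Section:
  NEEDED               libxml2.so.2
  NEEDED               liblua5.1.so.0
  NEEDED               libc.so.6
  SONAME               mod_example.so
EOF
}

# Constructed /proc/PID/maps excerpt; the last line is an anonymous mapping.
sample_maps() {
    cat <<'EOF'
7f3a10000000-7f3a10150000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libxml2.so.2.7.8
7f3a10400000-7f3a10460000 r-xp 00000000 08:01 977 /usr/lib/apache2/modules/mod_example.so
7f3a10800000-7f3a10821000 rw-p 00000000 00:00 0
EOF
}

# Stand-alone demo on the constructed data.
sample_objdump | needed_libs
```

On a live system, pipe `objdump -p` of the installed module into `needed_libs` and pass a copy of `/proc/PID/maps` for the running apache2 process to `maps_has_lib`.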
James Page (james-page) wrote : | #29 |
Marked bug task for apache2 as 'Invalid' as this is being fixed in just the modules.
Changed in mod-proxy-html (Ubuntu Precise): | |
milestone: | none → ubuntu-12.04.1 |
assignee: | nobody → Robie Basak (racb) |
importance: | Undecided → High |
Changed in apache2 (Ubuntu Precise): | |
status: | In Progress → Invalid |
Changed in mod-proxy-html (Ubuntu Precise): | |
status: | Confirmed → In Progress |
Changed in apache2 (Ubuntu Precise): | |
assignee: | Robie Basak (racb) → nobody |
description: | updated |
James Page (james-page) wrote : | #30 |
Robie - both MP's looked good - uploaded.
Adam Conrad (adconrad) wrote : | #31 |
Hello Christoph_vW, or anyone else affected,
Accepted modsecurity-apache into precise-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
tags: | removed: verification-failed |
tags: | added: verification-needed |
Changed in mod-proxy-html (Ubuntu Precise): | |
status: | In Progress → Fix Committed |
Adam Conrad (adconrad) wrote : | #32 |
Hello Christoph_vW, or anyone else affected,
Accepted mod-proxy-html into precise-proposed. The package will build now and be available at http://
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-
Further information regarding the verification process can be found at https:/
Stéphane Graber (stgraber) wrote : | #33 |
libapache2-
Stéphane Graber (stgraber) wrote : | #34 |
libapache2-
tags: |
added: verification-done removed: verification-needed |
Stéphane Graber (stgraber) wrote : | #35 |
The tests above were done without the updated apache2 from -proposed as this one was the previous fix and was now pulled out of -proposed.
Marking verification-done.
The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #37 |
This bug was fixed in the package modsecurity-apache - 2.6.3-1ubuntu0.2
---------------
modsecurity-apache (2.6.3-1ubuntu0.2) precise-proposed; urgency=low
* debian/
solution has been agreed in the bug.
* debian/
the loader to resolve all required dependencies. This avoids the
hardcoded path which fails on multiarch-enabled systems (LP: #988819).
modsecurity-apache (2.6.3-1ubuntu0.1) precise-proposed; urgency=low
* debian/
multiarch it is always incorrect on i386 and amd64. Use no path and
a corresponding apache2 change to use the standard dlopen search
path in this case to allow the library to be found (LP: #988819).
-- Robie Basak <email address hidden> Thu, 19 Jul 2012 11:33:40 +0000
Changed in modsecurity-apache (Ubuntu Precise): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #38 |
This bug was fixed in the package mod-proxy-html - 3.0.1-1ubuntu0.1
---------------
mod-proxy-html (3.0.1-1ubuntu0.1) precise-proposed; urgency=low
* debian/rules: explicitly link against libxml2.so, so that it gets
declared as a dependency. This will allow apache to load the module
without explicitly specifying the correct multiarch path.
* debian/
on the loader to resolve all required dependencies. This avoids the
hardcoded path which fails on multiarch-enabled systems (LP: #988819).
-- Robie Basak <email address hidden> Thu, 19 Jul 2012 12:09:11 +0000
Changed in mod-proxy-html (Ubuntu Precise): | |
status: | Fix Committed → Fix Released |
Ubuntu 12.04 LTS