Double free in libapache2-mod-auth-pgsql causes Apache to crash
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libapache2-mod-auth-pgsql (Debian) | Fix Released | Unknown | |
libapache2-mod-auth-pgsql (Ubuntu) | Fix Released | Medium | mubm |
Trusty | Fix Released | Medium | Andreas Hasenack |
Bug Description
[Impact]
The libapache2-
[Test Case]
* install the packages on the Ubuntu release you are testing:
$ sudo apt install apache2 libapache2-
* create the database and populate it with the test user:
$ sudo -u postgres -H createdb userdb
$ sudo -u postgres -H psql userdb -c "CREATE TABLE UserLogin (Username text, ApachePassword text);"
$ sudo -u postgres -H psql userdb -c "INSERT INTO UserLogin VALUES ('ubuntu', 'secret');"
* Create the DB user the module will use and grant access to the user table:
$ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;"
$ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;"
* Create /etc/apache2/
Alias /authpgtest /export/
<Directory /export/
Options +ExecCGI +FollowSymLinks
AddHandler cgi-script .pl
AuthType basic
AuthName "My Auth"
Require valid-user
AuthBasicProvider pgsql
Auth_
Auth_PG_host 127.0.0.1
Auth_PG_port 5432
Auth_PG_user www
Auth_PG_pwd password
Auth_PG_database userdb
Auth_PG_encrypted off
Auth_PG_pwd_table UserLogin
Auth_PG_uid_field Username
Auth_PG_pwd_field ApachePassword
</Directory>
* Enable this new configuration:
$ sudo a2enconf authpgtest.conf
* Enable the auth-pgsql and cgi modules and then restart apache:
$ for n in 000_auth_pgsql cgi; do sudo a2enmod $n; done
$ sudo service apache2 restart
* Create the CGI directory for our script:
$ sudo mkdir -p /export/
* Create the CGI script /export/
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "Hello, World!\n";
* Make it executable:
$ sudo chmod 0755 /export/
* Access the http://
$ curl -f http://
Hello, World!
$ curl -f http://
Hello, World!
$ curl -f http://
curl: (52) Empty reply from server
In /var/log/
*** Error in `/usr/sbin/
[Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2
After installing the fixed libapache2-
[Regression Potential]
This patch is already being used in Ubuntu releases higher than trusty, all the way to artful, and also in Debian.
This is a very old module that hasn't been built in a while (see [other info] below). It's possible that just rebuilding it with the new environment available in Trusty could introduce unknowns. Hopefully, if that happens, it will be immediately noticed by the people who use it and will test this SRU.
[Other Info]
This module hasn't been rebuilt since vivid and seems unmaintained, being at version 2.0.3 since the precise days:
libapache2-
libapache2-
libapache2-
libapache2-
libapache2-
libapache2-
libapache2-
- Debian's last changelog entry is from August 2013
- Fedora killed it in July 2011
- I couldn't find it in SuSE
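To check an Apache error log for the crash signature quoted in the test case (a glibc `*** Error in` banner together with a child exiting on signal 6), a scan like the following can be used. It is an added example, not part of the bug report or the module; the function names and the first sample log line are constructed, and the other two sample lines are copied from the report as they appear on this page.

```python
import re

# Parent-process notice that a child died on a signal (the AH00051 line in the report).
CHILD_EXIT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)(?::tid \d+)?\] "
    r"(?P<code>AH\d{5}): child pid (?P<child>\d+) exit signal "
    r"(?P<signame>[^()]+?) \((?P<signum>\d+)\)"
    r"(?:, possible coredump in (?P<coredir>\S+))?"
)
# Start of glibc's heap-corruption abort banner, which lands in the same log.
GLIBC_BANNER = re.compile(r"^\*\*\* Error in `")

SIGABRT = 6

# Sample input: line 1 is constructed; lines 2 and 3 are copied from the report
# (line 2 is truncated there and is kept truncated).
SAMPLE_LOG = [
    "[Wed Jul 19 20:43:50.000000 2017] [mpm_event:notice] [pid 10926:tid 140365262006144] AH00489: Apache/2.4 configured -- resuming normal operations",
    "*** Error in `/usr/sbin/",
    "[Wed Jul 19 20:43:57.077960 2017] [core:notice] [pid 10926:tid 140365262006144] AH00051: child pid 10930 exit signal Aborted (6), possible coredump in /etc/apache2",
]


def scan(lines):
    """Return (child_exits, glibc_banner_count) for an iterable of log lines."""
    exits, banners = [], 0
    for raw in lines:
        line = raw.rstrip("\n")
        if GLIBC_BANNER.match(line):
            banners += 1
            continue
        m = CHILD_EXIT.match(line)
        if m:
            event = m.groupdict()
            for key in ("parent", "child", "signum"):
                event[key] = int(event[key])
            exits.append(event)
    return exits, banners


def has_abort_signature(lines):
    """True when a child exited on SIGABRT and glibc printed an abort banner."""
    exits, banners = scan(lines)
    return banners > 0 and any(e["signum"] == SIGABRT for e in exits)


if __name__ == "__main__":
    import sys
    # With a file argument, scan that log; otherwise scan the embedded sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    print("abort signature present:", has_abort_signature(source))
```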
summary:
- apache2 crashed with SIGSEGV in <signal handler called>()
+ Double free in libapache2-mod-auth-pgsql causes Apache to crash
Changed in libapache2-mod-auth-pgsql (Ubuntu):
status: Confirmed → Fix Released
Changed in libapache2-mod-auth-pgsql (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Changed in libapache2-mod-auth-pgsql (Debian):
status: Unknown → Fix Released
tags: added: server-next
description: updated
description: updated
StacktraceTop:
daemon_signal_handler (sig=1) at mod_cgid.c:573
<signal handler called>
__accept_nocancel () at ../sysdeps/unix/syscall-template.S:81
cgid_server (data=data@entry=0x7f19808a4de0) at mod_cgid.c:686
cgid_start (p=0x7f19809dd028, main_server=0x7f19808a4de0, procnew=0x7f19809ba0e8) at mod_cgid.c:876