On Wed, Jun 27, 2007 at 04:42:38PM -0400, Jim Jagielski wrote:
> I might be missing this (just did a quick scan) but
> what about ap_reclaim_child_processes/reclaim_one_pid()?
> Here we "trust" the pid in the scoreboard and
> send signals.
I'd said in the other thread that this wasn't an attack vector (and
hence 2.0.x wasn't vulnerable), because it already goes through a
waitpid() before a kill(). Having looked at it again on your prompting
there is a cute way to exploit it: using a pid of -1 will have waitpid()
wait for any child, which can easily succeed with "not done", and then
passing a pid of -1 to kill is... kind of nasty, especially for root.
So I fixed that also in the commit to the trunk.
I haven't forgotten 1.3, and will submit 2.0/2.2 backports for review
shortly!
joe
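The fix Joe describes, as an added example rather than httpd's own reclaim_one_pid(): a hypothetical reclaim step that treats the scoreboard pid as untrusted and rejects 0, -1 and other non-child values before they can reach waitpid() or kill(), where they stop meaning "this one child". Function names and the idle-child helper are assumptions made for the demonstration.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical check (not httpd code): a pid read back from shared
 * memory is attacker-influenced, so only a plain positive pid may pass.
 * 0 and negatives select a process group or "any child"/"every process
 * I may signal" in waitpid()/kill(); pid 1 is init, never our child. */
int scoreboard_pid_is_sane(pid_t pid)
{
    return pid > 1;
}

/* Returns 1 if the child had already exited and was reaped, 0 if it is
 * still running and was sent `sig`, -1 if the pid was rejected or does
 * not belong to this parent (waitpid() reports ECHILD). */
int reclaim_child(pid_t pid, int sig)
{
    int status;
    pid_t rv;

    if (!scoreboard_pid_is_sane(pid))
        return -1;

    rv = waitpid(pid, &status, WNOHANG);   /* exactly this pid, never -1 */
    if (rv == pid)
        return 1;                          /* exited: nothing to signal */
    if (rv == -1)
        return -1;                         /* not our child: do not signal */
    /* rv == 0: our child, still running, so signalling it is safe */
    return kill(pid, sig) == 0 ? 0 : -1;
}

/* Demo helper (constructed): a child that idles until it is signalled. */
pid_t spawn_idle_child(void)
{
    pid_t c = fork();
    if (c == 0)
        for (;;) pause();
    return c;
}

int main(void)
{
    pid_t c = spawn_idle_child();
    printf("pid -1 from scoreboard -> %d (rejected)\n", reclaim_child(-1, SIGTERM));
    printf("live child %ld -> %d (signalled)\n", (long)c, reclaim_child(c, SIGTERM));
    waitpid(c, NULL, 0);
    return 0;
}
```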