httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: CVE-2013-5704 fix breaks mod_wsgi
Date Sat, 10 Jan 2015 12:38:03 GMT
On Fri, Jan 9, 2015 at 3:48 PM, Jeff Trawick <trawick@gmail.com> wrote:

> On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton <jorton@redhat.com> wrote:
>
>> Since Jim is talking 2.4.11, I should report this now.  We discovered
>> this week in Fedora: mod_wsgi does some interesting things in daemon
>> mode, notably that it allocates a request_rec internally which ends up
>> getting used by httpd.
>>
>> Reason is, the fix for CVE-2013-5704 extends the request_rec:
>>
>> http://svn.apache.org/r1619884
>>
>> A mod_wsgi built against <= 2.4.10 will allocate a request_rec using the
>> old, smaller "wrong" size, and hence, if such a build is used with >=
>> 2.4.11, it passes in the wrong-sized request_rec and that breaks later
>> when httpd tries to access r->trailers_*.
>>
>> It's one of those fuzzy boundaries in the API, you can argue mod_wsgi is
>> wrong, but, I could argue it back; the struct *is* public, not got a
>> strong opinion on this personally.
>>
>> Either way, the fix for CVE-2013-5704 ends up breaking backwards
>> compatibility with existing 2.4.x builds of mod_wsgi, which is kind of
>> Bad.  I don't have a good proposal for how to fix or avoid this.  Worst
>> case, we make clear the mod_wsgi case is API/ABI abuse and warn binary
>> distributors they have to handle this by rebuilding.
>>
>> Regards, Joe
>>
>
> * One-time only: Make clear in announcement that mod_wsgi has to be
> rebuilt.
> * Add helper functions to allocate a request_rec, conn_rec, server_rec.
> It doesn't solve all possible problems of course but can drastically reduce
> the frequency of needing to recompile a module that needs to do such things.
>

Actually, ap_{request_rec|conn_rec|server_rec}_size would be much better;
that supports allocation, copy, as well as "Pfft!  You better recompile me."


> * Module authors who allocate structures generally created by httpd own
> the monitoring and announcement, or should just document "You must
> recompile this module every time you update httpd."
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
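
The size-accessor idea from this message, sketched as an added C example; it is not part of the original email and not httpd code. `old_request_rec`, `new_request_rec` and the `demo_*` functions are hypothetical stand-ins for a `request_rec` that grew between releases and for the proposed `ap_request_rec_size`-style call, showing the three uses named above: allocation, copy, and the "recompile me" check.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in: request_rec as a module built against <= 2.4.10 sees it. */
typedef struct {
    const char *uri;
    int status;
} old_request_rec;

/* Constructed stand-in: request_rec after the fix appended the trailers fields. */
typedef struct {
    const char *uri;
    int status;
    void *trailers_in;
    void *trailers_out;
} new_request_rec;

/* Hypothetical accessor: lives in the running server, so it reports the
 * server's struct size, not the size baked into the module at build time. */
size_t demo_request_rec_size(void) { return sizeof(new_request_rec); }

/* "You better recompile me": compare the module's build-time size to the server's. */
int demo_module_is_stale(size_t built_size) {
    return built_size != demo_request_rec_size();
}

/* Allocation: sized by the server and zeroed, so appended fields start out NULL. */
void *demo_request_rec_alloc(void) {
    return calloc(1, demo_request_rec_size());
}

/* Copy: duplicates the whole record, including fields the module never saw. */
void *demo_request_rec_copy(const void *src) {
    void *dst = malloc(demo_request_rec_size());
    if (dst != NULL)
        memcpy(dst, src, demo_request_rec_size());
    return dst;
}

int main(void) {
    old_request_rec *r = demo_request_rec_alloc();   /* module's narrower view */
    if (r == NULL) return 1;
    r->uri = "/app";
    new_request_rec *core = (new_request_rec *)r;    /* server's full view */
    printf("stale=%d trailers_in=%p\n",
           demo_module_is_stale(sizeof(old_request_rec)), core->trailers_in);
    free(r);
    return 0;
}
```

A module that instead calls `malloc(sizeof(old_request_rec))` hands the server a block that ends before `trailers_in`, which is the failure Joe describes.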
