httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: CVE-2013-5704 fix breaks mod_wsgi
Date Fri, 09 Jan 2015 20:48:18 GMT
On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton <> wrote:

> Since Jim is talking 2.4.11, I should report this now.  We discovered
> this week in Fedora: mod_wsgi does some interesting things in daemon
> mode, notably that it allocates a request_rec internally which ends up
> getting used by httpd.
> Reason is, the fix for CVE-2013-5704 extends the request_rec:
> A mod_wsgi built against <= 2.4.10 will allocate a request_rec using the
> old, smaller "wrong" size, and hence, if such a build is used with >=
> 2.4.11, it passes in the wrong-sized request_rec and that breaks later
> when httpd tries to access r->trailers_*.
> It's one of those fuzzy boundaries in the API, you can argue mod_wsgi is
> wrong, but, I could argue it back; the struct *is* public, not got a
> strong opinion on this personally.
> Either way, the fix for CVE-2013-5704 ends up breaking backwards
> compatibility with existing 2.4.x builds of mod_wsgi, which is kind of
> Bad.  I don't have a good proposal for how to fix or avoid this.  Worst
> case, we make clear the mod_wsgi case is API/ABI abuse and warn binary
> distributors they have to handle this by rebuilding.
> Regards, Joe

* One-time only: Make clear in announcement that mod_wsgi has to be rebuilt.
* Add helper functions to allocate a request_rec, conn_rec, server_rec.  It
doesn't solve all possible problems of course but can drastically reduce
the frequency of needing to recompile a module that needs to do such things.
* Module authors who allocate structures generally created by httpd own the
monitoring and announcement, or should just document "You must recompile
this module every time you update httpd."

Born in Roswell... married an alien...

View raw message