perl-modperl mailing list archives

From "Steve Hay" <Steve....@verosoftware.com>
Subject RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date Wed, 13 Mar 2013 09:13:15 GMT
Dominic Hargreaves wrote on 2013-03-12:
> Hello,
> 
> When trying to fix this issue in Debian stable, I found that the patch at
> 
> http://svn.apache.org/viewvc?view=revision&revision=1455340
> 
> does not stop the test failing when applied to 2.0.4 (as currently
> found in Debian stable) and built against the current perl package in
> Debian stable (5.10 + the rehashing fix). t/logs/error_log simply says:
> 
> [Tue Mar 12 21:09:23 2013] [error] [client 127.0.0.1] Failed to mount the hash collision attack at /home/dom/working/pkg-perl/git/libapache2-mod-perl2/t/response/TestPerl/hash_attack.pm line 112, <fh00003Makefile> line 1.\n
> 
> This is the change:
> 
> http://perl5.git.perl.org/perl.git/commitdiff/f14269908e5f8b4cab4b55643d7dd9de577e7918
> 
> which differs a bit from that applied to 5.14:
> 
> http://perl5.git.perl.org/perl.git/commitdiff/d59e31fc729d8a39a774f03bc6bc457029a7aef2
> 
> although interestingly both test changes are identical.
> 
> Help to pin down this difference in behaviour would be appreciated.
> 
> The source for the package in question is at
> 
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libapache2-mod-perl2.git;a=shortlog;h=refs/heads/dom/squeeze-702821
> 
> Thanks,
> Dominic.
>


I haven't looked at the Debian package, or tried anything with
mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
Perl git repo (in fact, I took the snapshot at
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d7dd9de577e7918.tar.gz)
and tried that with Apache 2.2.22 and mod_perl from
trunk and the tests all pass for me... (This is on Windows 7 x64 with
VC++ 2010.)

