perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Hay" <Steve....@verosoftware.com>
Subject RE: perl/hash_attack.t fails with 5.10.1 + CVE-2013-1667 fix
Date Thu, 14 Mar 2013 08:54:06 GMT
Niko Tyni wrote on 2013-03-13:
> On Wed, Mar 13, 2013 at 09:13:15AM -0000, Steve Hay wrote:
>> Dominic Hargreaves wrote on 2013-03-12:
> 
>>> When trying to fix this issue in Debian stable, I found that the
patch
>>> at
>>> 
>>> http://svn.apache.org/viewvc?view=revision&revision=1455340
>>> 
>>> does not stop the test failing when applied to 2.0.4 (as currently
>>> found in Debian stable) and built against the current perl package
>>> in Debian stable (5.10 + the rehashing fix).
> 
>> I haven't looked at the Debian package, or tried anything with
>> mod_perl-2.0.4, but I've just checked out origin/maint-5.10 from the
>> Perl git repo (in fact, I took the snapshot at
>> 
>>
http://perl5.git.perl.org/perl.git/snapshot/f14269908e5f8b4cab4b55643d
>> 7d d9de577e7918.tar.gz) and tried that with Apache 2.2.22 and
mod_perl
>> from trunk and the tests all pass for me... (This is on Windows 7 x64
>> with VC++ 2010.)
> 
> Thanks for checking.
> 
> FWIW, I can reproduce the failure with the Debian perl 5.10.1 package
> and mod_perl2 2.0.7 with just the above test fix. So it doesn't seem
to
> be a Debian change that breaks it. Maybe -Dusethreads or something
like
> that.
> 
> I'll keep looking and send an update when I know more.


The perl I built and tested with was made with ithreads enabled.

There is an alternative patch to fix this test, submitted to mod_perl's
rt.cpan.org queue after I'd applied the patch from the perl5-security
queue on rt.perl.org:

https://rt.cpan.org/Ticket/Display.html?id=83916

I haven't tried it myself yet, but is that any better for you?

Mime
View raw message