Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault

Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault

am 21.06.2002 00:06:41 von gkuchta

--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

Per the recently announced vulnerability in versions of apache < 1.3.26,
I decided to be a happy little prole and update all of my webservices.

Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded
the packages like I always do:

apply mod_ssl to apache, apply mod_perl to apache, compile apache,
install apache, compile mod_ssl apxs module.

however, this time around, upon running ./apachetel startssl, apache
segfaulted:

275 [HAL:root](/usr/apache):./bin/apachectl startssl
/bin/apachectl: line 184: 4423 Segmentation fault $HTTPD -DSSL
/bin/apachectl startssl: httpd could not be started

apache starts fine without ssl enabled.

Here's an strace:

..
..
..
[snip]
stat("/usr/apache/conf/access.conf", {st_mode=3DS_IFREG|0600, st_size=3D348,
..}) =3D 0
lstat("/usr/apache/conf/access.conf", {st_mode=3DS_IFREG|0600,
st_size=3D348, ...}) =3D 0
open("/usr/apache/conf/access.conf", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0600, st_size=3D348, ...}) =3D 0
fstat(3, {st_mode=3DS_IFREG|0600, st_size=3D348, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x4019f000
read(3, "##\n## access.conf -- Apache HTTP"..., 4096) =3D 348
read(3, "", 4096) =3D 0
close(3) =3D 0
munmap(0x4019f000, 4096) =3D 0
brk(0x80f7000) =3D 0x80f7000
pipe([3, 4]) =3D 0
fork() =3D 4494
close(3) =3D 0
fcntl(4, F_GETFL) =3D 0x1 (flags O_WRONLY)
fstat(4, {st_mode=3DS_IFIFO|0600, st_size=3D0, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x4019f000
_llseek(4, 0, 0xbfffda00, SEEK_CUR) =3D -1 ESPIPE (Illegal seek)
dup2(4, 2) =3D 2
pipe([3, 5]) =3D 0
fork() =3D 4495
close(3) =3D 0
fcntl(5, F_GETFL) =3D 0x1 (flags O_WRONLY)
fstat(5, {st_mode=3DS_IFIFO|0600, st_size=3D0, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x404ac000
_llseek(5, 0, 0xbfffda00, SEEK_CUR) =3D -1 ESPIPE (Illegal seek)
open("/var/adm/https.log", O_WRONLY|O_APPEND|O_CREAT, 0666) =3D 3
fcntl(3, F_DUPFD, 15) =3D 15
close(3) =3D 0
fcntl(15, F_GETFL) =3D 0x401 (flags
O_WRONLY|O_APPEND)
fstat(15, {st_mode=3DS_IFREG|0644, st_size=3D11391310, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x404ad000
_llseek(15, 0, [0], SEEK_CUR) =3D 0
munmap(0x404ad000, 4096) =3D 0
time(NULL) =3D 1024609805
open("/etc/localtime", O_RDONLY) =3D 3
read(3, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0"..., 44)
=3D 44
read(3, "\236\246,\200\237\272\371p\240\206\16\200\241\232\333p"...,
1170) =3D 1170
fstat(3, {st_mode=3DS_IFREG|0644, st_size=3D1262, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x404ad000
read(3, "\377\377\271\260\1\0\377\377\253\240\0\4\377\377\271\260".. .,
4096) =3D 48
close(3) =3D 0
munmap(0x404ad000, 4096) =3D 0
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 110) =3D 110
time(NULL) =3D 1024609805
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 82) =3D 82
time(NULL) =3D 1024609805
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 72) =3D 72
brk(0x80f8000) =3D 0x80f8000
brk(0x80f9000) =3D 0x80f9000
brk(0x80fa000) =3D 0x80fa000
brk(0x80fb000) =3D 0x80fb000
brk(0x80fd000) =3D 0x80fd000
brk(0x80fb000) =3D 0x80fb000
brk(0x80fd000) =3D 0x80fd000
time(NULL) =3D 1024609805
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 119) =3D 119
open("/etc/ssl/www.cert", O_RDONLY) =3D 3
fstat(3, {st_mode=3DS_IFREG|0600, st_size=3D1493, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x404ad000
read(3, "-----BEGIN CERTIFICATE-----\nMIIE"..., 4096) =3D 1493
brk(0x80fe000) =3D 0x80fe000
brk(0x80ff000) =3D 0x80ff000
close(3) =3D 0
munmap(0x404ad000, 4096) =3D 0
open("/etc/ssl/www.key", O_RDONLY) =3D 3=20
fstat(3, {st_mode=3DS_IFREG|0600, st_size=3D887, ...}) =3D 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) =3D 0x404ad000
read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) =3D 887
close(3) =3D 0
munmap(0x404ad000, 4096) =3D 0
time(NULL) =3D 1024609805
getpid() =3D 4493
time(NULL) =3D 1024609805
time(NULL) =3D 1024609805
getpid() =3D 4493=20
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 82) =3D 82
getpid() =3D 4493
getuid() =3D 0
time(NULL) =3D 1024609805
open("/dev/urandom", O_RDONLY) =3D 3
read(3, "$\255\215\30L\315\255\356\3106\305\213\364\f\233\25", 16) =3D 16
close(3) =3D 0
time(NULL) =3D 1024609805
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 97) =3D 97
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805=20
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493

..

repeat this message about 300 more times

..

time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time([1024609805]) =3D 1024609805
getpid() =3D 4493
time(NULL) =3D 1024609805
getpid() =3D 4493
write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 95) =3D 95
brk(0x8109000) =3D 0x8109000
open("./php.ini", O_RDONLY) =3D -1 ENOENT (No such file or
directory)
open("/usr/lib/php.ini", O_RDONLY) =3D -1 ENOENT (No such file or
directory)
brk(0x810a000) =3D 0x810a000
brk(0x810b000) =3D 0x810b000
brk(0x810c000) =3D 0x810c000
brk(0x810d000) =3D 0x810d000
brk(0x810e000) =3D 0x810e000
brk(0x810f000) =3D 0x810f000
brk(0x8110000) =3D 0x8110000
brk(0x8111000) =3D 0x8111000
brk(0x8112000) =3D 0x8112000
brk(0x8113000) =3D 0x8113000
brk(0x8114000) =3D 0x8114000
brk(0x8115000) =3D 0x8115000
brk(0x8116000) =3D 0x8116000
brk(0x8117000) =3D 0x8117000
brk(0x8118000) =3D 0x8118000
brk(0x8119000) =3D 0x8119000
brk(0x811a000) =3D 0x811a000
brk(0x811b000) =3D 0x811b000
brk(0x811c000) =3D 0x811c000
brk(0x811d000) =3D 0x811d000
brk(0x811e000) =3D 0x811e000
brk(0x811f000) =3D 0x811f000
brk(0x8120000) =3D 0x8120000
brk(0x8121000) =3D 0x8121000
brk(0x8122000) =3D 0x8122000
brk(0x8123000) =3D 0x8123000
brk(0x8125000) =3D 0x8125000
brk(0x8126000) =3D 0x8126000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

configurations:

mod_ssl:
./configure \
"--with-apache=3D../apache_1.3.26" \
"$@"

apache:
CC=3D"gcc" \
RANLIB=3D"ranlib" \
./configure \
"--with-layout=3DApache" \
"--prefix=3D/usr/apache" \
"--enable-module=3Drewrite" \
"--enable-module=3Dssl" \
"--enable-module=3Dso" \
"--enable-shared=3Dssl" \
"--enable-suexec" \
"--suexec-caller=3Dwww" \
"$@"

php4:
./configure --prefix=3D/usr --with-apxs=3D/usr/apache/bin/apxs \
--with-openssl=3D../../openssl-0.9.6c --enable-bcmath \
--with-mysql=3D/usr/mysql

gcc version: 2.95.3
libc: libc6
ldd: 1.9.9
ld: 2.11.2
OpenSSL: 0.9.6.c

Let me know if there's anything else I can include to help you out;
I hope I'm just missing something stupid...

sorry if I'm wasting anyone's time.

Much thanks,

Garrett

=09
=09
--=20
Garrett Kuchta [gkuchta[at]astro.umn.edu]
Assistant System Manager
Dept. of Astronomy
University of Minnesota, Twin Cities
http://www.astro.umn.edu/~gkuchta

--sm4nu43k4a2Rpi4c
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD4DBQE9ElHxGFi+W9iUV88RAlLyAJiWatM4LDFP2vkgIyeQsBFPzWc4AJsH zE/o
YyekAW5/Ur0WlAIWyBLLCg==
=YoYS
-----END PGP SIGNATURE-----

--sm4nu43k4a2Rpi4c--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault

am 21.06.2002 00:09:17 von Cliff Woolley

On Thu, 20 Jun 2002 gkuchta@astro.umn.edu wrote:

> Per the recently announced vulnerability in versions of apache < 1.3.26,
> I decided to be a happy little prole and update all of my webservices.
>
> Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded
> the packages like I always do:
>
> write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 95) = 95
> brk(0x8109000) = 0x8109000
> open("./php.ini", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> open("/usr/lib/php.ini", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> brk(0x810a000) = 0x810a000
> brk(0x810b000) = 0x810b000
> brk(0x810c000) = 0x810c000
> brk(0x810d000) = 0x810d000
....
> brk(0x8123000) = 0x8123000
> brk(0x8125000) = 0x8125000
> brk(0x8126000) = 0x8126000
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++


Sounds like PHP is borked. Try building a new copy.

--Cliff

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault

am 21.06.2002 09:47:07 von gkuchta

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

My library update hadn't completely propigated across our network from
the fileserver, so parts of my mish-mash compiled against different
versions of openssl. All better. Maybe this will help someone else
down the road.=20

On Thu, Jun 20, 2002 at 06:09:17PM -0400, Cliff Woolley wrote:
> On Thu, 20 Jun 2002 gkuchta@astro.umn.edu wrote:
>=20
> > Per the recently announced vulnerability in versions of apache < 1.3.26,
> > I decided to be a happy little prole and update all of my webservices.
> >
> > Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded
> > the packages like I always do:
> >
> > write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 95) =3D 95
> > brk(0x8109000) =3D 0x8109000
> > open("./php.ini", O_RDONLY) =3D -1 ENOENT (No such file or
> > directory)
> > open("/usr/lib/php.ini", O_RDONLY) =3D -1 ENOENT (No such file or
> > directory)
> > brk(0x810a000) =3D 0x810a000
> > brk(0x810b000) =3D 0x810b000
> > brk(0x810c000) =3D 0x810c000
> > brk(0x810d000) =3D 0x810d000
> ...
> > brk(0x8123000) =3D 0x8123000
> > brk(0x8125000) =3D 0x8125000
> > brk(0x8126000) =3D 0x8126000
> > --- SIGSEGV (Segmentation fault) ---
> > +++ killed by SIGSEGV +++
>=20
>=20
> Sounds like PHP is borked. Try building a new copy.
>=20
> --Cliff
>=20

Garrett=20

--=20
Garrett Kuchta [gkuchta[at]astro.umn.edu]
Assistant System Manager
Dept. of Astronomy
University of Minnesota, Twin Cities
http://www.astro.umn.edu/~gkuchta

--9amGYk9869ThD9tj
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9Etn7GFi+W9iUV88RAiQlAJ9ALrfq8z99wFw08Sd/JIawy92bIACe KG/y
Y8etLQspnvvPwtx5RQr6mic=
=DXLj
-----END PGP SIGNATURE-----

--9amGYk9869ThD9tj--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org