suphp 0.6.2 backport request to dapper (0.6.1) and edgy (0.6.1) from feisty
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Dapper Backports | Invalid | Undecided | Unassigned |
Edgy Backports | Invalid | Undecided | Unassigned |
suphp (Debian) | Fix Released | Unknown | |
suphp (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Backport request: please backport suphp 0.6.2 to dapper and edgy from feisty.
Binary package hint: libapache2-
Whenever suphp refuses to run a script for any reason (e.g. UID/GID out of configured allowable range, wrong permissions, etc.), it causes the following error messages to appear in the Apache error log:
---SNIP---
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] SoftException in Application.
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] SoftException in Application.
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] SoftException in Application.
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Caused by SystemException in API_Linux.cpp:427: execve() for program "/var/www/
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
---SNIP---
As you can see, the above are three distinct examples:
1. [Mon Nov 27 17:56:12 2006] was caused by the target script being outside of the allowable suphp docroot.
2. [Mon Nov 27 17:56:41 2006] was caused by wrong ownership: owner UID of the target script file was less than the allowable UID.
3. [Mon Nov 27 17:57:18 2006] was caused by wrong permissions (the www-data user/group has no read access to the script in question).
In all three cases, the last error message seen was always "*** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***" which is a bit unnerving. I am not sure if this problem is potentially exploitable.
Note that this seems to be a known issue with suphp, and the latest release (0.6.2) seems to have addressed the issue according to the suphp homepage: http://
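A way to check an Apache error log for the pattern shown in the excerpt above, and to confirm after an upgrade that suphp refusals no longer end in a glibc abort. This is an added example, not part of the original report or of suphp; the function name `suphp_refusals`, the sample log and its client addresses are constructed for illustration.

```python
import re

# Constructed sample in the error-log layout quoted in the report; the client
# addresses (documentation range) and the last two requests are made up.
SAMPLE_LOG = """\
[Mon Nov 27 17:56:12 2006] [error] [client 192.0.2.10] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 192.0.2.10] SoftException in Application.
[Mon Nov 27 17:56:12 2006] [error] [client 192.0.2.10] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:58:03 2006] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico
[Mon Nov 27 17:59:40 2006] [error] [client 192.0.2.10] Premature end of script headers: index.cgi
[Mon Nov 27 17:59:40 2006] [error] [client 192.0.2.10] SoftException in Application.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
GLIBC_RE = re.compile(
    r"\*\*\* glibc detected \*\*\* (?P<kind>.+?): (?P<addr>0x[0-9a-fA-F]+) \*\*\*")


def suphp_refusals(log_text):
    """Return one record per request that logged a suPHP SoftException.

    Assumption: lines sharing a timestamp and client belong to one request,
    which holds for the excerpt in the report but not for a busy server.
    """
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.setdefault((m["ts"], m["client"]), []).append(m["msg"])
    records = []
    for (ts, client), msgs in events.items():
        # Skip requests that did not involve a suPHP refusal at all.
        if not any(msg.startswith("SoftException") for msg in msgs):
            continue
        # First glibc heap-consistency message in the same request, if any.
        abort = next((g for g in map(GLIBC_RE.search, msgs) if g), None)
        records.append({
            "time": ts, "client": client,
            "heap_abort": abort["kind"] if abort else None,
            "addr": abort["addr"] if abort else None,
        })
    return records


if __name__ == "__main__":
    for r in suphp_refusals(SAMPLE_LOG):
        state = f"{r['heap_abort']} at {r['addr']}" if r["heap_abort"] else "clean refusal"
        print(r["time"], r["client"], state)
```

A record with `heap_abort` set to `None` is a refusal that exited without tripping glibc's heap check, which is what every refusal should look like once the fixed package is installed.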
Changed in suphp:
status: Unknown → Unconfirmed

Changed in suphp:
assignee: nobody → rouben
status: Unconfirmed → Confirmed

Changed in suphp:
assignee: ubuntu-archive → ubuntu-backporters

Changed in suphp:
status: Unconfirmed → Fix Released
description: updated

Changed in suphp:
status: Unknown → Fix Released

Changed in dapper-backports:
assignee: nobody → snowmaninva66
status: Needs Info → In Progress

This would appear to have been fixed in the latest unstable Debian version of the package. Thus this is a request to make the 0.6.1.20061108-1 version of suphp available in the Ubuntu package repositories (6.06 LTS and 6.10 at the very least).
Thank you!