Bug#384622: debian patch renders MIME::Lite unusable under mod_perl
Niko Tyni
ntyni at iki.fi
Mon Aug 28 19:34:48 UTC 2006
reassign 384622 libapache2-mod-perl2 2.0.2-2
retitle 384622 libapache2-mod-perl2: localizing %ENV causes a segmentation fault
# present in stable too
found 384622 1.999.21-1
severity 384622 important
tags 384622 fixed-upstream patch
thanks
On Fri, Aug 25, 2006 at 04:22:54PM +0200, Martin Gruner wrote:
> Package: libmime-lite-perl
> Version: 3.01-7
> Severity: grave
>
> The Debian libmime-lite-perl package contains the following workaround
> for MIME::Lite programming errors:
> +local %ENV = %ENV;
> This leads to segfaults of apache2 if used under mod_perl2. It
> effectively deletes %ENV, so that a script which uses MIME::Lite works
> well if called for the first time, but dies at the second call (under
> mod_perl, scripts stay in memory).
Hi,
there's nothing wrong with localizing %ENV, in my understanding. This
is a bug in libapache2-mod-perl2. It's fixed upstream and in Ubuntu:
http://thread.gmane.org/gmane.comp.apache.mod-perl/22236
http://svn.apache.org/viewvc?view=rev&revision=357236
http://patches.ubuntu.com/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.patch
> Please fix this. A sarge fix would be nice too. This can be used for
> local DOS attacks on mod_perl2 servers.
I don't see how having this in libmime-lite-perl creates an attack vector.
People writing scripts running under mod_perl2 can just as well write
local %ENV;
in their script and get the apache2 process to segfault. Furthermore,
I would expect that segfaulting apache2 with e.g. user-supplied XS code
is quite trivial when you can run code inside mod_perl2. Sorry if I'm
missing something.
I'm reassigning this against libapache2-mod-perl2. As the bug doesn't
make either libmime-lite-perl or libapache2-mod-perl2 generally unusable
and doesn't (IMO) introduce a security hole, I don't see grounds for the
'grave' severity. I'm thus downgrading it to 'important' for now.
Thanks for your report,
--
Niko Tyni ntyni at iki.fi