Bug#384622: debian patch renders MIME::Lite unusable under mod_perl

[Niko Tyni]

reassign 384622 libapache2-mod-perl2 2.0.2-2
retitle 384622 libapache2-mod-perl2: localizing %ENV causes a segmentation fault
# present in stable too
found 384622 1.999.21-1
severity 384622 important
tags 384622 fixed-upstream patch
thanks

On Fri, Aug 25, 2006 at 04:22:54PM +0200, Martin Gruner wrote:
> Package: libmime-lite-perl
> Version: 3.01-7
> Severity: grave
> 
> The Debian libmime-lite-perl package contains the following workaround
> for MIME::Lite programming errors:

> +local %ENV = %ENV;

> This leads to segfaults of apache2 if used under mod_perl2. It
> effectively deletes %ENV, so that script which uses MIME::Lite works
> well if called for the first time, but dies at the second call (under
> mod_perl, scripts stay in memory).

Hi,

there's nothing wrong with localizing %ENV, in my understanding. This
is a bug in libapache2-mod-perl2. It's fixed upstream and in Ubuntu:

http://thread.gmane.org/gmane.comp.apache.mod-perl/22236

http://svn.apache.org/viewvc?view=rev&revision=357236

http://patches.ubuntu.com/liba/libapache2-mod-perl2/libapache2-mod-perl2_2.0.2-2ubuntu1.patch

> Please fix this. A sarge fix would be nice too. This can be used for
> local DOS attacks on mod_perl2 servers.

I don't see how having this in libmime-lite-perl creates an attack vector.
People writing scripts running under mod_perl2 can just as well write

 local %ENV;

in their script and get the apache2 process to segfault. Furthermore,
I would expect that segfaulting apache2 with eg. user-supplied XS code
is quite trivial when you can run code inside mod_perl2. Sorry if I'm
missing something.

I'm reassigning this against libapache2-mod-perl2. As the bug doesn't
make either libmime-lite-perl or libapache2-mod-perl2 generally unusable
and doesn't (IMO) introduce a security hole, I don't see grounds for the
'grave' severity. I'm thus downgrading it to 'important' for now.

Thanks for your report,
-- 
Niko Tyni	ntyni at iki.fi