354297 – www-servers/apache-2.2.16-r1 uses memcpy incorrectly (breaks with glibc-2.13)

Bug 354297 - www-servers/apache-2.2.16-r1 uses memcpy incorrectly (breaks with glibc-2.13)

Summary: www-servers/apache-2.2.16-r1 uses memcpy incorrectly (breaks with glibc-2.13)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Server (show other bugs)
Hardware:	All Linux

Importance:	High normal with 2 votes (vote)
Assignee:	Apache Team - Bugzilla Reports

URL:
Whiteboard:
Keywords:

Duplicates (2):	354303 354737 (view as bug list)
Depends on:	342055
Blocks:	glibc-2.13
	Show dependency tree

Reported:	2011-02-09 22:14 UTC by Stelian Ionescu
Modified:	2011-02-18 17:31 UTC (History)
CC List:	9 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stelian Ionescu 2011-02-09 22:14:28 UTC

After installing glibc-2.13 on a Core i7 box running the amd64/10.0/no-multilib profile, I started seeing "request failed: error reading the headers" on almost all SSL requests
The bug seems to be this one: https://issues.apache.org/bugzilla/show_bug.cgi?id=45444 , although it's strange that the fix was pushed to trunk 3 years ago but not released

Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2011-02-10 00:20:45 UTC

Are you sure this isn't a duplicate of bug 353814?

Comment 2 Stelian Ionescu 2011-02-10 09:01:40 UTC

Yes, because the mod_ssl bug consists in using memcpy() with overlapping memory areas, thus truncating HTTP headers while parsing them.
The patch referenced by the upstream bug report replaces two uses of memcpy() with memmove()

Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure

2011-02-10 11:30:18 UTC

In that case this is an apache bug so I'm reassigning to the apache team.

Comment 4 Paweł Jastrzębski 2011-02-11 16:21:28 UTC

Confirming. Error is caused by bug in mod_ssl.

Comment 5 Timo A. Hummel 2011-02-11 17:13:19 UTC

*** Bug 354303 has been marked as a duplicate of this bug. ***

Comment 6 Paweł Jastrzębski 2011-02-11 19:02:23 UTC

This bug is fixed in Apache 2.2.17.

Comment 7 Chí-Thanh Christopher Nguyễn gentoo-dev

2011-02-13 14:46:07 UTC

*** Bug 354737 has been marked as a duplicate of this bug. ***

Comment 8 Robert Piasek (RETIRED) gentoo-dev

2011-02-17 15:53:21 UTC

Yeah, I can confirm that:

2.2.17 (released 2010-10-19)

works just fine.

Comment 9 Nathan Phillip Brink (binki) (RETIRED) gentoo-dev

2011-02-17 16:15:31 UTC

This bug should depend on bug 342055.

Comment 10 Benedikt Böhm (RETIRED) gentoo-dev

2011-02-18 17:31:24 UTC

should be fixed with 2.2.17