Bug 29893 - net-www/apache : denial of service using malicious CGI
Summary: net-www/apache : denial of service using malicious CGI
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Depends on: 32271
Reported: 2003-09-29 05:43 UTC by Stephen Tallowitz
Modified: 2004-09-22 20:29 UTC

Diff for mod_cgi.c (mod_cgi.c.diff,23.58 KB, patch)
2004-05-07 06:14 UTC, Thierry Carrez (RETIRED)

Description Stephen Tallowitz 2003-09-29 05:43:02 UTC
As explained at there's
a problem with mod_cgi. Whenever a perl script tries to write more than 4096
bytes to STDERR, script execution is stopped, but the process (belonging to that
script) is not terminated. If several scripts of that sort are started then many
processes will still be in the system causing apache to refuse new connections
if max connections has been reached by those scripts. This could be used to
start a denial of service on that server.
I do not use apache myself, but have seen that no one has posted a bug on So you might want to check if this has been fixed in the ebuild
of apache.
There should be an update at the apache website in the CVS, which resolves that

Reproducible: Didn't try
Steps to Reproduce:

Applies to: apache 2.0.47, mod_cgi
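The stall described in this report, as an added example (not part of the bug thread and not Apache's mod_cgi code): a parent that reads a child's stdout to EOF before looking at stderr hangs once the stderr output exceeds the pipe buffer, while a parent that polls both pipes finishes. It assumes the hang comes from stderr going unread while the script runs; `noisy_cgi`, `run_cgi`, the sizes and the timeout are made up for the illustration, and the threshold is the kernel's pipe capacity (the 4096 bytes in the report, 64 KiB by default on current Linux).

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the CGI: n bytes to stderr, then "ok" to stdout. */
static void noisy_cgi(size_t n) {
    char buf[512] = {0};
    for (size_t sent = 0; sent < n; sent += sizeof buf)
        if (write(STDERR_FILENO, buf, sizeof buf) < 0) _exit(1);
    _exit(write(STDOUT_FILENO, "ok", 2) == 2 ? 0 : 1);
}

/* Parent side. drain_both=0 reads stdout to EOF before touching stderr (the
 * ordering that stalls); drain_both=1 polls both pipes. Returns the stderr bytes
 * received, or -1 if nothing arrived for timeout_ms and the child was killed. */
long run_cgi(size_t stderr_bytes, int drain_both, int timeout_ms) {
    int out[2], err[2]; pid_t pid;
    if (pipe(out) < 0 || pipe(err) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        dup2(out[1], STDOUT_FILENO); dup2(err[1], STDERR_FILENO);
        close(out[0]); close(out[1]); close(err[0]); close(err[1]);
        noisy_cgi(stderr_bytes);
    }
    close(out[1]); close(err[1]);
    int rfd[2] = {out[0], err[0]};            /* read ends; -1 once closed */
    struct pollfd fds[2] = {{rfd[0], POLLIN, 0}, {drain_both ? rfd[1] : -1, POLLIN, 0}};
    long got = 0; int live = 2; char buf[4096];
    while (live > 0) {
        if (poll(fds, 2, timeout_ms) <= 0) { kill(pid, SIGKILL); got = -1; break; }
        for (int i = 0; i < 2; i++) {
            if (fds[i].fd < 0 || !(fds[i].revents & (POLLIN | POLLHUP))) continue;
            ssize_t n = read(fds[i].fd, buf, sizeof buf);
            if (n > 0) { if (i == 1) got += n; continue; }
            close(rfd[i]); rfd[i] = fds[i].fd = -1; live--;
            if (i == 0 && !drain_both) fds[1].fd = rfd[1];  /* only now read stderr */
        }
    }
    for (int i = 0; i < 2; i++) if (rfd[i] >= 0) close(rfd[i]);
    waitpid(pid, NULL, 0);
    return got;
}

int main(void) {
    printf("stdout first: %ld\n", run_cgi(1 << 20, 0, 500));
    printf("poll both:    %ld\n", run_cgi(1 << 20, 1, 500));
    return 0;
}
```

The timeout-and-kill path is what keeps a stalled child from lingering and holding a connection slot, which is the resource exhaustion the report describes.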
Comment 1 Marius Mauch (RETIRED) gentoo-dev 2003-09-29 11:57:09 UTC
Mandrake has updated packages with the mod_cgi from apache-2.1 cvs:
Comment 2 Donny Davies (RETIRED) gentoo-dev 2003-09-29 15:26:06 UTC

author of the mod_cgi.c mandrake included in their SRPM
notes a problem with it, and says it will be developed a bit further. 

There is another workaround however offered by hmm.
Comment 3 solar (RETIRED) gentoo-dev 2003-10-15 16:13:36 UTC
looks like no progress is being made upstream on this bug yet..

Comment 4 Donny Davies (RETIRED) gentoo-dev 2003-10-27 15:01:14 UTC
Mandrake Update:

 The previous update introduced an experimental mod_cgi.c that while
 fixing the deadlock did not do so in a correct manner and it likewise
 introduced new problems with other scripts.

 These packages roll back to the original mod_cgi.c until such a time as
 the apache team have a proper fix in place.  Both Mandrake Linux 9.1
 and 9.2 are affected with this problem.

I knew they were going to regret going with that fix they did :-)
Comment 5 solar (RETIRED) gentoo-dev 2003-10-29 10:12:51 UTC
Comment 6 Donny Davies (RETIRED) gentoo-dev 2003-10-30 09:49:54 UTC
I think this was addressed in 2.0.48.

Anybody can confirm/deny?
Comment 7 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-10-31 01:09:26 UTC
the apache folks still have their bug open. so i do not believe that it is
addressed in 2.0.48.

still waiting on upstream...
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-04-01 07:41:06 UTC
Status update :

No fix in 2.0.49, and apparently this is not top priority in Apache bugzilla. They appear to consider it more a bug than a security problem. Note that to trigger the DoS you need to install a nasty CGI on the server, this cannot be remote-triggered. Downgrading to normal prio.

Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-19 07:43:56 UTC
Status update :

A patch has been posted on Apache bugzilla entry. We should wait for the patch to be included in CVS, and then probably wait for it to be included in an official release, since this is not a serious vuln.

Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 06:14:26 UTC
Created attachment 30926
Diff for mod_cgi.c

Status update : the patch committed to HEAD
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-05-07 06:16:50 UTC
We can apply the patch to 2.0.49 or wait for a release that would include this patch. Given the low vuln level, I would say wait for a release.

Patch pointers :

apache herd : your opinion about this ?
Comment 12 Chuck Short (RETIRED) gentoo-dev 2004-05-07 06:23:11 UTC
My opinion is better to be safer than sorry.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-05-15 11:19:39 UTC
zul : can we have a patch for 2.0.49 then ?
Thanks in advance :)
Comment 14 Chuck Short (RETIRED) gentoo-dev 2004-05-16 07:04:44 UTC
Oh I guess so. Added patch.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 06:33:17 UTC
Thanks zul !
Ready for a GLSA decision...
s390 : please mark 2.0.49-r1 stable if you want to benefit from this GLSA.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 07:50:50 UTC
Closed without GLSA : it's more a bug than a security issue.