Bug#1021771: apache2: Accessing to type-map without .var suffix results 500 and apache2 exits

2022-10-14 Thread Shintaro Sakahara
Package: apache2
Version: 2.4.54-1~deb11u1
Severity: important

Dear Maintainer,

I recently upgraded my server from Debian 10 to 11 and encountered a problem
where apache2 responded with 500 Internal Server Error and then the process
exited when a URL to a type-map, which referenced a CGI script as actual
content, was accessed without the ".var" suffix.

I created a small example using Docker and put it on GitHub so that everyone
could easily reproduce this problem.

https://github.com/skhrshin/apache2-crash-example

* Steps to reproduce *

1. Clone the repo into somewhere
2. Run `docker-compose build`
3. Run `docker-compose up`
4. Access http://localhost:8081/board.cgi with your web browser

* Expected behavior *

A string "OK" is displayed.

* Actual behavior *

Your web browser gets 500 Internal Server Error.
Also, in a few seconds, the apache2 process is terminated.

I'm not sure if the problem is caused solely by the apache2 package or by some
other dependencies like apache2-suexec-pristine or libapache2-mpm-itk, but
I don't know how to find out. So I asked about this issue on the Debian-user ML
to see if there was something I could do, but I got no answer, so now I'm
reporting it here. Please tell me if something is insufficient and whether
there's a way to investigate it more.


-- Package-specific info:

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-18-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin          2.4.54-1~deb11u1
ii  apache2-data         2.4.54-1~deb11u1
ii  apache2-utils        2.4.54-1~deb11u1
ii  dpkg                 1.20.12
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  mime-support         3.66
ii  perl                 5.32.1-4+deb11u2
ii  procps               2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
pn  apache2-doc  
ii  apache2-suexec-pristine  2.4.54-1~deb11u1
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.7.0-6+deb11u1
ii  libaprutil1              1.6.1-5
ii  libaprutil1-dbd-sqlite3  1.6.1-5
ii  libaprutil1-ldap         1.6.1-5
ii  libbrotli1               1.0.9-2+b2
ii  libc6                    2.31-13+deb11u4
ii  libcrypt1                1:4.4.18-4
ii  libcurl4                 7.74.0-1.3+deb11u3
ii  libjansson4              2.13.1-1.1
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  liblua5.3-0              5.3.3-1.1+b1
ii  libnghttp2-14            1.43.0-1
ii  libpcre3                 2:8.39-13
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libxml2                  2.9.10+dfsg-6.7+deb11u2
ii  perl                     5.32.1-4+deb11u2
ii  zlib1g                   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
pn  apache2-doc  
ii  apache2-suexec-pristine  2.4.54-1~deb11u1
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2 is related to:
ii  apache2  2.4.54-1~deb11u1
ii  apache2-bin  2.4.54-1~deb11u1

-- Configuration Files:
/etc/apache2/conf-available/other-vhosts-access-log.conf changed [not included]
/etc/apache2/ports.conf changed [not included]

-- no debconf information



2022-10-14 Thread Ondřej Surý
> On 14. 10. 2022, at 13:13, Shintaro Sakahara wrote:
>
> I created a small example using Docker and put it on GitHub so that everyone
> could easily reproduce this problem.

Hi,

could you please actually describe the problem in the bug report?  While having
a reproducer is certainly nice, it's not enough to see what might be the
problem. And you can't expect other people to debug the Docker containers.

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org



2022-10-14 Thread Shintaro Sakahara
OK, here is the detailed version of the steps to reproduce:

1. Install the apache2, apache2-suexec-pristine and libapache2-mpm-itk packages.
2. Disable mpm_event and enable the cgid, mpm_prefork and suexec modules.
3. Configure two sites on Apache2.
3-1. For the first one, enable SuexecUserGroup. (000-default in the example)
3-2. For the second one, enable AssignUserID. (001-userid in the example)
4. Enable type-map and CGI on the first site.
5. Place a type-map file whose filename ends with .cgi.var on the first
site. (board.cgi.var in the example)
6. In the type-map file, specify valid URIs to CGI scripts. Also specify
"Content-Type: application/x-httpd-cgi".
7. Using a web browser, access the path to the type-map file on the
first site, without the .var suffix.
8. You'll see 500 Internal Server Error. Also, apache2 is terminated in
a few seconds.

The problems you can confirm in the above steps are two:
 - The server responds 500 instead of running CGI correctly.
   When you access the path to the type-map file *with* the .var suffix,
   CGI is executed correctly.
 - The apache2 process is terminated.
   This has to be more severe than just returning 500.
   This problem doesn't occur if the second site doesn't exist.

In error.log, you'll see errors like below:
[Thu Sep 29 18:32:42.176871 2022] [cgid:error] [pid 209665] (104)Connection reset by peer: AH01248: Error reading request on cgid socket
[Thu Sep 29 18:32:42.177025 2022] [cgid:error] [pid 209704] [client xxx.xxx.xxx.xxx:53380] End of script output before headers: board.cgi
[Thu Sep 29 18:32:43.161802 2022] [cgid:error] [pid 209664] AH01239: cgid daemon process died, restarting
[Thu Sep 29 18:32:44.170387 2022] [mpm_prefork:emerg] [pid 209706] (22)Invalid argument: AH00144: couldn't grab the accept mutex
[Thu Sep 29 18:32:45.170296 2022] [core:alert] [pid 209664] AH00050: Child 209706 returned a Fatal error... Apache is exiting!
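
The error.log excerpt above ends in a recognisable sequence (AH01239, then AH00144, then AH00050) that can be watched for in monitoring. The following is an added example, not part of the original thread or of Apache: a Python scanner that flags that sequence. The function names and the 10-second window are assumptions of this example, and the sample input is the excerpt above with its wrapped lines rejoined.

```python
import re
from datetime import datetime, timedelta

# Sample input: the five error.log lines quoted in the report, with the
# mail client's line wraps rejoined.
SAMPLE_LOG = """\
[Thu Sep 29 18:32:42.176871 2022] [cgid:error] [pid 209665] (104)Connection reset by peer: AH01248: Error reading request on cgid socket
[Thu Sep 29 18:32:42.177025 2022] [cgid:error] [pid 209704] [client xxx.xxx.xxx.xxx:53380] End of script output before headers: board.cgi
[Thu Sep 29 18:32:43.161802 2022] [cgid:error] [pid 209664] AH01239: cgid daemon process died, restarting
[Thu Sep 29 18:32:44.170387 2022] [mpm_prefork:emerg] [pid 209706] (22)Invalid argument: AH00144: couldn't grab the accept mutex
[Thu Sep 29 18:32:45.170296 2022] [core:alert] [pid 209664] AH00050: Child 209706 returned a Fatal error... Apache is exiting!
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[\w.-]+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?P<msg>.*)$")
CODE_RE = re.compile(r"\bAH\d{5}\b")
# cgid daemon died -> child cannot grab accept mutex -> parent exits
CHAIN = ("AH01239", "AH00144", "AH00050")

def parse_line(line):
    """Split one error.log line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = CODE_RE.search(m["msg"])
    return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
            "module": m["module"], "level": m["level"], "pid": int(m["pid"]),
            "code": code.group(0) if code else None, "msg": m["msg"]}

def find_crash_chains(log_text, window=timedelta(seconds=10)):
    """Return one dict per CHAIN sequence completed, in order, within window."""
    incidents, chain = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["code"] not in CHAIN:
            continue  # request-level errors and unrelated lines
        if ev["code"] == CHAIN[0]:
            chain = [ev]  # every cgid death starts a fresh candidate
        elif (chain and ev["code"] == CHAIN[len(chain)]
              and ev["ts"] - chain[0]["ts"] <= window):
            chain.append(ev)
            if len(chain) == len(CHAIN):
                incidents.append({
                    "start": chain[0]["ts"], "parent_pid": ev["pid"],
                    "failed_child_pid": chain[1]["pid"],
                    "seconds": (ev["ts"] - chain[0]["ts"]).total_seconds()})
                chain = []
        else:
            chain = []  # out of order or too late: discard the candidate
    return incidents
```

A lone AH01239 (cgid restarting on its own) is not reported; only the full sequence ending in "Apache is exiting!" is.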