From nobody@hyperreal.com Tue Apr 22 06:46:45 1997 Received: (from nobody@localhost) by hyperreal.com (8.8.4/8.8.4) id GAA24759; Tue, 22 Apr 1997 06:46:45 -0700 (PDT) Message-Id: <199704221346.GAA24759@hyperreal.com> Date: Tue, 22 Apr 1997 06:46:45 -0700 (PDT) From: Gregory Neil Shapiro Reply-To: gshapiro@wpi.edu To: apbugs@hyperreal.com Subject: Segmentation fault in util_script.c:call_exe() X-Send-Pr-Version: 3.2 >Number: 453 >Category: suexec >Synopsis: Segmentation fault in util_script.c:call_exe() >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Apr 22 06:50:00 1997 >Last-Modified: Thu Apr 24 16:40:14 PDT 1997 >Originator: gshapiro@wpi.edu >Organization: >Release: 1.2B8 >Environment: Digital UNIX 4.0B using stock C compiler, but OS version doesn't matter for this bug. >Description: I reporting this problem two weeks ago via apache-bugs@apache.org and never heard back and it doesn't appear in the bugs database. I'm resubmitting it with the form to be sure it wasn't lost since I doubt 1.2 should be released with a segmentation fault problem. call_exe() grabs the group for passing to suexec with: gr = getgrgid (pw->pw_gid); And then uses gr->gr_name without ever checking to make sure gr isn't NULL. At our site (any many other sites I have seen), users have a unique GID as well as a unique UID and therefore there isn't a /etc/group entry for pw->pw_gid. This causes a segmentation fault and core dump on every CGI call. Additionaly, for sites like mine, call_exe() should pass suexec a group number instead of name if a group name doesn't exist. suexec should accept a group number instead of name as an argument. The patches in the "Do you have any suggested way to fix it?" section include a fix for the segmentation fault as well as the fix for using the gid of the group doesn't have a name. >How-To-Repeat: Create a password entry with a pw->pw_gid that doesn't exist in /etc/group. >Fix: These patches fix the problems outlined above. They are gziped and uuencoded to protect spacing, etc, which would be lost by a cut and paste into the web form. begin 644 cgifix.gz M'XL("+C`7#,``V-G:69I>`#-5EN/FS@4?DY^QU MI$4L4DXK^2+]RCC-1^]J`J\3#OX*O"`*%M%L"?YZO1Q/I]-SF]&[?0V_5JCN MP!Z.@;]2QDG<49YG+)R1W-PU/_& MO!22UZF$*A'BF(%3'4]>Y)S5%3@YWXPO&[0]NH+[JDQN2*OG+BO">E@N_:+M&S5;0WW0Y#'TW#)>-RP"C$2>RYJ72'RD2 MMX9,^\.#:DYANH799CP9O,HYLD5J.<]I!E9U1$['&-?VY@2$?")I+0C7WND( MV!BSHF`I:$\8*URP!/V;L%V+HP)DPR7X]O?@*@QTFL@>S,77"Q=Z&"Z\>?_J MU0#C5NCGR MRGG%$5ZD]E=*)!-0:RW[Z__O/X] M_NV/-R[TURU9MQ\@%Q*>'[R&&^J4AZ85]2DJME@KEC5!`]03-GSY`MWN@_=7 M(Z!E9AF9^WS[W(:76_#L_YC7Y[;NE?UA`-_66VSH!U8-@; MCJTSY^JN4R<:-J.VY4R#+I=NN/;ZP_BI\U;]A#E[(*>GRU?UR%RI'A-U53$N MKT2MD-N[^S4K]64,>&7/HV`5S=>]N_O$9'!U^U&XBH+P_JM[M@[_WF_JJ MZVX'KCEG'%@MU6R6>P(2G2+MA:P'&Q5`RT-2T.Q%9W=E!OO)0$=]JP&(XMNF-V.NZ^"OE=ODP-1 MWF#Z=^A>@=GE..?+%+TIJ=2G"3C2HH`]$UK5?(GT/&P6-9+"E*=EH:OA1ZM' M'?S("FH&05=%$]6?^#C/)@H?GJ!;\]5J!LYE"YA(1JT3$I?W`9_I_5\%_O!" -_I?E^0^Z+]B&Q@P``#C/ ` end %0 >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: coar@decus.org State-Changed-When: Thu Apr 24 10:27:16 PDT 1997 State-Changed-Why: We are investigating how to best address this. Thank you for the report. Category-Changed-From-To: mod_cgi-suexec Category-Changed-By: coar@decus.org Category-Changed-When: Thu Apr 24 10:27:16 PDT 1997 State-Changed-From-To: analyzed-closed State-Changed-By: dgaudet State-Changed-When: Thu Apr 24 16:40:14 PDT 1997 State-Changed-Why: Your fix has been included in 1.2b9 which will be available shortly. Thanks! Dean >Unformatted: