Package: libapache2-mod-suphp
Version: 0.6.1.20061108-1

Whenever suphp refuses to run a script for any reason (e.g. UID/GID out of configured allowable range, wrong permissions, etc.), it causes the following error messages to appear in the Apache error log:

---SNIP---
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:193: Script "/var/www/index.cgi" resolving to "/var/www/index.cgi" not within configured docroot
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:291: UID of script "/var/www/index.cgi" is smaller than min_uid
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:472: Could not execute script "/var/www/index.cgi"
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] Caused by SystemException in API_Linux.cpp:427: execve() for program "/var/www/index.cgi" failed: Permission denied
[Mon Nov 27 17:57:18 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
---SNIP---

As you can see, the above are three distinct examples:

1. [Mon Nov 27 17:56:12 2006] was caused by the target script being outside of the allowable suphp docroot.
2. [Mon Nov 27 17:56:41 2006] was caused by wrong ownership: owner UID of the target script file was less than the allowable UID.
3. [Mon Nov 27 17:57:18 2006] was caused by wrong permissions (the www-data user/group has no read access to the script in question).

In all three cases, the last error message seen was always "*** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***" which is a bit unnerving.
I am not sure if this problem is potentially exploitable.

Note that this seems to be a known issue with suphp, and the latest release (0.6.2) seems to have addressed the issue according to the suphp homepage: http://www.suphp.org/

Therefore the suggested resolution would be to simply package the latest version of this software.

This bug was originally reported by me for Ubuntu here: https://launchpad.net/distros/ubuntu/+source/suphp/+bug/73556

-- 
Rouben Tchakhmakhtchian
High Performance Computing System Administrator
Information & Instructional Technology Services
University of Toronto at Scarborough
-----------------------------------------------
E-mail: [EMAIL PROTECTED]
Phone: 416-208-4732
Fax: 416-287-7507
GnuPG Key: http://preview.tinyurl.com/roce2
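
An added example, not part of the original report: a Python triage function that pairs each suPHP refusal in an Apache error log with any glibc abort logged for the same client and second, so refusals that ended in heap corruption can be counted. The first six sample lines are copied from the log excerpt above; the last is a constructed control line, and grouping by (timestamp, client) is an assumption of this example.

```python
import re

# First six lines: copied from the report above.
# Last line: constructed control entry that must not be reported.
SAMPLE = """\
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:193: Script "/var/www/index.cgi" resolving to "/var/www/index.cgi" not within configured docroot
[Mon Nov 27 17:56:12 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f990 ***
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] Premature end of script headers: index.cgi
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] SoftException in Application.cpp:291: UID of script "/var/www/index.cgi" is smaller than min_uid
[Mon Nov 27 17:56:41 2006] [error] [client 142.150.160.59] *** glibc detected *** double free or corruption (fasttop): 0x0806f9f8 ***
[Mon Nov 27 17:57:30 2006] [error] [client 192.0.2.7] File does not exist: /var/www/favicon.ico
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$')
SOFT = re.compile(r'SoftException in (?P<where>\S+:\d+): (?P<reason>.*)')
GLIBC = re.compile(r'\*\*\* glibc detected \*\*\* (?P<kind>.+?): (?P<addr>0x[0-9a-fA-F]+) \*\*\*')

def triage(log_text):
    """Return one record per (timestamp, client) that logged a suPHP
    SoftException and/or a glibc heap-corruption abort."""
    # Assumption: one request per client per second; busier logs need a PID or request id.
    events = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = events.setdefault((m['ts'], m['client']), {'where': None, 'reason': None, 'glibc': None})
        soft = SOFT.search(m['msg'])
        glibc = GLIBC.search(m['msg'])
        if soft and ev['where'] is None:
            ev['where'], ev['reason'] = soft['where'], soft['reason']
        if glibc:
            ev['glibc'] = (glibc['kind'], glibc['addr'])
    return [dict(ts=ts, client=c, **v) for (ts, c), v in events.items() if v['where'] or v['glibc']]

if __name__ == '__main__':
    for e in triage(SAMPLE):
        flag = 'HEAP CORRUPTION' if e['glibc'] else 'clean exit'
        print(e['ts'], e['client'], e['where'], flag, '-', e['reason'])
```

A record with a `where` but no `glibc` entry is a refusal that exited cleanly, which is what the log should show once the fixed release is installed.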