-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Package: libapache2-mod-shib
Version: 1.3f.dfsg1-2
Severity: grave
Tags: security
Tags: etch
X-Debbugs-CC: [EMAIL PROTECTED]
X-Debbugs-CC: [EMAIL PROTECTED]

After a high number of requests to a shibboleth protected URL, the shibd process dies. It is irrelevant if the requests are made over a long or short period of time. However, the misbehaviour was reproduced using JMeter load tests with a few hundred requests using up to 20 parallel requests. The misbehaviour could also be forced by using "ab", the Apache HTTP server benchmarking tool.

After shibd dies, users can no longer access shibboleth protected content on the Apache httpd. Therefore, the package libapache2-mod-shib has to be regarded as being vulnerable to denial of service attacks.

A core dump of the shibd process:

- ----
#0 0xb7fcb410 in ?? ()
#1 0xb244973c in ?? ()
#2 0x00000006 in ?? ()
#3 0x0000079a in ?? ()
#4 0xb75c2811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb75c3fb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0xb75f7d3a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#7 0xb75ff5cf in mallopt () from /lib/tls/i686/cmov/libc.so.6
#8 0xb75ff672 in free () from /lib/tls/i686/cmov/libc.so.6
#9 0xb77bc3b1 in operator delete () from /usr/lib/libstdc++.so.6
#10 0xb7798ebd in std::string::_Rep::_M_destroy () from /usr/lib/libstdc++.so.6
#11 0xb7f0443d in log4cpp::NDC::_pop () from /usr/lib/liblog4cpp.so.4
#12 0xb7f0393b in log4cpp::NDC::pop () from /usr/lib/liblog4cpp.so.4
#13 0xb7e5da42 in saml::NDC::~NDC () from /usr/lib/libsaml.so.5
#14 0x0805133c in xercesc_2_7::XMLDeleter::~XMLDeleter ()
#15 0x08052961 in shibboleth::InvalidSessionException::~InvalidSessionException ()
#16 0xb768b380 in svc_getreq_common () from /lib/tls/i686/cmov/libc.so.6
#17 0xb768acdf in svc_getreqset () from /lib/tls/i686/cmov/libc.so.6
#18 0x0804e105 in xercesc_2_7::XMLDeleter::~XMLDeleter ()
#19 0x0804e3e1 in xercesc_2_7::XMLDeleter::~XMLDeleter ()
#20 0xb76d0240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#21 0xb76653de in clone () from /lib/tls/i686/cmov/libc.so.6
- ----

The Shibboleth Service Provider source code is available at http://shibboleth.internet2.edu/downloads/ . Binary packages available from the same source do not show this behaviour because they are compiled with patched versions of the log4cpp and xerces-c libraries. In other words, this bug is specific to the Debian GNU/Linux distribution. This is due to the fact that the package libapache2-mod-shib uses the log4cpp and xerces-c libraries within the Debian distribution. liblog4cpp4 is not thread-safe and libxerces27 handles memory allocation wrongly at least when used with shibd.

Details about the system where the tests were made:

Linux debian 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux
Shared C library version: 2.3.6.ds1-13

Best regards,
Patrik Schnellmann

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFGp13t5a+rANulz7oRA3TyAJ9OWypBBb0bJJGJ2DY3YuybPQiPggCgov4X
hyYopkQH/yF1nEgc/nDy7Gk=
=IUG8
-----END PGP SIGNATURE-----
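
Added example (not part of the original report, and not Shibboleth or Debian code): a small Python triage helper that parses gdb-style frames such as those in the core dump above and reports the first frame outside the C/C++ runtime that led into free() before abort(). The names parse_frames and triage and the RUNTIME_LIBS list are assumptions of this example, and abort() reached from free() is used only as a heuristic sign of heap corruption.

```python
import re

# Frames #4-#14 copied from the core dump quoted in the report.
BACKTRACE = """\
#4 0xb75c2811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb75c3fb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0xb75f7d3a in __fsetlocking () from /lib/tls/i686/cmov/libc.so.6
#7 0xb75ff5cf in mallopt () from /lib/tls/i686/cmov/libc.so.6
#8 0xb75ff672 in free () from /lib/tls/i686/cmov/libc.so.6
#9 0xb77bc3b1 in operator delete () from /usr/lib/libstdc++.so.6
#10 0xb7798ebd in std::string::_Rep::_M_destroy () from /usr/lib/libstdc++.so.6
#11 0xb7f0443d in log4cpp::NDC::_pop () from /usr/lib/liblog4cpp.so.4
#12 0xb7f0393b in log4cpp::NDC::pop () from /usr/lib/liblog4cpp.so.4
#13 0xb7e5da42 in saml::NDC::~NDC () from /usr/lib/libsaml.so.5
#14 0x0805133c in xercesc_2_7::XMLDeleter::~XMLDeleter ()
"""

FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+) in (.+?) \(\)(?: from (\S+))?")
# Assumption of this example: libraries treated as runtime, not as the culprit.
RUNTIME_LIBS = ("libc.so", "libstdc++.so", "libpthread.so")

def parse_frames(text):
    """Return frames in gdb order (index 0 = innermost frame seen)."""
    return [{"n": int(m.group(1)), "addr": int(m.group(2), 16),
             "func": m.group(3), "lib": m.group(4)}
            for m in FRAME_RE.finditer(text)]

def triage(frames):
    """Flag abort() called from inside free() and name the non-runtime caller."""
    names = [f["func"] for f in frames]
    result = {"heap_abort": False, "caller": None}
    if "abort" not in names or "free" not in names:
        return result
    free_idx = names.index("free")
    if names.index("abort") > free_idx:   # abort must be inner to free
        return result
    result["heap_abort"] = True
    for f in frames[free_idx + 1:]:       # walk outward from free()
        if f["lib"] and not any(r in f["lib"] for r in RUNTIME_LIBS):
            result["caller"] = f
            break
    return result

if __name__ == "__main__":
    r = triage(parse_frames(BACKTRACE))
    c = r["caller"]
    print("heap abort:", r["heap_abort"])
    print("first non-runtime caller: #%d %s (%s)" % (c["n"], c["func"], c["lib"]))
```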