Bug 235296 - www/nginx: spnego-http-auth-nginx-module crashes worker process due to read-after-free
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jochen Neumeister
Reported: 2019-01-29 14:01 UTC by topical
Modified: 2019-11-26 16:34 UTC
bugzilla: maintainer-feedback? (joneum)


Attachments
Patch to remove obsolete (broken) putenv() code. (1.18 KB, patch)
2019-01-29 14:04 UTC, topical
Description topical 2019-01-29 14:01:26 UTC
The current version uses putenv() to pass the name of the keytab to GSS.

Incorrectly, it assumes that putenv() creates a copy of the passed string. This leads to corruption of environment variables and eventually to a core dump. Usually, this happens unnoticed due to the auto-recovery feature of the nginx worker process.

Actually, putenv isn't really needed anymore and the affected code can be removed safely.
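
The putenv() behaviour described in the report above, shown as an added example that is not part of the original report or the module's code. The variable names, paths and the static buffer standing in for memory the module later frees are assumptions; setenv() appears only as the copying counterpart, while the attached patch removes the putenv() call instead.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variable names and paths are constructed for this example. */
#define VAR_PUT "EXAMPLE_KEYTAB_PUT"
#define VAR_SET "EXAMPLE_KEYTAB_SET"

/* A static buffer stands in for module memory that is later freed or reused,
 * so the demonstration itself never touches freed memory. */
static char scratch[64];

/* putenv() stores the caller's pointer: the value getenv() returns lives
 * inside scratch. Returns 1 when that aliasing is observed. */
int putenv_aliases_caller_buffer(void)
{
    snprintf(scratch, sizeof scratch, VAR_PUT "=%s", "/etc/a.keytab");
    if (putenv(scratch) != 0)
        return -1;
    return getenv(VAR_PUT) == scratch + strlen(VAR_PUT) + 1;
}

/* Reusing the buffer rewrites the environment behind libc's back.
 * Returns 1 when getenv() reports the overwritten value. */
int putenv_follows_buffer_reuse(void)
{
    if (putenv_aliases_caller_buffer() != 1)
        return -1;
    snprintf(scratch, sizeof scratch, VAR_PUT "=%s", "reused-by-other-code");
    return strcmp(getenv(VAR_PUT), "reused-by-other-code") == 0;
}

/* setenv() copies name and value, so the caller may reuse its buffer.
 * Returns 1 when the original value survives the reuse. */
int setenv_survives_buffer_reuse(void)
{
    char tmp[64];
    snprintf(tmp, sizeof tmp, "%s", "/etc/a.keytab");
    if (setenv(VAR_SET, tmp, 1) != 0)
        return -1;
    memset(tmp, 'X', sizeof tmp - 1);   /* simulate reuse of the buffer */
    const char *v = getenv(VAR_SET);
    return v != NULL && strcmp(v, "/etc/a.keytab") == 0;
}

int main(void)
{
    printf("putenv aliases buffer: %d\n", putenv_aliases_caller_buffer());
    printf("putenv follows reuse:  %d\n", putenv_follows_buffer_reuse());
    printf("setenv survives reuse: %d\n", setenv_survives_buffer_reuse());
    return 0;
}
```

When the buffer passed to putenv() is actually freed rather than merely overwritten, the environment entry becomes a dangling pointer, which is the read-after-free named in the bug title.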
Comment 1 topical 2019-01-29 14:04:01 UTC
Created attachment 201506
Patch to remove obsolete (broken) putenv() code.

Need to add the following files to "Makefile.extmod" to activate patch:

HTTP_AUTH_KRB5_EXTRA_PATCHES=   ${PATCHDIR}/extra-patch-spnego-http-auth-nginx-module-config \
                                ${PATCHDIR}/extra-patch-spnego-http-auth-nginx-no-putenv
Comment 2 topical 2019-02-26 16:35:51 UTC
Is there anything else needed to apply the patch to the ports tree?
Comment 3 topical 2019-07-22 11:26:54 UTC
Hi there!

When I updated to the new quarterly ports release, I still had to see that the putenv() bug is still in there.

Is there anyone who can finally please apply the patch? This would be great.
Comment 4 commit-hook freebsd_committer 2019-11-16 19:36:39 UTC
A commit references this bug:

Author: osa
Date: Sat Nov 16 19:36:15 UTC 2019
New revision: 517770
URL: https://svnweb.freebsd.org/changeset/ports/517770

Log:
  When nginx is compiled with the third-party spnego module, a worker
  process may crash due to a read-after-free operation.  This third-party
  module update fixes the issue.

  Bump PORTREVISION.

  PR:	235296

Changes:
  head/www/nginx-devel/Makefile
  head/www/nginx-devel/Makefile.extmod
  head/www/nginx-devel/distinfo
Comment 5 Sergey A. Osokin freebsd_committer 2019-11-16 19:40:20 UTC
Hi there,

thanks for the report and the patch.

I've found the patch has been committed to the upstream as https://github.com/stnoonan/spnego-http-auth-nginx-module/commit/21bb963666480ca87e8051459bcd7cd35cc46df4, so I've just updated the third-party module version to 21bb963 for www/nginx-devel port.


I believe Jochen will commit the update soon.

Thanks.
Comment 6 topical 2019-11-18 12:30:57 UTC
Great! Thanks a lot
Comment 7 commit-hook freebsd_committer 2019-11-26 16:33:25 UTC
A commit references this bug:

Author: joneum
Date: Tue Nov 26 16:32:39 UTC 2019
New revision: 518471
URL: https://svnweb.freebsd.org/changeset/ports/518471

Log:
  When nginx is compiled with the third-party spnego module, a worker
  process may crash due to a read-after-free operation.  This third-party
  module update fixes the issue.

  PR:	235296
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/nginx/Makefile
  head/www/nginx/Makefile.extmod
  head/www/nginx/distinfo