Re: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released
From: Christian F. <chr...@ti...> - 2014-11-19 14:22:05
Thanks for the release candidate.

It has built successfully on ubuntu 04.14 on apache 2.4.10 and I can confirm that the fix for the bug in the 2.8.0 ipMatch directive works fine.

However, I encountered a segfault during init when using the new remote URI feature in ipMatchFromFile. Fetching the files works fine, but enabling the ssl engine _afterwards_ in a VH leads to the segfault:

gdb output:

    ssl_init_ctx_protocol (s=0x75efd8, p=0x6a7138, ptemp=0x6d6368, mctx=0x7243b0) at ssl_engine_init.c:481
    481         ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
    (gdb) n
    484         if (protocol == SSL_PROTOCOL_SSLV3) {
    (gdb) n
    489         else if (protocol == SSL_PROTOCOL_TLSV1) {
    (gdb) n
    495         else if (protocol == SSL_PROTOCOL_TLSV1_1) {
    (gdb) n
    500         else if (protocol == SSL_PROTOCOL_TLSV1_2) {
    (gdb) n
    507             method = mctx->pkp ?
    (gdb) n
    508                 SSLv23_client_method() : /* proxy */
    (gdb) n
    507             method = mctx->pkp ?
    (gdb) n
    511         ctx = SSL_CTX_new(method);
    (gdb) n
    513         mctx->ssl_ctx = ctx;
    (gdb) n
    515         SSL_CTX_set_options(ctx, SSL_OP_ALL);
    (gdb) s

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff5641adb in SSL_CTX_ctrl () from /lib/x86_64-linux-gnu/libssl.so.1.0.0

Apache Compilation:

    $> CFLAGS="-Og -g -ggdb3"; export CFLAGS
    $> ./configure --prefix=/apache --with-included-apr --enable-modules=most --enable-mods-shared=all --enable-mime-magic --enable-unique-id --enable-logio --enable-ssl --enable-proxy --enable-proxy-http --enable-deflate --enable-mpms-shared=event worker prefork --enable-nonportable-atomics=yes

ModSec Compilation:

    $> CFLAGS="-Og -g -ggdb3"; export CFLAGS
    $> ./configure --with-apxs=/apache/bin/apxs --with-apu=/apache/bin/apu-1-config --with-apr=/apache/bin/apr-1-config --with-pcre=/usr/bin/pcre-config

Minimal apache configuration producing the error:

    ServerName              localhost
    ServerAdmin             root@localhost
    ServerRoot              /apache
    PidFile                 /tmp/httpd.pid
    Listen                  127.0.0.1:443

    LoadModule              mpm_event_module        modules/mod_mpm_event.so
    LoadModule              unixd_module            modules/mod_unixd.so
    LoadModule              ssl_module              modules/mod_ssl.so
    LoadModule              unique_id_module        modules/mod_unique_id.so
    LoadModule              security2_module        modules/mod_security2.so

    SecRule REMOTE_ADDR "@ipMatchFromFile https://blacklistserver.example.com/ip-blacklist.txt" "id:10500,pass"

    <VirtualHost *:443>
        ServerName localhost
        SSLEngine On
    </VirtualHost>

Unfortunately, I have not compiled /lib/x86_64-linux-gnu/libssl.so.1.0.0 myself, so I guess that's why I can not dig into that library with gdb.

I have a core-file if that is needed.

Best,

Christian Folini