Modification of Apache Scoreboard data, shared by root (uid=0) and www-data process, allows triggering of invalid free in root process during apache shutdown, exploitation seems impossible except for really broken chroot configs.
c4fca211361fbba0c2cbccb0c6f798909ec36dbe33e746db01cba353100298ff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello List,
Modification of apache scoreboard data, shared by root (uid=0) and
www-data process, allows triggering of invalid free in root process
during apache shutdown, exploitation seems impossible except for really
broken chroot configs.
The free is triggered by setting the scoreboard type from
shared-mem-type to malloc-type. This is possible because the
scoreboard type setting is also stored in shared memory and hence
changeable by lower-privileged worker process.
See
http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/
- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8Ow4EACgkQxFmThv7tq+7NHgCeJ3AUOs4UHZMfQDm5C61NwEek
szkAoIy/vgYHRBgHQPygbGK6De+Yjxi0
=CYqA
-----END PGP SIGNATURE-----