Issue 1030658 in chromium: Chromium: Vulnerability reported in apache-win32

[metzman via monorail]

Updates:
Cc: blink...@chromium.org robe...@chromium.org l...@chromium.org
Components: Blink>Infra
Labels: -Restrict-View-SecurityTeam OS-Windows Type-Bug

Comment #1 on issue 1030658 by met...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c1

Since this is not shipped (and the CVEs for this are already public) I'm removing restrict-view-security
robertma@ or lpz@ would one of you be the right person to own this?

--
You received this message because:
1. You were specifically CC'd on the issue

You may adjust your notification preferences at:
https://bugs.chromium.org/hosting/settings

Reply to this email to add a comment or make updates.

[lpz via monorail]

Updates:
Cc: qyea...@chromium.org davi...@chromium.org

Comment #3 on issue 1030658 by l...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c3

It looks like qyearsley@ and davidben@ dealt with that last issue like this. Quinten/David: are you still the right folks to look into this?

[davidben via monorail]

Comment #4 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c4

Probably due for an update anyway, but that directory has Apache 2.4.37, not 2.2.25, and has been since December 2018.
https://chromium.googlesource.com/chromium/src/+/7b0154c4c82add5bb4e36f3f313dc0cb5e6cf34d%5E%21/#F11

Is vomit watching the wrong repository?

[swarnasree.mukkala via monorail]

Updates:
Cc: swarnasre...@chromium.org
Labels: TE-NeedsTriageHelp Triaged-ET

Comment #5 on issue 1030658 by swarnasre...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c5

The issue seems to be related to Infra related which is out of scope for TE to triage hence adding "TE-NeedsTriageHelp" to push the issue out of TE's bucket.

Thanks.!

[ajha via monorail]

Comment #6 on issue 1030658 by aj...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c6

Setting status to Untriaged to get an update and further action on this, from the respective team.

[davidben via monorail]

Comment #7 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c7

This needs an update from the Vomit team. Vomit appears to be watching the wrong repository, as the version of Apache it detected was wrong.

[ji via monorail]

Updates:
Labels: Needs-Feedback

Comment #9 on issue 1030658 by j...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c9

(No comment was entered for this change.)

[davidben via monorail]

Updates:
Cc: adet...@chromium.org

Comment #10 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c10

+adetaylor, do you know what's going on with Vomit here? (Comment #4 and comment #6.)

[adetaylor via monorail]

Comment #11 on issue 1030658 by adet...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c11

Yes. This is fixed. Vomit was looking at a version of our code from literally years ago. It's now looking at our current repos (though it's not yet smart enough to understand DEPS files) and it correctly understands we have Apache 2.4.37. https://vomit.googleplex.com/thirdpartyentry?repository=chromium&name=third_party%2fapache-win32

That said, there are various vulnerabilities known in 2.4.37: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3aapache%3ahttp_server%3a2.4.37
I don't know if any of them apply to our limited use of Apache code, but it feels like this might be wise to update anyway?

[davidben via monorail]

Comment #12 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c12

This is just a test server, so we don't particularly care about it, but yeah it's probably worth another round of updating. blink-infra?

[ji via monorail]

Updates:
Components: -Blink>Infra Infra>Client>Infra
Labels: -Needs-Feedback

Comment #13 on issue 1030658 by j...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c13

this sounds like an overall infra related

[davidben via monorail]

Comment #14 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c14

third_party/apache-win32 is currently marked as owned by Blink>Infra and blink...@chromium.org. Should that change?
https://source.chromium.org/chromium/chromium/src/+/master:third_party/apache-win32/OWNERS

[davidben via monorail]

Comment #15 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c15

I believe it's also only used by Blink tests. It's the runner for the old PHP, etc., LayoutTests. (Not sure what they're called now.) There are some instructions in README.chromium for updating it.

[ji via monorail]

Updates:
Components: Blink>Infra
Status: Available

Comment #16 on issue 1030658 by j...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c16

ok, thanks for the info.

[weizhong via monorail]

Comment #18 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c18

third_party/apache-win32/README.chromium

[weizhong via monorail]

Updates:
Labels: blink-infra-reviewed

Comment #19 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c19

(No comment was entered for this change.)

[weizhong via monorail]

Updates:
Owner: weiz...@google.com
Status: Assigned

Comment #20 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c20

[weizhong via monorail]

Updates:
Cc: d.ha...@gmail.com hy...@google.com

Comment #21 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c21

Reading README.chromium and find it requires uploading binaries to google storage again, which is not allowed now.

means we need use 3pp to packaging this?

[hypan via monorail]

Comment #22 on issue 1030658 by hy...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c22

Yeah, we should migrate it to 3pp. infra/infra repo would be better as it support win platforms

[davidben via monorail]

Updates:
Cc: dpr...@google.com

Comment #24 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c24

This one's interesting because we were using the pre-built Windows binaries from upstream anyway. I don't know whether 3pp would require that we figure out how to build from source on Windows, or if it's sufficient to just transcript the download/unzip rules into 3pp. Alas, unlike the Mac one, there's no alternative system httpd we can use instead.

+dpranke since we had a similar discussion over in issue #1190885 about having a fixit to convert all these Blink tests.

[weizhong via monorail]

Comment #25 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c25

hypan@, what is your thought on #c24?

About the idea "finally switch all this to wptserve", is this same to migrate http tests to wpt tests? I see there are a lot of http tests, so would take some time?

[davidben via monorail]

Comment #26 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c26

> About the idea "finally switch all this to wptserve", is this same to migrate http tests to wpt tests?

Yup. Possibly with some infra work to support wptserve-based Chrome-only tests, as there may be tests we don't want to upstream, but still need to run in Blink.

> I see there are a lot of http tests, so would take some time?

Yeah, I think we'd need to do a fixit and get a bunch of people to hack on it in parallel. (That could also be a reason to make Chrome-only wptserve-based tests possible. Even if it's a test we want to upstream, that would require a judgement call by the person porting the tests. If we separate the upstreaming decision from the porting work, it'll be easier to port things.)

[dpranke via monorail]

Comment #27 on issue 1030658 by dpr...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c27

> That could also be a reason to make Chrome-only wptserve-based tests possible.

I think this is already possible, but we might have to change the configuration of the servers depending on where we wanted tests to live ... Or, I could be misremembering.

[davidben via monorail]

Comment #28 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c28

Ah, even better. I don't actually work on Blink, so I've no idea. :-) I was just going by the end of this comment, and assuming it hadn't been done yet.
https://bugs.chromium.org/p/chromium/issues/detail?id=347864#c41

[weizhong via monorail]

Comment #29 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c29

If we don't want to upstream a test, we put it under wpt_internal?

[weizhong via monorail]

Updates:
Cc: bry...@google.com

Comment #30 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c30

davidben@, for 3pp packaging httpd for win32, do you know what is the best way to get the additional DLLs from MSVC and UCRT? Are they ready for downloading at somewhere?

bryner@, do you know if there is any other applications need use those additional DLLs? should we make that a cipd package?

[bryner via monorail]

Comment #31 on issue 1030658 by bry...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c31

re: #30, these DLLs are included in the windows sdk package that we use for the 3pp builders, so one option might be to copy them from there (chrome_internal/third_party/sdk/windows)

We try to create 3pp CIPD packages to be hermetic, so I think it would be better to copy the DLLs to the packages where they are needed than to create a separate DLL package. You could also try to figure out if there is an option to link the CRT statically so that we don't have this dependency for the httpd binary.

We have run into a related issue before with Python; but basically the python.org distribution does the right thing by distributing the dependency with the python interpreter.

[weizhong via monorail]

Comment #32 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c32

bryner@, I was not able to find chrome_internal/third_party/sdk/windows.

Do I need to modify .gclient then run "gclient sync"?

[bryner via monorail]

Comment #33 on issue 1030658 by bry...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c33

This doesn't have anything to do with .gclient. I meant that we use the CIPD package https://chrome-infra-packages.appspot.com/p/chrome_internal/third_party/sdk/windows/+/ to build things from source on Windows. I believe the CRT runtime DLLs should be in that package somewhere, so one option is to have the install.sh step copy those into the package.

[weizhong via monorail]

Comment #34 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c34

bryner@, thanks. Is there a download url for this package?

[weizhong via monorail]

Comment #35 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c35

Another question: If I use fetch.py and set "unpack_archive: true", where would those unpacked packages be put at?

[weizhong via monorail]

Updates:
Status: WontFix

Comment #37 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c37

I would suggest we wontfix this. We are using httpd as a test server. We are using 2.4.37 on windows, and 2.4.38 on mac. I checked nist site, there are also a lot vulnerability report for 2.4.38.

I tried to fix this with https://chromium-review.googlesource.com/c/infra/infra/+/3554607, but met issue to download the package.

Continue to work on this does not seem to make sense, as the gain is not comparable to the effort.

[davidben via monorail]

Comment #38 on issue 1030658 by davi...@chromium.org: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c38

Agreed the vulnerability isn't a problem, but if we cannot update this server at all, I think that's a problem. If we had some other reason to need to update it (previously, I had to update it to get modern TLS supported), we'd be stuck. It sounds like we have a few problems here that should be owned by infra:

- Our use of httpd is clearly a problem and we need to get rid of it. That's probably #1297254.
- It sounds like 3pp infrastructure is not yet usable on Windows. Do we have a ticket owned by the 3pp team to fix that?
- In the meantime, whatever mechanism that blocked google storage uploads should be reverted on Windows, as it sounds like infra isn't ready for that yet.

[weizhong via monorail]

Updates:
Cc: jcli...@google.com

Comment #39 on issue 1030658 by weiz...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c39

Yes #1297254 should be our long term goal. I think we need find a way to advocate that.

For the downloading issue on 3pp, created crbug/1311338

- In the meantime, whatever mechanism that blocked google storage uploads should be reverted on Windows, as it sounds like infra isn't ready for that yet.

>> I cced jclinton@ for his opinion on this.

[jclinton via monorail]

Comment #40 on issue 1030658 by jcli...@google.com: Chromium: Vulnerability reported in apache-win32
https://bugs.chromium.org/p/chromium/issues/detail?id=1030658#c40

I replied on Bug 1311116