110637 – www-servers/thttpd insecure tempfile creation (CVE-2005-3124)

Bug 110637 - www-servers/thttpd insecure tempfile creation (CVE-2005-3124)

Summary: www-servers/thttpd insecure tempfile creation (CVE-2005-3124)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	C3 [noglsa] jaervosz
Keywords:

Depends on:
Blocks:

Reported:	2005-10-27 11:18 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2005-11-21 01:05 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
patch.CVE-2005-3124.thttpd (patch.CVE-2005-3124.thttpd,724 bytes, patch) 2005-10-27 11:20 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-27 11:18:39 UTC

Javier Fern

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-27 11:18:39 UTC

Javier Fernández-Sanguino Peña from the Debian Security Audit team 
discovered that the syslogtocern script from thttpd, a tiny webserver, 
uses a temporary file insecurely, allowing a local attacker to craft a 
symlink attack to overwrite arbitrary files. 
 
Patch by Javier attached.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-27 11:20:04 UTC

Created attachment 71583 [details, diff]
patch.CVE-2005-3124.thttpd

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-10-28 01:03:11 UTC

Waiting for a hint on disclosure date

Comment 4 Thierry Carrez (RETIRED) gentoo-dev

2005-10-28 06:56:02 UTC

Already public.

www-servers herd please check if we ship that script and bump with patch if
necessary.

Comment 5 Aaron Walker (RETIRED) gentoo-dev

2005-10-28 08:49:59 UTC

(In reply to comment #3)
> Already public.
> 
> www-servers herd please check if we ship that script and bump with patch if
> necessary.

Yes it is installed by make install.

I've gone ahead and committed 2.25b-r3 but unless I get rid of the php stuff
Stuart added to 2.25b-r2 I don't feel comfortable stabilizing (plus it needs a
few deps stabilized first).  Stuart, comments?

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-11-04 05:27:07 UTC

www-servers please make up your mind on which version we should ask to
stable-ize to fix this security bug.

Comment 7 Thierry Carrez (RETIRED) gentoo-dev

2005-11-06 10:49:05 UTC

sent an email to stuart so that we get an answer on this.

Comment 8 Stuart Herbert (RETIRED) gentoo-dev

2005-11-06 12:16:40 UTC

Hi,

I suggest we drop the PHP5 support for now, and stabilise without it.

Best regards,
Stu

Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-11 01:08:30 UTC

Aaron/Stuart we'll call for stable marking of 2.25b-r3 when you confirm.

Comment 10 Aaron Walker (RETIRED) gentoo-dev

2005-11-15 18:58:35 UTC

2.25b-r4 is in cvs w/o php support.  x86 stable.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-15 22:47:56 UTC

ppc please test and mark stable.

Comment 12 Joe Jezak (RETIRED) gentoo-dev

2005-11-16 11:27:41 UTC

Marked ppc stable.

Comment 13 Thierry Carrez (RETIRED) gentoo-dev

2005-11-17 01:51:37 UTC

Ready for GLSA vote.
I don't know. This is a misc script for sure, but it's still in path... half yes
from here.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-11-17 02:06:04 UTC

I tend to vote NO.

Comment 15 Kurt Lieber (RETIRED) gentoo-dev

2005-11-19 10:29:46 UTC

I'd vote no as well.

Comment 16 Thierry Carrez (RETIRED) gentoo-dev

2005-11-21 01:05:49 UTC

Reverting vote and closing.