Bug#: 87916
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: rob holland (RETIRED) <tigger@gentoo.org>
Description:   Opened: 2005-04-04 08:26 0000
Putting a zero byte file in htdocs somewhere and then requesting it repeatedly
will cause monkeyd to corrupt memory/blow up depending on MALLOC_CHECK_.

Dodgy code is:

void M_free(void *ptr)
{
    if(ptr!=NULL){
        memset(ptr, '\0', sizeof(ptr)); /* sizeof(ptr) is the size of a pointer, not of the buffer */
        free(ptr);
        ptr=NULL;                       /* only clears the local parameter, not the caller's pointer */
    }
}

The memset doesn't do what was intended. This isn't normally visible, but the 0
byte file causes monkeyd to malloc(0), which means there is no data allocated to
"absorb" the broken memset call. The ptr=NULL thing is also just plain weird :)

Problem was spotted by ciaranm and investigated by me.

The code is pretty scary; taviso is checking it over some more atm, so hold fire
on any GLSA etc. ;)
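
The two defects in M_free described above, as an added example that is not part of the original report or of Monkey's code. The "heap" here is a hypothetical stack arena, so the buggy memset can be run without corrupting real allocator state: the first `alloc_len` bytes stand for the allocation and the bytes after it for whatever sits next on the heap. `simulate_wipe`, `m_free_sized` and the arena size are assumptions made for the illustration; `m_free_sized` is a hypothetical corrected free, not upstream's fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 32
#define FILL 0xAA

/* Outcome of one simulated wipe of an allocation of alloc_len bytes. */
struct wipe_result {
    size_t overflowed;   /* bytes zeroed past the end of the allocation */
    size_t unwiped;      /* bytes inside the allocation left untouched */
};

/* Hypothetical model of the heap, not real allocator state: the
 * "allocation" is the first alloc_len bytes of a stack arena and every byte
 * after it belongs to a neighbouring object or to allocator metadata. The
 * buggy path performs the report's memset(ptr, '\0', sizeof(ptr)), i.e. it
 * writes sizeof(void *) bytes whatever the allocation size; the fixed path
 * writes the length the caller actually allocated. All writes stay inside
 * the arena, so the model is safe to run. */
static struct wipe_result simulate_wipe(size_t alloc_len, int buggy)
{
    unsigned char arena[ARENA_SIZE];
    void *ptr = arena;
    struct wipe_result r = { 0, 0 };
    size_t i;

    if (alloc_len > ARENA_SIZE - sizeof(ptr))
        alloc_len = ARENA_SIZE - sizeof(ptr);  /* keep the fixed path in bounds */

    memset(arena, FILL, sizeof arena);
    if (buggy)
        memset(ptr, '\0', sizeof(ptr));        /* size of a pointer: 8 on LP64 */
    else
        memset(ptr, '\0', alloc_len);          /* size of the buffer */

    for (i = 0; i < alloc_len; i++)
        if (arena[i] != 0)
            r.unwiped++;
    for (i = alloc_len; i < ARENA_SIZE; i++)
        if (arena[i] != FILL)
            r.overflowed++;
    return r;
}

size_t buggy_overflow(size_t alloc_len) { return simulate_wipe(alloc_len, 1).overflowed; }
size_t buggy_unwiped(size_t alloc_len)  { return simulate_wipe(alloc_len, 1).unwiped; }
size_t fixed_overflow(size_t alloc_len) { return simulate_wipe(alloc_len, 0).overflowed; }
size_t fixed_unwiped(size_t alloc_len)  { return simulate_wipe(alloc_len, 0).unwiped; }

/* Hypothetical corrected free (not upstream's fix): the caller passes the
 * allocation length, so the wipe covers exactly the buffer, and the address
 * of its pointer, so the pointer really is cleared. In the original M_free,
 * "ptr = NULL" only clears the by-value parameter and the caller keeps a
 * dangling pointer. */
void m_free_sized(void **pp, size_t len)
{
    if (pp != NULL && *pp != NULL) {
        memset(*pp, '\0', len);
        free(*pp);
        *pp = NULL;
    }
}

/* Returns 1 if the caller's pointer is NULL after m_free_sized. */
int free_clears_caller_pointer(void)
{
    void *p = malloc(16);
    if (p == NULL)
        return 0;
    memset(p, 'A', 16);
    m_free_sized(&p, 16);
    return p == NULL;
}

int main(void)
{
    size_t sizes[] = { 0, 4, 16 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("alloc %2zu: buggy overflow=%zu unwiped=%zu | fixed overflow=%zu unwiped=%zu\n",
               sizes[i], buggy_overflow(sizes[i]), buggy_unwiped(sizes[i]),
               fixed_overflow(sizes[i]), fixed_unwiped(sizes[i]));
    printf("m_free_sized clears caller pointer: %d\n", free_clears_caller_pointer());
    return 0;
}
```

With a zero-length allocation, which is what the empty file produces, every one of the sizeof(void *) bytes the buggy memset writes lands outside the allocation; with a 16-byte allocation the same call zeroes only half of it. The fixed path does neither, and the pointer-to-pointer signature is what makes the "ptr = NULL" intent actually reach the caller.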

------- Comment #1 From Luke Macken (RETIRED) 2005-04-04 08:33:25 0000 -------
*** Bug 87917 has been marked as a duplicate of this bug. ***

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-04-11 23:49:26 0000 -------
Is upstream informed yet?

------- Comment #3 From Tavis Ormandy (RETIRED) 2005-04-12 02:26:11 0000 -------
There's a remotely exploitable double expansion in m_build_buffer_from_buffer()

Example crash to get a bt:

printf "GET %%00 HTTP/1.1\nHost: %%500n%%500n\n\n" | nc localhost 2001

It looks like a nice project, but my confidence in the security of the code is low, perhaps we should consider masking it until it matures.
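
The double expansion named in the comment above, as an added example that is not part of the original comment or of Monkey's code. `build_buffer` is a hypothetical stand-in for a printf-style buffer builder like m_build_buffer_from_buffer(); `render_vulnerable`, `render_fixed` and `active_directives` are likewise assumptions made for the illustration. Note that in the request on the page the `%%` is the shell printf's own escaping, so the bytes that reach the server carry a single `%`: the Host value arrives as `%500n%500n`. The example therefore never runs the vulnerable path with that payload (it would perform the `%n` write); it uses the classic `%%` probe, which survives a pass where it is data and shrinks to `%` in a pass where it is the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style buffer builder such as the
 * m_build_buffer_from_buffer() named in the comment; not Monkey's code.
 * It carries no format attribute, so the compiler's format checker cannot
 * see what the callers below do with it. */
static int build_buffer(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Double expansion: the attacker-controlled Host value is passed safely as
 * an argument in pass 1, then the result is handed back in as the format in
 * pass 2, where every '%' from the original input is interpreted. Only call
 * this with a harmless probe such as "%%"; with "%500n%500n" pass 2 would
 * perform the write. */
const char *render_vulnerable(const char *host)
{
    static char line[256], out[256];

    build_buffer(line, sizeof line, "Host: %s", host);   /* pass 1: data */
    build_buffer(out, sizeof out, line);                 /* pass 2: format */
    return out;
}

/* Fixed: the second pass pins the format and passes the data as data. */
const char *render_fixed(const char *host)
{
    static char line[256], out[256];

    build_buffer(line, sizeof line, "Host: %s", host);
    build_buffer(out, sizeof out, "%s", line);
    return out;
}

/* Counts directives printf would act on: a '%' not followed by '%'. A
 * value above zero for a buffer that is about to be used as a format means
 * request data has reached the format argument. */
size_t active_directives(const char *s)
{
    size_t n = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent: skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the probe, and the Host value from the comment's
     * request as it arrives on the wire (the shell's printf already turned
     * each "%%" into a single "%"). */
    const char *probe = "%%";
    const char *payload = "%500n%500n";
    char line[256];

    printf("probe   vulnerable=\"%s\" fixed=\"%s\"\n",
           render_vulnerable(probe), render_fixed(probe));
    build_buffer(line, sizeof line, "Host: %s", payload);
    printf("payload after pass 1: \"%s\" (%zu live directives)\n",
           line, active_directives(line));
    printf("payload via fixed path: \"%s\"\n", render_fixed(payload));
    return 0;
}
```

The probe is the practical check: a `%%` that comes back as `%` has been through a format function as the format, and `active_directives` on the pass-1 output shows that the two `%500n` from the comment's request are still live when that buffer is expanded a second time.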

------- Comment #4 From Tavis Ormandy (RETIRED) 2005-04-12 02:37:53 0000 -------
There are alternatives available (I've used thttpd in the past), and there are
numerous mistakes like the one ciaran spotted.

I think we should mask for now.

------- Comment #5 From rob holland (RETIRED) 2005-04-12 03:23:01 0000 -------
I will inform upstream (having discussed it with taviso).

------- Comment #6 From rob holland (RETIRED) 2005-04-12 04:11:55 0000 -------
Upstream emailed, cc'd security@.

------- Comment #7 From Sune Kloppenborg Jeppesen 2005-04-12 04:16:03 0000 -------
Vapier, it seems like your baby; please advise.

------- Comment #8 From SpanKY 2005-04-12 05:42:13 0000 -------
I don't mind masking it until upstream has had a chance to reply.

------- Comment #9 From rob holland (RETIRED) 2005-04-13 08:03:39 0000 -------
Upstream fixed the first issue and has been sent a patch for the second.

------- Comment #10 From Aaron Walker (RETIRED) 2005-04-14 05:05:17 0000 -------
0.9.1 in CVS, stable on x86. CC'd archs, please mark stable.

------- Comment #11 From Michael Hanselmann (hansmi) (RETIRED) 2005-04-14 11:50:56 0000 -------
Stable on ppc.

------- Comment #12 From Gustavo Zacarias (RETIRED) 2005-04-15 06:05:23 0000 -------
sparc stable.

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-04-15 10:28:59 0000 -------
GLSA 200504-14
