Bug 150748 - www-servers/shttpd - buffer overflow and rce (CVE-2006-5216)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/2482
Whiteboard: ~1 [noglsa]
Reported: 2006-10-10 07:41 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-10-30 03:12 UTC
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-10-10 07:41:07 UTC
The POC¹ is against 1.34 tested on WinXP. We have only version ~ 1.25 in the tree. I don't know if it is affected, too. Either replacing it with 1.35 or inviting treecleaners, if no one really cares for the package, should suffice.


[1] http://www.milw0rm.com/exploits/2482
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-11 06:44:52 UTC
www-servers, any interest in keeping this? If so, pls verify/bump
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 06:09:13 UTC
www-servers, pls comment
Comment 4 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2006-10-22 08:54:16 UTC
I've put minimal (i.e. cp) effort into creating a bump ebuild, but failed...

IMHO this can be punted. www-servers/fnord is an alternative.
thanks
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-23 12:44:34 UTC
since this is not marked stable on any arch, pls feel free to mask->remove it
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-23 13:13:08 UTC
I agree with masking/removing it if no one can resolve that bug.

I'll try to check if our version is really vulnerable during this week.
Comment 7 Stuart Herbert (RETIRED) gentoo-dev 2006-10-24 00:38:02 UTC
Sorry for the delay in replying.

I've bumped this package up to 1.35.  That was released back in April, long before the exploit was posted.  I can't tell whether this version is also vulnerable or not at the moment.

Anyone in the security team fancy auditing it?

Best regards,
Stu
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 01:09:04 UTC
Thanks Stuart. I'll try to have a look at this
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-24 05:46:45 UTC
finally remove treecleaner from Cc since Stuart has taken this package :)
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2006-10-24 05:55:51 UTC
The update to 1.35 should suffice. Forgot to provide the advisory url, sorry.


http://secunia.com/advisories/22294/
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-30 03:12:54 UTC
I couldn't determine if 1.25 was affected. That's not a problem since 1.35 is out after all.

I close that bug; as usual, feel free to reopen if you disagree