In libhttpd.c, expand_symlinks() around line 1492, this line assumes strlen(path) is always > 0, but this isnt the case: ... if ( rest[restlen - 1] == '/' ) rest[--restlen] = '\0'; /* trim trailing slash */ ... By sending a request that after normalization is empty, (eg GET /../), if the byte before the rest heap buffer is 0x2f a '\0' is written one byte before the buffer. restlen here could wrap to SIZE_MAX, and do some more damage. Theres a similar case earlier in the function but requires stat("", foo) to return success. I emailed the maintainer before christmas, and again after new year and no response. I think this would be very unlikely to be exploitable, but we should fix it to be safe. Patch attached.
Created attachment 105364 [details, diff] patch for this issue
www-servers please advise.
thttpd-2.25b-r6 applies the patch from taviso and is now in the tree.
Arches, please test and mark stable thttpd-2.25b-r6
ppc stable
x86 stable, we are last
Please vote for glsa
I tend to vote NO.
padawan vote NO.
NO as well from me, closing with noglsa. Thanks everyone.
