From $URL :

While reading source code, I noticed that local attackers with the ability to alter .htpasswd files could cause a Denial of Service in thttpd by specially-crafting them, with e.g.:

$ echo 'foo:$2a$a875CeSLbja8w' >> .htpasswd

Authenticating then triggers the issue:

Jun 20 17:12:02 g193 kernel: [716329.025980] thttpd[14458]: segfault at 0 ip b7741f38 sp bfa5019c error 4 in libc-2.11.3.so[b76cc000+166000]

I can't reproduce this. There are lots of differences between the original upstream code and the forked code, including about a dozen or so security fixes. I didn't try to narrow it down, but given that I can't reproduce the original opensuse bug, I think it's safe to close this. Thanks for the report but there's nothing to fix. I'll let you finish the security stuff.
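
An added example, not code from thttpd or from either comment above: a pre-flight check that flags .htpasswd entries whose hash field claims to be bcrypt ("$2...") but is not well formed, which is the shape of the entry quoted in the report. The names check_htpasswd_line and hash_check are hypothetical, other hash schemes are passed through unchecked, and every sample line except the reported one is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hash_check { HASH_NO_FIELD, HASH_OTHER_SCHEME, HASH_OK_BCRYPT, HASH_BAD_BCRYPT };

/* crypt(3) base64 alphabet used by bcrypt salts and digests. */
static int is_crypt64(char c) {
    return c == '.' || c == '/' || isalnum((unsigned char)c);
}

/* Classify the hash field of one "user:hash" htpasswd line.
 * Only fields that claim to be bcrypt ("$2...") are validated. */
enum hash_check check_htpasswd_line(const char *line) {
    const char *h = strchr(line, ':');
    if (h == NULL) return HASH_NO_FIELD;
    h++;
    size_t n = strcspn(h, "\r\n");            /* field length without line ending */
    if (n == 0) return HASH_NO_FIELD;
    if (n < 2 || h[0] != '$' || h[1] != '2') return HASH_OTHER_SCHEME;
    /* Well-formed bcrypt: "$2" variant "$" 2-digit cost "$" 53 chars = 60 bytes. */
    if (n != 60) return HASH_BAD_BCRYPT;
    if (strchr("abxy", h[2]) == NULL || h[3] != '$' || h[6] != '$') return HASH_BAD_BCRYPT;
    if (!isdigit((unsigned char)h[4]) || !isdigit((unsigned char)h[5])) return HASH_BAD_BCRYPT;
    int cost = (h[4] - '0') * 10 + (h[5] - '0');
    if (cost < 4 || cost > 31) return HASH_BAD_BCRYPT;
    for (size_t i = 7; i < n; i++)
        if (!is_crypt64(h[i])) return HASH_BAD_BCRYPT;
    return HASH_OK_BCRYPT;
}

int main(void) {
    /* The first line is the entry quoted in the report; the rest are constructed. */
    const char *lines[] = {
        "foo:$2a$a875CeSLbja8w\n",
        "bob:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234\n",
        "carol:ab01FAX.bQRSU\n",
    };
    static const char *names[] = { "no hash field", "other scheme (unchecked)",
                                   "bcrypt ok", "MALFORMED bcrypt" };
    int bad = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum hash_check r = check_htpasswd_line(lines[i]);
        printf("%-24s line %zu\n", names[r], i + 1);
        bad |= (r == HASH_BAD_BCRYPT);
    }
    return bad;   /* non-zero exit when any entry is malformed */
}
```

The exit status is non-zero when any entry is flagged, so the check can gate a deployment step or run from a file-integrity job that watches .htpasswd files.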