Bug 491154 (CVE-2013-4559) - <www-servers/lighttpd-1.4.33 : two vulnerabilities (CVE-2013-{4559,4560})
Status: RESOLVED FIXED
Alias: CVE-2013-4559
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa]
Reported: 2013-11-13 09:23 UTC by Agostino Sarubbo
Modified: 2014-06-13 20:44 UTC

Description Agostino Sarubbo gentoo-dev 2013-11-13 09:23:10 UTC
1. setuid/setgid/setgroups return values are not checked

If setuid() fails for any reason (RLIMIT_NPROC) lighttpd runs as root.

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt


2. If FAMMonitorDirectory fails, lighttpd reads a value from already
free()d memory.

http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:36:37 UTC
CVE-2013-4560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4560):
  Use-after-free vulnerability in lighttpd before 1.4.33 allows remote
  attackers to cause a denial of service (segmentation fault and crash) via
  unspecified vectors that trigger FAMMonitorDirectory failures.

CVE-2013-4559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4559):
  lighttpd before 1.4.33 does not check the return value of the (1) setuid,
  (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as
  root if it is restarted and allows remote attackers to gain privileges, as
  demonstrated by multiple calls to the clone function that cause setuid to
  fail when the user process limit is reached.
Comment 2 Sergey Popov gentoo-dev 2014-06-13 20:31:41 UTC
Added to existing GLSA draft
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:15 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).