Following https://bugs.gentoo.org/show_bug.cgi?id=746356, I noticed a reproducible segfault when loading a file then refreshing the page in my browser. After investigation, this was due to these warnings:

bozohttpd.c: In function ‘parse_http_date’:
bozohttpd.c:957:19: warning: implicit declaration of function ‘strptime’; did you mean ‘strftime’? [-Wimplicit-function-declaration]
  957 |  if ((remainder = strptime(val, "%a, %d %b %Y %T GMT", &tm)) == NULL &&
      |                   ^~~~~~~~
      |                   strftime
bozohttpd.c:957:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  957 |  if ((remainder = strptime(val, "%a, %d %b %Y %T GMT", &tm)) == NULL &&
      |                 ^
bozohttpd.c:958:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  958 |      (remainder = strptime(val, "%a, %d-%b-%y %T GMT", &tm)) == NULL &&
      |                 ^
bozohttpd.c:959:17: warning: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
  959 |      (remainder = strptime(val, "%a %b %d %T %Y", &tm)) == NULL)
      |                 ^
bozohttpd.c: In function ‘bozoasprintf’:
bozohttpd.c:2053:6: warning: implicit declaration of function ‘vasprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
 2053 |  e = vasprintf(str, fmt, ap);
      |      ^~~~~~~~~
      |      vsprintf
daemon-bozo.c: In function ‘bozo_daemon_init’:
daemon-bozo.c:172:3: warning: ignoring return value of ‘daemon’, declared with attribute warn_unused_result [-Wunused-result]
  172 |   daemon(1, 0);
      |   ^~~~~~~~~~~~
ssl-bozo.c: In function ‘bozo_ssl_printf’:
ssl-bozo.c:170:16: warning: implicit declaration of function ‘vasprintf’; did you mean ‘vsprintf’? [-Wimplicit-function-declaration]
  170 |  if ((nbytes = vasprintf(&buf, fmt, ap)) != -1) {
      |                ^~~~~~~~~
      |                vsprintf

How the application managed to link with strptime not being defined is quite curious (some C89 vs C99 thing?), but my debugging pointed to the return of that "function".
Here's the commit that solved it in my overlay:

    Need to add the following feature test macros:
    _XOPEN_SOURCE to avoid segfault at bozohttpd.c:962 when refreshing page after loading, due to bad strptime definition
    _DEFAULT_SOURCE to allow compilation after _XOPEN_SOURCE was defined
    _GNU_SOURCE for vasprintf

    As _GNU_SOURCE defines "_XOPEN_SOURCE with the value 700 (600 in glibc versions before 2.10; 500 in glibc versions before 2.2)" and "since glibc 2.19, defining _GNU_SOURCE also has the effect of implicitly defining _DEFAULT_SOURCE", no need for the others.

diff --git a/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild b/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild index 4aa2e95..8afeb77 100644 --- a/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild +++ b/www-servers/bozohttpd/bozohttpd-20190228-r1.ebuild @@ -26,7 +26,8 @@ src_prepare() { } src_compile() { - emake CC="$(tc-getCC)" OPT="${CFLAGS}" CPPFLAGS="${CPPFLAGS} -DDO_HTPASSWD" LDLIBS=-lcrypt + emake CC="$(tc-getCC)" OPT="${CFLAGS}" LDLIBS=-lcrypt \ + CPPFLAGS="${CPPFLAGS} -DDO_HTPASSWD -D_GNU_SOURCE" } src_install() {

PS: bozohttpd seems quite wonky, does anyone know another minimalist (like bozohttpd or thttpd) but maintained HTTP server with CGI, HTTP basic auth and directory listing?
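Review bot: putting -D_GNU_SOURCE in CPPFLAGS is the right place for it in the src_compile hunk, because a -D on the compiler command line precedes every #include, whereas a #define added to bozohttpd.c after its first system header would be silently ignored (glibc's <features.h> is evaluated once). Two follow-ups worth making in the same hunk: add -Werror=implicit-function-declaration alongside it so that a missing prototype fails the build instead of producing a binary whose strptime() return pointer is truncated to int, and carry the define upstream into the project's Makefile rather than only the ebuild, so the fix survives the next version bump.

The three strptime() calls in the warnings above are bozohttpd's parse_http_date(); the crash comes from dereferencing the returned "remainder" pointer after the compiler, lacking a prototype, treated the call as returning int. The dmesg dump in the reproduction comment later in this bug shows exactly that: the bytes just before the faulting instruction are 48 98 (cltq, sign-extending a 32-bit eax into rax) followed by <80> 38 00 (cmpb $0,(%rax)), and the faulting address 666cb75d fits in 32 bits. The program below is an added example, not bozohttpd's own code: it parses the same three HTTP-date formats with the feature-test macro in the right place, rejects trailing garbage, and converts the result to a Unix timestamp without relying on the local time zone. It assumes a Linux libc (glibc or musl); the explicit strptime prototype and the names parse_http_date, http_date_to_epoch and days_from_civil are this example's own.

```c
#define _GNU_SOURCE   /* on glibc implies _XOPEN_SOURCE=700 and _DEFAULT_SOURCE; must precede every #include */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Safeguard prototype, compatible with glibc's and musl's declarations
 * (assumption: a Linux libc).  It makes the program independent of header
 * ordering: a #define _GNU_SOURCE placed after the first system header is
 * silently ignored, and with GCC < 14 an undeclared strptime() would then be
 * implicitly declared as returning int, truncating the pointer to 32 bits. */
char *strptime(const char *s, const char *fmt, struct tm *tm);

/* The three date formats RFC 7231 requires a server to accept (IMF-fixdate,
 * obsolete RFC 850, and asctime()), in the order bozohttpd tries them. */
static const char *const http_date_formats[] = {
    "%a, %d %b %Y %T GMT",  /* Sun, 06 Nov 1994 08:49:37 GMT  */
    "%a, %d-%b-%y %T GMT",  /* Sunday, 06-Nov-94 08:49:37 GMT */
    "%a %b %d %T %Y",       /* Sun Nov  6 08:49:37 1994       */
};

/* Parse an HTTP-date into *out.  Returns 0 on success, -1 when no format
 * matches the whole string (trailing bytes are rejected, not ignored). */
int parse_http_date(const char *val, struct tm *out)
{
    size_t n = sizeof http_date_formats / sizeof http_date_formats[0];
    for (size_t i = 0; i < n; i++) {
        struct tm tm;
        memset(&tm, 0, sizeof tm);
        const char *rest = strptime(val, http_date_formats[i], &tm);
        /* This is the dereference that crashed bozohttpd once the pointer
         * had been squeezed through an int. */
        if (rest != NULL && *rest == '\0') {
            *out = tm;
            return 0;
        }
    }
    return -1;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so the conversion does not depend on the local time zone
 * the way mktime() does and needs no timegm() declaration. */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

/* Seconds since the Unix epoch for a struct tm that strptime() filled in UTC. */
long long http_date_to_epoch(const struct tm *tm)
{
    long long days = days_from_civil(tm->tm_year + 1900LL,
                                     (unsigned)tm->tm_mon + 1,
                                     (unsigned)tm->tm_mday);
    return days * 86400 + tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec;
}

int main(int argc, char **argv)
{
    /* Constructed sample input: the RFC 7231 example date in all three
     * forms, plus one with trailing garbage that must be rejected. */
    const char *samples[] = {
        "Sun, 06 Nov 1994 08:49:37 GMT",
        "Sunday, 06-Nov-94 08:49:37 GMT",
        "Sun Nov  6 08:49:37 1994",
        "Sun, 06 Nov 1994 08:49:37 GMT; garbage",
    };
    size_t n = argc > 1 ? (size_t)argc - 1 : sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        const char *s = argc > 1 ? argv[i + 1] : samples[i];
        struct tm tm;
        if (parse_http_date(s, &tm) == 0)
            printf("%-40s -> %lld\n", s, http_date_to_epoch(&tm));
        else
            printf("%-40s -> rejected\n", s);
    }
    return 0;
}
```

Build it with the macro in the source as shown, or equivalently with `-D_GNU_SOURCE` on the command line as the ebuild does; adding `-Werror=implicit-function-declaration` turns the warning that started this bug into a hard build failure, which is what you want for a server that parses attacker-controlled headers.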
Since the default service configuration makes it run as root (need to uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security news is warranted?
(In reply to Hadrien Lacour from comment #1)
> Since the default service configuration makes it run as root (need to
> uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security
> news is warranted?

I'm not sure what you mean by "security news", but since it seems this crash comes about after building with a modified ebuild, that would be an invalid bug for Gentoo. Please reopen if you can reproduce this issue with the ebuild that Gentoo ships. If that is a valid build configuration to upstream, I would also encourage you to report the issue upstream too.
The segfault can be reproduced with the default ebuild:

$ mkdir www
$ echo 'hello world' >www/test.txt
$ bozohttpd -b -f -i localhost -I 8000 -s -X www &
$ firefox 'http://localhost:8000/test.txt'

After loading, refresh the page.

$ dmesg | tail -n2
[ 9743.332360] bozohttpd[10826]: segfault at 666cb75d ip 0000556f6648e6a2 sp 00007fff0eb36540 error 4 in bozohttpd[556f66485000+15000]
[ 9743.332368] Code: 6f 78 4d 85 ed 74 3e 4c 8d 64 24 50 31 c0 48 8d 35 6e 6d 00 00 4c 89 ef 4c 89 e2 e8 68 c4 ff ff 85 c0 0f 84 30 05 00 00 48 98 <80> 38 00 75 16 4c 89 e7 e8 61 c4 ff ff 48 39 84 24 e8 00 00 00 0f

The command line is the same as the bundled server with default configuration, only with -f (foreground) and -s (stderr logging) added.
bundled service*
http://www.eterna.com.au/bozohttpd/CHANGES

.. changes in bozohttpd 20201014:
	o also set -D_GNU_SOURCE in Makefile.boot. from hadrien.lacour@posteo.net.
	o fix array size botch (assertion, not exploitable.) from martin@netbsd.org.
	o also match %2F as well as %2f. from leah@vuxu.org.
	o many manual and help fixes. clean ups for higher lint levels, consistency/style clean ups. various option fixes including made -f imply -b. from <henrik@gulbra.net> for freebsd.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab1a41182e784453a1e46048a0c963e161b1e99c

commit ab1a41182e784453a1e46048a0c963e161b1e99c
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-03-02 12:23:09 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-03-02 12:26:12 +0000

    www-servers/bozohttpd: treeclean

    Closes: https://bugs.gentoo.org/830428
    Closes: https://bugs.gentoo.org/713614
    Closes: https://bugs.gentoo.org/746356
    Closes: https://bugs.gentoo.org/746404
    Closes: https://bugs.gentoo.org/746416
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 profiles/package.mask                            |  5 ----
 www-servers/bozohttpd/Manifest                   |  1 -
 www-servers/bozohttpd/bozohttpd-20190228.ebuild  | 35 ----------------------
 www-servers/bozohttpd/files/bozohttpd.conffile   | 11 -------
 www-servers/bozohttpd/files/bozohttpd.initscript | 37 ------------------------
 www-servers/bozohttpd/metadata.xml               |  9 ------
 6 files changed, 98 deletions(-)