Bug 769758 (CVE-2021-26843) - www-servers/thttpd: Invalid memory allocations (CVE-2021-26843)
Summary: www-servers/thttpd: Invalid memory allocations (CVE-2021-26843)
Status: RESOLVED FIXED
Alias: CVE-2021-26843
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/blueness/sthttpd/i...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-09 15:34 UTC by Sam James
Modified: 2022-09-18 21:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 15:34:20 UTC
Description:
"An issue was discovered in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can be triggered with an HTTP GET request for a crafted filename. NOTE: this is similar to CVE-2017-10671, but occurs in a different part of the de_dotdot function."
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:24:12 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:32:37 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:40:32 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:48:42 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:04:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:12:55 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-08-16 20:05:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a837f2817c7045a3155e186f23df725f5518a69

commit 9a837f2817c7045a3155e186f23df725f5518a69
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-16 18:30:06 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-16 20:05:07 +0000

    profiles: last rite thttpd
    
    Bug: https://bugs.gentoo.org/769758
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 8 Anthony Basile gentoo-dev 2022-08-16 21:33:40 UTC
(In reply to Larry the Git Cow from comment #7)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a837f2817c7045a3155e186f23df725f5518a69
> 
> commit 9a837f2817c7045a3155e186f23df725f5518a69
> Author:     John Helmert III <ajak@gentoo.org>
> AuthorDate: 2022-08-16 18:30:06 +0000
> Commit:     John Helmert III <ajak@gentoo.org>
> CommitDate: 2022-08-16 20:05:07 +0000
> 
>     profiles: last rite thttpd
>     
>     Bug: https://bugs.gentoo.org/769758
>     Signed-off-by: John Helmert III <ajak@gentoo.org>
> 
>  profiles/package.mask | 5 +++++
>  1 file changed, 5 insertions(+)

Good bye my old friend ;)
Comment 9 Larry the Git Cow gentoo-dev 2022-09-18 21:23:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44bfe46214a944653ef401cc30789b44b71e1957

commit 44bfe46214a944653ef401cc30789b44b71e1957
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:13:44 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:13:44 +0000

    www-servers/thttpd: treeclean
    
    Bug: https://bugs.gentoo.org/769758
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                              |   5 -
 www-servers/thttpd/Manifest                        |   1 -
 .../thttpd/files/thttpd-renamed-htpasswd.patch     | 108 ---------------------
 www-servers/thttpd/files/thttpd.conf.sample        |  38 --------
 www-servers/thttpd/files/thttpd.confd.1            |  35 -------
 www-servers/thttpd/files/thttpd.init.1             |  34 -------
 www-servers/thttpd/files/thttpd.logrotate          |  12 ---
 www-servers/thttpd/metadata.xml                    |  11 ---
 www-servers/thttpd/thttpd-2.27.1-r2.ebuild         |  67 -------------
 www-servers/thttpd/thttpd-9999.ebuild              |  67 -------------
 10 files changed, 378 deletions(-)
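
The defect class named in this bug's description, shown as an added example (not code from sthttpd, the ebuild, or any commenter): collapsing a path in place copies the tail of the string leftward inside the same buffer, so source and destination overlap, and the copy has to be `memmove` rather than `strcpy`. The names `shift_left` and `normalize_path` and the sample path are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Overlap-safe stand-in for strcpy(dst, src) when both pointers lie in the
 * same buffer. strcpy/memcpy on overlapping objects is undefined behaviour;
 * memmove is defined for it. The +1 carries the terminating NUL along. */
static void shift_left(char *dst, const char *src)
{
    memmove(dst, src, strlen(src) + 1);
}

/* Hypothetical in-place normalizer (not sthttpd's de_dotdot): collapses
 * "//", drops "/./", and resolves "xxx/../". Returns its argument. */
char *normalize_path(char *file)
{
    char *cp, *cp2;

    while ((cp = strstr(file, "//")) != NULL) {      /* runs of '/' -> one */
        for (cp2 = cp + 2; *cp2 == '/'; ++cp2)
            continue;
        shift_left(cp + 1, cp2);
    }
    while ((cp = strstr(file, "/./")) != NULL)       /* "/./" -> "/" */
        shift_left(cp, cp + 2);
    for (;;) {
        while (strncmp(file, "../", 3) == 0)         /* leading "../" */
            shift_left(file, file + 3);
        if ((cp = strstr(file, "/../")) == NULL)
            break;
        /* Walk back to the start of the segment before "/../" without
         * ever forming a pointer below the start of the buffer. */
        for (cp2 = cp; cp2 > file && cp2[-1] != '/'; --cp2)
            continue;
        shift_left(cp2, cp + 4);                     /* drop "xxx/../" */
    }
    return file;
}

int main(void)
{
    char p[] = "a//b/./c/../../d/../../e";           /* constructed sample */
    printf("%s\n", normalize_path(p));
    return 0;
}
```

Building a routine like this with `-fsanitize=address` makes any remaining overlapping `strcpy`/`memcpy` call abort with a `memcpy-param-overlap` report during testing, independent of how the local libc implements `strcpy`.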