| Summary: | www-servers/thttpd init script/config file fails to set docroot | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Laurence Withers <l> |
| Component: | New packages | Assignee: | www-servers Herd (OBSOLETE) <www-servers+disabled> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dsd, security, wschlich |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 144335 | | |
| Attachments: | strace session; thttpd init.d patch | | |
Description
Laurence Withers
2006-07-28 16:38:54 UTC
Created attachment 92964 [details]
strace session
On line 33, you can see a chdir("/"); on line 34, you can see start-stop-daemon execute thttpd.
Created attachment 96170 [details, diff]
thttpd init.d patch
ebuild should also be bumped in portage

I just stumbled over this and have some news :) This only seems to happen with newer baselayout versions (and thus, start-stop-daemon versions):

--chdir or dir= in config not necessary with:
=sys-apps/baselayout-1.11.14-r6

--chdir or dir= in config not necessary with:
=sys-apps/baselayout-1.12.6

whoops! (In reply to comment #4)
> --chdir or dir= in config not necessary with:
> =sys-apps/baselayout-1.11.14-r6
>
> --chdir or dir= in config not necessary with:
> =sys-apps/baselayout-1.12.6

The second 'not' is misplaced :) so --chdir or dir= in config *are* necessary with newer baselayouts.

This issue just opened up a root (/) on one webserver I am taking care of! So, older versions of the thttpd package combined with newer versions of baselayout open up a f***ing big security hole! :-(

@security: please think about issuing a GLSA for older thttpd package versions. We must not leave the user alone here.

Requesting GLSA...

old GLSA 200701-28
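The exposure discussed in this thread (thttpd inheriting start-stop-daemon's working directory, `/`, as its document root when neither `dir=` in the config nor `--chdir` in the init script pins it) as an added audit check. This is not code from the bug, its patch or the Gentoo package; it assumes thttpd's `dir=<path>` config syntax and a start-stop-daemon line using `--chdir` or thttpd's `-d`, and the sample files it writes are constructed here.

```shell
#!/bin/sh
# Added check, not code from this bug or the Gentoo thttpd package: decide
# whether a thttpd instance has its document root pinned, or would fall back
# to the working directory start-stop-daemon leaves it in (chdir("/")).
# Assumed layout: thttpd.conf uses "dir=<path>"; the init script pins the
# directory with start-stop-daemon's --chdir or thttpd's -d option.

# Print the docroot from a thttpd config file (last dir= wins), or nothing.
thttpd_conf_docroot() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep '^dir=' | tail -n 1 | cut -d= -f2-
}

# Print the directory an init script passes via --chdir or -d, or nothing.
thttpd_init_docroot() {
    grep -o -E -- '(--chdir|-d)[[:space:]]+[^[:space:]"]+' "$1" \
        | tail -n 1 | awk '{print $2}'
}

# Exit 0 when the docroot is pinned to something other than /;
# exit 1 when thttpd would serve whatever directory it was started in.
thttpd_docroot_ok() {
    d=$(thttpd_conf_docroot "$1")
    [ -n "$d" ] || d=$(thttpd_init_docroot "$2")
    case "$d" in
        ""|/) return 1 ;;
        *)    return 0 ;;
    esac
}

# Constructed sample files (not taken from the bug) for a self-contained run.
make_samples() {
    s=$(mktemp -d)
    printf '%s\n' '# constructed thttpd.conf' 'port=80' 'user=thttpd' > "$s/bad.conf"
    printf '%s\n' 'port=80' 'dir=/var/www/localhost/htdocs  # docroot' > "$s/good.conf"
    printf '%s\n' 'start-stop-daemon --start --exec /usr/sbin/thttpd -- -C /etc/thttpd.conf' > "$s/bad.init"
    printf '%s\n' 'start-stop-daemon --start --chdir /var/www/localhost/htdocs --exec /usr/sbin/thttpd -- -C /etc/thttpd.conf' > "$s/good.init"
    echo "$s"
}

# Stand-alone run: report each config/init combination.
S=$(make_samples)
for conf in bad good; do
    for init in bad good; do
        if thttpd_docroot_ok "$S/$conf.conf" "$S/$init.init"; then r=pinned; else r=EXPOSED; fi
        echo "$conf.conf + $init.init: docroot $r"
    done
done
```

Only the bad.conf + bad.init pair reports EXPOSED; the same two functions can be pointed at a real /etc/thttpd.conf and /etc/init.d/thttpd to audit an installed host.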