| Summary: | www-servers/thttpd: potential oob write CVE-2007-0158 | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Tavis Ormandy (RETIRED) <taviso> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | www-servers+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2? [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | | | |
Created attachment 105364 [details, diff]
patch for this issue
www-servers please advise.

thttpd-2.25b-r6 applies the patch from taviso and is now in the tree. Arches, please test and mark stable.

thttpd-2.25b-r6 ppc stable.

x86 stable, we are last.

Please vote for glsa.

I tend to vote NO.

padawan vote NO.

NO as well from me, closing with noglsa. Thanks everyone.
In libhttpd.c, expand_symlinks() around line 1492, this line assumes strlen(path) is always > 0, but this isn't the case:

... `if ( rest[restlen - 1] == '/' ) rest[--restlen] = '\0'; /* trim trailing slash */` ...

By sending a request that after normalization is empty (e.g. GET /../), if the byte before the rest heap buffer is 0x2f, a '\0' is written one byte before the buffer. restlen here could wrap to SIZE_MAX and do some more damage. There's a similar case earlier in the function, but it requires stat("", foo) to return success. I emailed the maintainer before Christmas, and again after New Year, and no response. I think this would be very unlikely to be exploitable, but we should fix it to be safe. Patch attached.
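The following is an added example, not code from the bug report, from the attached patch, or from thttpd itself. It shows the guarded form of the trailing-slash trim described above (the `restlen > 0` check is the fix), a helper that reports when the unguarded original subscript `rest[restlen - 1]` would fall outside the buffer, and a deliberately simplified, constructed model of request-path normalization that is not thttpd's expand_symlinks() but is enough to show how `/../` collapses to an empty string and reaches the trim with `restlen == 0`. The function names and the guard-byte layout in main() are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hardened form of the trim in expand_symlinks(). The original indexed
 * rest[restlen - 1] unconditionally, so for an empty `rest` (restlen == 0)
 * it read the byte before the buffer and, if that byte was '/', wrote a
 * '\0' there while restlen wrapped to SIZE_MAX. Checking restlen > 0 first
 * is the fix. Returns the new length. */
size_t trim_trailing_slash(char *rest, size_t restlen)
{
    if (restlen > 0 && rest[restlen - 1] == '/')
        rest[--restlen] = '\0';   /* trim trailing slash */
    return restlen;
}

/* Reports whether the unguarded expression rest[restlen - 1] would index
 * outside the buffer for this length: only restlen == 0, where the
 * unsigned subtraction wraps to SIZE_MAX. */
int unguarded_trim_is_oob(size_t restlen)
{
    return restlen == 0;
}

/* Constructed model of request-path normalization (hypothetical, not
 * thttpd's code): leading and repeated '/' are dropped, "." components are
 * ignored, ".." pops the previous component, and a trailing '/' after a
 * non-empty path is kept. "/../" therefore normalizes to "", which is the
 * input that reaches the trim with restlen == 0. Returns the length of the
 * normalized path written to `out` (always NUL-terminated if outsz > 0). */
size_t normalize_request_path(const char *uri, char *out, size_t outsz)
{
    size_t len = 0;
    const char *p = uri;

    if (outsz == 0)
        return 0;
    out[0] = '\0';

    while (*p) {
        while (*p == '/')                 /* skip one or more slashes */
            p++;
        const char *start = p;
        while (*p && *p != '/')           /* scan one path component */
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0)
            break;

        if (clen == 1 && start[0] == '.') {
            /* "." changes nothing */
        } else if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* ".." pops the previous component and its separator */
            if (len > 0 && out[len - 1] == '/')
                len--;
            while (len > 0 && out[len - 1] != '/')
                len--;
        } else {
            if (len + clen + 1 >= outsz)  /* leave room for '/' and NUL */
                break;
            memcpy(out + len, start, clen);
            len += clen;
        }
        /* keep a single separator between components and a trailing one */
        if (*p == '/' && len > 0 && out[len - 1] != '/' && len + 1 < outsz)
            out[len++] = '/';
    }
    out[len] = '\0';
    return len;
}

int main(void)
{
    /* Guard byte placed just before `rest` stands in for the byte that
     * precedes the heap buffer in the report (0x2f = '/'). */
    char buf[1 + 64];
    buf[0] = '/';
    char *rest = buf + 1;

    size_t restlen = normalize_request_path("/../", rest, sizeof buf - 1);
    printf("normalized '/../' -> \"%s\" (len %zu), unguarded trim oob: %d\n",
           rest, restlen, unguarded_trim_is_oob(restlen));
    restlen = trim_trailing_slash(rest, restlen);
    printf("after guarded trim: len %zu, guard byte intact: %d\n",
           restlen, buf[0] == '/');

    restlen = normalize_request_path("/a/b/../c/", rest, sizeof buf - 1);
    restlen = trim_trailing_slash(rest, restlen);
    printf("normalized '/a/b/../c/' then trimmed -> \"%s\"\n", rest);
    return 0;
}
```

The guard byte in main() is the cheap way to confirm the fix: with the guarded trim the byte before the buffer is never read or written, whatever the request collapses to, whereas the original expression would have tested it for '/' and overwritten it with '\0'.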