
Bug 243294

Summary: Bump request for net-misc/htpdate to 1.0.4 (1.0.0 in portage) due to buffer overflows and memory leaks
Product: Gentoo Linux
Reporter: Daniel Lange <DLange>
Component: New packages
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: dertobi123, ikelos, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.clevervest.com/twiki/bin/view/HTP/ChangelogC
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: htpdate-1.0.1-sumtimes-overflow.patch

Description Daniel Lange 2008-10-22 22:33:32 UTC
bump request to newest version as 1.0.0 in tree is insecure

Reproducible: Always
Comment 1 Mike Auty (RETIRED) gentoo-dev 2008-10-23 09:30:54 UTC
It's not clear if this overflow is exploitable, but I thought I'd send it through to security just in case...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 14:31:43 UTC
Original bug report:
https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940

Looking at the code I could not convince myself that the integer 
overflow of the "sumtimes" variable would lead to a buffer overflow or 
underflow situation. I inquired upstream for more information.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 14:32:28 UTC
Created attachment 169570
htpdate-1.0.1-sumtimes-overflow.patch
Comment 4 Daniel Lange 2008-10-23 15:13:50 UTC
Why not just bump to the newest version?
The patch is for an interim version which is again outdated.
From the changelog linked above:
Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas Bohne-Lang)
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 15:35:56 UTC
Adding the maintainer *cough*

1.0.4 is in CVS.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 15:39:53 UTC
(In reply to comment #4)
> Why not just bump to the newest version?
> The patch is for an interim version which is again outdated.
> From the changelog linked above:
> Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas
> Bohne-Lang)

It is my understanding, this is a client (and not a daemon) application, so memory leaks do not constitute security issues. The patch was attached for future reference *if* the integer overflow was relevant for security.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 15:47:14 UTC
(In reply to comment #6)
> It is my understanding, this is a client (and not a daemon) application, so
> memory leaks do not constitute security issues. The patch was attached for
> future reference *if* the integer overflow was relevant for security.

htpdate can also run as a daemon, we provide an init script.
Comment 8 Mike Auty (RETIRED) gentoo-dev 2008-10-23 16:20:50 UTC
Sorry about that, no idea where I came up with web-apps from, thought they were the maintainer for some reason...
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 14:18:48 UTC
(In reply to comment #2)
> Original bug report:
> https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940
> 
> Looking at the code I could not convince myself that the integer 
> overflow of the "sumtimes" variable would lead to a buffer overflow or 
> underflow situation. I inquired upstream for more information.

Upstream states:
'Sorry for the wrong wordings, but it is indeed "only" an integer overflow.'
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 14:22:30 UTC
(In reply to comment #7)
> htpdate can also run as a daemon, we provide an init script.

It does not seem one can remotely trigger those memleaks, so I'm closing this bug from a security POV.