| Field | Value |
|---|---|
| Summary | Bump request for net-misc/htpdate to 1.0.4 (1.0.0 in portage) due to buffer overflows and memory leaks |
| Product | Gentoo Linux |
| Reporter | Daniel Lange <DLange> |
| Component | New packages |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | dertobi123, ikelos, web-apps |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.clevervest.com/twiki/bin/view/HTP/ChangelogC |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Attachments | htpdate-1.0.1-sumtimes-overflow.patch |

Description
Daniel Lange
2008-10-22 22:33:32 UTC
It's not clear if this overflow is exploitable, but I thought I'd send it through to security just in case...

Original bug report:
https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940

Looking at the code I could not convince myself that the integer overflow of the "sumtimes" variable would lead to a buffer overflow or underflow situation. I inquired upstream for more information.

Created attachment 169570
htpdate-1.0.1-sumtimes-overflow.patch

Why not just bump to the newest version?
The patch is for an interim version which is again outdated.
From the changelog linked above:
Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas Bohne-Lang)

Adding the maintainer

*cough* 1.0.4 is in CVS.

(In reply to comment #4)
> Why not just bump to the newest version?
> The patch is for an interim version which is again outdated.
> From the changelog linked above:
> Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas
> Bohne-Lang)

It is my understanding, this is a client (and not a daemon) application, so memory leaks do not constitute security issues. The patch was attached for future reference *if* the integer overflow was relevant for security.

(In reply to comment #6)
> It is my understanding, this is a client (and not a daemon) application, so
> memory leaks do not constitute security issues. The patch was attached for
> future reference *if* the integer overflow was relevant for security.

htpdate can also run as a daemon, we provide an init script.

Sorry about that, no idea where I came up with web-apps from, thought they were the maintainer for some reason...

(In reply to comment #2)
> Original bug report:
> https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940
>
> Looking at the code I could not convince myself that the integer
> overflow of the "sumtimes" variable would lead to a buffer overflow or
> underflow situation. I inquired upstream for more information.

Upstream states:
'Sorry for the wrong wordings, but it is indeed "only" an integer overflow.'

(In reply to comment #7)
> htpdate can also run as a daemon, we provide an init script.

It does not seem one can remotely trigger those memleaks, so I'm closing this bug from a security POV.