Bug 296334

Summary: net-proxy/polipo: httpClientDiscardBody() Signedness Error Denial of Service
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: net-proxy+disabled, radhermit
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.exploit-db.com/exploits/10338
Whiteboard: B4 [ebuild]
Package list:
Runtime testing required: ---
Bug Depends on: 300173
Bug Blocks:

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-12-09 18:13:55 UTC
Remote DOS is possible.

# polipo-20080907/client.c [1001-1009]:
#
#     if(connection->reqlen > connection->reqbegin) {
#         memmove(connection->reqbuf, connection->reqbuf + connection->reqbegin,
#                 connection->reqlen - connection->reqbegin);
#         connection->reqlen -= connection->reqbegin;
#         connection->reqbegin = 0;
#     } else {
#         connection->reqlen = 0;
#         connection->reqbegin = 0;
#     }
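
The signedness problem named in the summary, shown against the snippet quoted above (an added example, not part of the original report and not polipo's code): the guard `reqlen > reqbegin` is a signed comparison, so it also passes when `reqbegin` is negative, and a bounds check on both offsets closes that path. `struct conn`, the `bufsize` field, both function names and the signed `int` field types are assumptions of this example; the change actually made in polipo-1.0.4.1 is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields used in the quoted snippet.
 * Signed int offsets and the bufsize field are assumptions. */
struct conn {
    char  *reqbuf;
    size_t bufsize;   /* allocated size of reqbuf */
    int    reqlen;    /* bytes of request data held in reqbuf */
    int    reqbegin;  /* offset of the first unconsumed byte */
};

/* The guard from the quoted snippet, isolated. It also holds for a
 * negative reqbegin, and the memmove length then exceeds reqlen.
 * Returns that length, or -1 when the else branch would run. */
long long quoted_guard_length(int reqlen, int reqbegin)
{
    if (reqlen > reqbegin)
        return (long long)reqlen - reqbegin;
    return -1;
}

/* Hardened compaction: enforce 0 <= reqbegin <= reqlen <= bufsize before
 * touching memory. Returns 0 on success, or -1 with the state left
 * unchanged so the caller can drop the connection. */
int compact_reqbuf(struct conn *c)
{
    if (c == NULL || c->reqbuf == NULL)
        return -1;
    if (c->reqbegin < 0 || c->reqlen < 0)
        return -1;
    if (c->reqbegin > c->reqlen || (size_t)c->reqlen > c->bufsize)
        return -1;
    size_t remaining = (size_t)(c->reqlen - c->reqbegin);
    if (remaining > 0)
        memmove(c->reqbuf, c->reqbuf + c->reqbegin, remaining);
    c->reqlen = (int)remaining;
    c->reqbegin = 0;
    return 0;
}

int main(void)
{
    char buf[16] = "AAAAhello";            /* constructed sample data */
    struct conn bad = { buf, sizeof buf, 9, -4 };
    printf("quoted guard would move %lld bytes\n", quoted_guard_length(9, -4));
    printf("hardened check returns %d\n", compact_reqbuf(&bad));
    return 0;
}
```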
Comment 1 Tim Harder gentoo-dev 2010-04-11 09:55:35 UTC
This appears to be fixed in polipo-1.0.4.1. See bug #300173 for simple ebuild updates from polipo-1.0.4 to 1.0.4.1.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:40:26 UTC

*** This bug has been marked as a duplicate of bug 300173 ***