Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 301909

Summary: overflow in www-servers/mini_httpd
Product: Gentoo Security Reporter: ta2002 <throw_away_2002>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: www-servers+disabled
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description ta2002 2010-01-23 13:03:49 UTC 
www-servers/mini_httpd 1.19 (now more than six years old) apparently has a 32-bit limit on file sizes. Placing a larger file in the www directory produces random results (with extraneous characters retured in a directory listing, for example). This seems like an overflow. I don't really know about the ease with which one can exploit this issue, but I certainly don't feel willing to trust it at this point.
Comment 1 Pacho Ramos gentoo-dev 2012-03-20 11:44:02 UTC 
Will treeclean this then
Comment 2 Anthony Basile gentoo-dev 2012-03-24 13:01:32 UTC 
(In reply to comment #1)
> Will treeclean this then

I agree, that code base is ancient.

On a related note, I just asked upstream about thttpd which they also developed.  Although more popular, that code base is also old and we have eleven patches in the tree to address issues back to 2006.  If upstream is not willing to start incorporating some of the more fundamental fixes, then I think thttpd may be slated for the same fate.
Comment 3 Pacho Ramos gentoo-dev 2012-03-24 13:24:47 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > Will treeclean this then
> 
> I agree, that code base is ancient.
> 
> On a related note, I just asked upstream about thttpd which they also
> developed.  Although more popular, that code base is also old and we have
> eleven patches in the tree to address issues back to 2006.  If upstream is
> not willing to start incorporating some of the more fundamental fixes, then
> I think thttpd may be slated for the same fate.

Opened bug 409553 for that issue then ;)
Comment 4 Pacho Ramos gentoo-dev 2012-04-23 18:26:13 UTC 
dropped
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-05-11 17:25:07 UTC 
I am going to rate this as info leak. GLSA Vote: no.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-16 00:54:19 UTC 
Sorry, I guess I missed this the other day when I did the GLSA for bug 303755.

GLSA vote: no.

Closing noglsa.