
Bug 392581 (CVE-2011-4362)

Summary: <www-servers/lighttpd-1.4.30 : mod_auth out-of-bounds read vulnerability (CVE-2011-4362)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: anton.kochkov, hwoarang, wired, www-servers+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2011/11/29/13
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-11-30 10:10:03 UTC
From oss-security Mailing list at $URL:

for http auth we need to base64-decode user input; the allowed character range includes non ASCII characters above 0x7f. The function to decode this string takes a "const char *in"; and reads each character into an "int ch", which is used as offset in the table.
So characters above 0x7f lead to negative indices (as char is signed on most platforms).

The only possible impact is a segfault, leading to DoS.

There is a proposed patch, but upstream said that they want to release 1.4.30 ASAP.

Upstream bug: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt

Proposed patch:
https://redmine.lighttpd.net/attachments/1323/lighttpd-fix-base64-signedness.patch
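
The signedness problem described in the report above, as an added example (not lighttpd's code and not the proposed patch): `index_signed` returns the negative table index the flawed pattern computes without ever dereferencing it, and `b64_decode_safe` shows one way to avoid it by indexing a 256-entry reverse table through `unsigned char`. All function names and sample inputs here are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Index as the flawed pattern computes it: a signed char widened to int.
 * signed char is spelled out so the result is the same on platforms where
 * plain char is unsigned. The value is only returned, never used as an index. */
int index_signed(const char *in, size_t i) { return (int)(signed char)in[i]; }

/* Hardened index: go through unsigned char, so the result is always 0..255. */
int index_unsigned(const char *in, size_t i) { return (int)(unsigned char)in[i]; }

/* Decode base64 with a 256-entry reverse table indexed by unsigned char.
 * Returns the number of bytes written, or -1 on an invalid character or
 * if out is too small. Decoding stops at '=' padding or the end of input. */
long b64_decode_safe(const char *in, unsigned char *out, size_t outcap) {
    signed char rev[256];
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    memset(rev, -1, sizeof rev);         /* -1 marks "not a base64 character" */
    for (int v = 0; v < 64; v++)
        rev[(unsigned char)b64_alphabet[v]] = (signed char)v;

    for (size_t i = 0; in[i] != '\0' && in[i] != '='; i++) {
        int v = rev[index_unsigned(in, i)];
        if (v < 0)
            return -1;                   /* rejects bytes above 0x7f as well */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            if (n >= outcap)
                return -1;
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (long)n;
}
```
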
Comment 1 Agostino Sarubbo gentoo-dev 2011-12-19 19:21:13 UTC
1.4.30 is out
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-19 19:21:33 UTC
*** Bug 395293 has been marked as a duplicate of this bug. ***
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-12-20 08:36:13 UTC
The ebuild is in portage but wait one week before you stabilize it so people can actually test it
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-12-20 18:44:42 UTC
amd64: pass
Comment 5 Agostino Sarubbo gentoo-dev 2011-12-25 23:22:46 UTC
6 days have passed; I am adding arches since an exploit is also out.

Arches, please test and mark stable:
=www-servers/lighttpd-1.4.30
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-12-25 23:24:31 UTC
amd64 stable, thanks Elijah
Comment 7 Markus Meier gentoo-dev 2011-12-26 12:31:05 UTC
x86 stable
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2011-12-27 00:25:52 UTC
ppc/ppc64 done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-12-27 20:39:24 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-01-01 15:05:27 UTC
alpha/arm/ia64/sh/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-01-01 16:14:31 UTC
Thanks everyone. @Security, please vote.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-01-01 17:45:35 UTC
Thanks, folks. GLSA Vote: yes.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:28:41 UTC
CVE-2011-4362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4362):
  Integer signedness error in the base64_decode function in the HTTP
  authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and
  1.5 before SVN revision 2806 allows remote attackers to cause a denial of
  service (segmentation fault) via crafted base64 input that triggers an
  out-of-bounds read with a negative index.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 01:14:08 UTC
Vote: Yes. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:07 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).