
Bug 446994

Summary: www-servers/thttpd : DoS
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: blueness
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.novell.com/show_bug.cgi?id=783165
Whiteboard:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-12-12 13:09:03 UTC
From $URL :

While reading source code, I noticed that local attackers with the ability to
alter .htpasswd files could cause a Denial of Service in thttpd by
specially-crafting them, with e.g.:

$ echo 'foo:$2a$a875CeSLbja8w' >> .htpasswd

Authenticating then triggers the issue:

Jun 20 17:12:02 g193 kernel: [716329.025980] thttpd[14458]: segfault at 0 ip b7741f38 sp bfa5019c error 4 in libc-2.11.3.so[b76cc000+166000]

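
The entry in the report is a hash field that does not follow any crypt(3) layout, and a "segfault at 0" inside libc is consistent with a server dereferencing a NULL pointer that crypt() returned for the unusable salt. The following added example is not thttpd's code and not part of the original bug; it shows the two defensive checks an administrator or a server author would want: a linter that flags malformed .htpasswd entries before they are deployed, and a verification routine that treats a crypt() failure as a mismatch instead of comparing against it. The hash-layout patterns, the sample file and the stand-in crypt function are all constructed for this example.

```python
import hmac
import re

# Layouts of the crypt(3) hash schemes a crypt()-based server such as thttpd
# may meet in an .htpasswd file.  The patterns are constructed for this
# example from the documented salt/hash lengths and are deliberately strict:
# anything that does not match is reported as malformed rather than passed on.
HASH_FORMATS = {
    "des":    re.compile(r"[./0-9A-Za-z]{13}"),
    "md5":    re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    "bcrypt": re.compile(r"\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}"),
    "sha256": re.compile(r"\$5\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}"),
    "sha512": re.compile(r"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}"),
}

# Constructed sample file: three well-formed entries, the malformed entry
# quoted in the report, and a line with no user:hash separator at all.
SAMPLE_HTPASSWD = """\
alice:$1$abcdefgh$0123456789abcdefghijkl
bob:$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
foo:$2a$a875CeSLbja8w
carol:ab0123456789A
this line has no separator
"""


def classify_hash(hash_field):
    """Return the crypt(3) scheme name for a well-formed hash, else None."""
    for name, pattern in HASH_FORMATS.items():
        if pattern.fullmatch(hash_field):
            return name
    return None


def lint_htpasswd(text):
    """Check every entry of an .htpasswd file.

    Returns a list of (line_number, user, verdict) where verdict is the
    scheme name for a good entry or a string starting with "MALFORMED" for
    an entry a server must not hand to crypt() blindly.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, None, "MALFORMED: no user:hash separator"))
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify_hash(hash_field)
        if scheme is None:
            findings.append((lineno, user, "MALFORMED: unrecognised crypt(3) hash layout"))
        else:
            findings.append((lineno, user, scheme))
    return findings


def malformed_entries(text):
    """Only the findings that need fixing before the file is deployed."""
    return [f for f in lint_htpasswd(text) if f[2].startswith("MALFORMED")]


def verify_password(stored_hash, password, crypt_fn):
    """Comparison pattern that cannot crash on a bad stored hash.

    crypt_fn stands in for crypt(3): it is called as crypt_fn(password,
    stored_hash) and may return None (glibc's behaviour for an unsupported
    salt) or a libxcrypt-style '*' failure token.  Both are treated as a
    failed login; only a real hash string is compared, in constant time.
    """
    if classify_hash(stored_hash) is None:
        return False
    computed = crypt_fn(password, stored_hash)
    if computed is None or computed.startswith("*"):
        return False
    return hmac.compare_digest(computed, stored_hash)


if __name__ == "__main__":
    for lineno, user, verdict in lint_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno}: user={user!r} {verdict}")
```

Run over the constructed sample, the linter reports lines 3 and 5 as malformed and classifies the other three entries by scheme. The verification routine shows the guard the crash report calls for: the stored hash is validated before crypt() is called at all, and a None or failure-token result is rejected rather than dereferenced.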
Comment 1 Anthony Basile gentoo-dev 2013-02-26 19:54:04 UTC
I can't reproduce this.  There are lots of differences between the original upstream code and the forked code, including about a dozen or so security fixes.  I didn't try to narrow it down, but given that I can't reproduce the original opensuse bug, I think it's safe to close this.

Thanks for the report but there's nothing to fix.  I'll let you finish the security stuff.