Summary: | www-servers/bozohttpd segmentation fault (PATCH was merged upstream. Need version bump) | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Hadrien Lacour <hadrien.lacour> |
Component: | Current packages | Assignee: | No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | jstein, sam |
Priority: | Normal | Keywords: | PATCH, PMASKED |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Hadrien Lacour
2020-10-04 00:09:07 UTC
Since the default service configuration makes it run as root (need to uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security news is warranted?

(In reply to Hadrien Lacour from comment #1)
> Since the default service configuration makes it run as root (need to
> uncomment the "USER=daemon" line in /etc/conf.d/bozohttpd), maybe a security
> news is warranted?

I'm not sure what you mean by "security news", but since it seems this crash comes about after building with a modified ebuild, that would be an invalid bug for Gentoo. Please reopen if you can reproduce this issue with the ebuild that Gentoo ships. If that is a valid build configuration to upstream, I would also encourage you to report the issue upstream too.

The segfault can be reproduced with the default ebuild:

    $ mkdir www
    $ echo 'hello world' >www/test.txt
    $ bozohttpd -b -f -i localhost -I 8000 -s -X www &
    $ firefox 'http://localhost:8000/test.txt'

After loading, refresh the page

    $ dmesg | tail -n2
    [ 9743.332360] bozohttpd[10826]: segfault at 666cb75d ip 0000556f6648e6a2 sp 00007fff0eb36540 error 4 in bozohttpd[556f66485000+15000]
    [ 9743.332368] Code: 6f 78 4d 85 ed 74 3e 4c 8d 64 24 50 31 c0 48 8d 35 6e 6d 00 00 4c 89 ef 4c 89 e2 e8 68 c4 ff ff 85 c0 0f 84 30 05 00 00 48 98 <80> 38 00 75 16 4c 89 e7 e8 61 c4 ff ff 48 39 84 24 e8 00 00 00 0f

The command line is the same as the bundled server with default configuration, only with -f (foreground) and -s (stderr logging) added.

bundled service*

http://www.eterna.com.au/bozohttpd/CHANGES

..

changes in bozohttpd 20201014:
    o also set -D_GNU_SOURCE in Makefile.boot. from hadrien.lacour@posteo.net.
    o fix array size botch (assertion, not exploitable.) from martin@netbsd.org.
    o also match %2F as well as %2f. from leah@vuxu.org.
    o many manual and help fixes. clean ups for higher lint levels, consistency/style clean ups. various option fixes including made -f imply -b. from <henrik@gulbra.net> for freebsd.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab1a41182e784453a1e46048a0c963e161b1e99c

commit ab1a41182e784453a1e46048a0c963e161b1e99c
Author: Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-03-02 12:23:09 +0000
Commit: Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-03-02 12:26:12 +0000

    www-servers/bozohttpd: treeclean

    Closes: https://bugs.gentoo.org/830428
    Closes: https://bugs.gentoo.org/713614
    Closes: https://bugs.gentoo.org/746356
    Closes: https://bugs.gentoo.org/746404
    Closes: https://bugs.gentoo.org/746416
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 profiles/package.mask                            |  5 ----
 www-servers/bozohttpd/Manifest                   |  1 -
 www-servers/bozohttpd/bozohttpd-20190228.ebuild  | 35 ----------------------
 www-servers/bozohttpd/files/bozohttpd.conffile   | 11 -------
 www-servers/bozohttpd/files/bozohttpd.initscript | 37 ------------------------
 www-servers/bozohttpd/metadata.xml               |  9 ------
 6 files changed, 98 deletions(-)