Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 217986 (CVE-2008-1771) - <media-sound/mt-daapd- ws_getpostvars() Integer overflow (CVE-2008-1771)
Summary: <media-sound/mt-daapd- ws_getpostvars() Integer overflow (CVE-2008-1771)
Alias: CVE-2008-1771
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [noglsa]
Depends on:
Reported: 2008-04-16 17:32 UTC by Robert Buchholz (RETIRED)
Modified: 2014-02-09 11:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-04-16 17:32:40 UTC
CVE-2008-1771 (
  Integer overflow in the ws_getpostvars function in Firefly Media Server
  (formerly mt-daapd) (0.9~r1696-1.2 on Debian) allows remote attackers
  to cause a denial of service (crash) and possibly execute arbitrary code via
  an HTTP POST request with a large Content-Length.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 19:50:48 UTC
nion proposed a fix for the 0.9 svn trunk.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-12 00:53:45 UTC was released with a fix. Please update the ebuild
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 21:04:16 UTC
(In reply to comment #2)
> was released with a fix. Please update the ebuild

Comment 4 Peter Alfredsen (RETIRED) gentoo-dev 2008-07-06 22:03:50 UTC
+*mt-daapd- (06 Jul 2008)
+  06 Jul 2008; Peter Alfredsen <>
+  +files/mt-daapd-, +mt-daapd-
+  Security bump for CVE-2008-1771 wrt bug #217986.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 22:11:07 UTC
Arches, please test and mark stable:
Target keywords : "amd64 arm ppc sh sparc x86"
Comment 6 Markus Meier gentoo-dev 2008-07-07 20:45:12 UTC
amd64/x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-08 17:02:14 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-07-09 11:07:06 UTC
sparc stable
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-09 11:11:33 UTC
arches stable... ready for GLSA

But there is still bug 204063, could someone verify if this version is still affected by that issue or not please. To me it appeared to be.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-09-27 16:25:09 UTC
arm/sh stable
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-01-11 17:36:18 UTC
I would like to issue a glsa for it, since the severity of the current bug is higher than bug 204063.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:40:07 UTC
GLSA request was filed (but no one wrote the glsa yet).
Comment 13 Sergey Popov gentoo-dev 2014-02-09 11:08:14 UTC
Fixed long time ago