Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 243294 - Bump request for net-misc/htpdate to 1.0.4 (1.0.0 in portage) due to buffer overflows and memory leaks
Summary: Bump request for net-misc/htpdate to 1.0.4 (1.0.0 in portage) due to buffer o...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.clevervest.com/twiki/bin/v...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-22 22:33 UTC by Daniel Lange
Modified: 2008-10-24 14:22 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
htpdate-1.0.1-sumtimes-overflow.patch (htpdate-1.0.1-sumtimes-overflow.patch,733 bytes, patch)
2008-10-23 14:32 UTC, Robert Buchholz (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Lange 2008-10-22 22:33:32 UTC
bump request to newest version as 1.0.0 in tree is insecure

Reproducible: Always
Comment 1 Mike Auty gentoo-dev 2008-10-23 09:30:54 UTC
It's not clear if this overflow is exploitable, but I thought I'd send it through to security just in case...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 14:31:43 UTC
Original bug report:
https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940

Looking at the code I could not convince myself that the integer 
overflow of the "sumtimes" variable would lead to a buffer overflow or 
underflow situation. I inquired upstream for more information.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 14:32:28 UTC
Created attachment 169570 [details, diff]
htpdate-1.0.1-sumtimes-overflow.patch
Comment 4 Daniel Lange 2008-10-23 15:13:50 UTC
Why not just bump to the newest version?
The patch if for an interim version which is again outdated.
From the changelog linked above:
Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas Bohne-Lang)
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 15:35:56 UTC
Adding the maintainer *cough*

1.0.4 is in CVS.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-23 15:39:53 UTC
(In reply to comment #4)
> Why not just bump to the newest version?
> The patch if for an interim version which is again outdated.
> From the changelog linked above:
> Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas
> Bohne-Lang)

It is my understanding, this is a client (and not a daemon) application, so memory leaks do not constitute security issues. The patch was attached for future reference *if* the integer overflow was relevant for security.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-23 15:47:14 UTC
(In reply to comment #6)
> It is my understanding, this is a client (and not a daemon) application, so
> memory leaks do not constitute security issues. The patch was attached for
> future reference *if* the integer overflow was relevant for security.

htpdate can also run as a daemon, we provide an init skript.
Comment 8 Mike Auty gentoo-dev 2008-10-23 16:20:50 UTC
Sorry about that, no idea where I came up with web-apps from, thought they were the maintainer for some reason...
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 14:18:48 UTC
(In reply to comment #2)
> Original bug report:
> https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940
> 
> Looking at the code I could not convince myself that the integer 
> overflow of the "sumtimes" variable would lead to a buffer overflow or 
> underflow situation. I inquired upstream for more information.

Upstream states:
'Sorry for the wrong wordings, but it is indeed "only" an integer overflow.'
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 14:22:30 UTC
(In reply to comment #7)
> htpdate can also run as a daemon, we provide an init skript.

It does not seem one can remotely trigger those memleaks, so I'm closing this bug from a security POV.