bump request to newest version as 1.0.0 in tree is insecure
Reproducible: Always
It's not clear if this overflow is exploitable, but I thought I'd send it through to security just in case...
Original bug report: https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940
Looking at the code I could not convince myself that the integer overflow of the "sumtimes" variable would lead to a buffer overflow or underflow situation. I inquired upstream for more information.
Created attachment 169570: htpdate-1.0.1-sumtimes-overflow.patch
Why not just bump to the newest version? The patch is for an interim version which is again outdated. From the changelog linked above: Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas Bohne-Lang)
Adding the maintainer *cough* 1.0.4 is in CVS.
(In reply to comment #4)
> Why not just bump to the newest version?
> The patch is for an interim version which is again outdated.
> From the changelog linked above:
> Changes in 1.0.4: Fixed a memory leak (reported and fixed by Andreas
> Bohne-Lang)
It is my understanding, this is a client (and not a daemon) application, so memory leaks do not constitute security issues. The patch was attached for future reference *if* the integer overflow was relevant for security.
(In reply to comment #6)
> It is my understanding, this is a client (and not a daemon) application, so
> memory leaks do not constitute security issues. The patch was attached for
> future reference *if* the integer overflow was relevant for security.
htpdate can also run as a daemon, we provide an init script.
Sorry about that, no idea where I came up with web-apps from, thought they were the maintainer for some reason...
(In reply to comment #2)
> Original bug report:
> https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940
>
> Looking at the code I could not convince myself that the integer
> overflow of the "sumtimes" variable would lead to a buffer overflow or
> underflow situation. I inquired upstream for more information.
Upstream states: 'Sorry for the wrong wordings, but it is indeed "only" an integer overflow.'
(In reply to comment #7)
> htpdate can also run as a daemon, we provide an init script.
It does not seem one can remotely trigger those memleaks, so I'm closing this bug from a security POV.