Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 281956 (CVE-2009-2732) - <=net-analyzer/ntop-3.3.10: HTTP Authorization header DoS (CVE-2009-2732)
Summary: <=net-analyzer/ntop-3.3.10: HTTP Authorization header DoS (CVE-2009-2732)
Status: RESOLVED FIXED
Alias: CVE-2009-2732
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-18 19:36 UTC by Chris Rogers
Modified: 2010-08-14 14:25 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Rogers 2009-08-18 19:36:56 UTC 
When a null/invalid HTTP authorization header is received by ntop, it base64 decodes the null value.  Because no colon is present, the username string is left NULL.  During authentication, ntop uses strlen() for the username, which results in a segmentation fault.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-21 20:02:33 UTC 
CVE-2009-2732 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2732):
  The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and daemon crash) via an Authorization HTTP header that
  lacks a : (colon) character in the base64-decoded string.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-21 20:04:39 UTC 
Emailed upstream for advice.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 23:36:24 UTC 
No new version yet.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-14 18:55:18 UTC 
Patch here (also in ntop SVN):

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=CVE-2009-2732.patch;att=1;bug=543312

Please provide an updated ebuild.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-18 12:54:44 UTC 
That patch is applied in =net-analyzer/ntop-3.3.10-r2
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-18 19:38:53 UTC 
Arches, please test and mark stable:
=net-analyzer/ntop-3.3.10-r2
Target keywords : "amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-19 15:38:37 UTC 
x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2010-01-19 15:59:46 UTC 
ppc and ppc64 done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-19 17:15:53 UTC 
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-01-22 18:39:30 UTC 
arm/ia64/s390/sh/sparc stable
Comment 11 Richard Freeman gentoo-dev 2010-01-31 13:36:47 UTC 
amd64 stable
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-07 20:41:10 UTC 
GLSA vote: NO.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:25:19 UTC 
NO too, closing.