When a null/invalid HTTP authorization header is received by ntop, it base64 decodes the null value. Because no colon is present, the username string is left NULL. During authentication, ntop uses strlen() for the username, which results in a segmentation fault.
CVE-2009-2732 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2732): The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an Authorization HTTP header that lacks a : (colon) character in the base64-decoded string.
Emailed upstream for advice.
No new version yet.
Patch here (also in ntop SVN): http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=CVE-2009-2732.patch;att=1;bug=543312 Please provide an updated ebuild.
That patch is applied in =net-analyzer/ntop-3.3.10-r2
Arches, please test and mark stable: =net-analyzer/ntop-3.3.10-r2 Target keywords : "amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
ppc and ppc64 done
Stable for HPPA.
arm/ia64/s390/sh/sparc stable
amd64 stable
GLSA vote: NO.
NO too, closing.