www-servers/mini_httpd 1.19 (now more than six years old) apparently has a 32-bit limit on file sizes. Placing a larger file in the www directory produces random results (with extraneous characters retured in a directory listing, for example). This seems like an overflow. I don't really know about the ease with which one can exploit this issue, but I certainly don't feel willing to trust it at this point.
Will treeclean this then
(In reply to comment #1) > Will treeclean this then I agree, that code base is ancient. On a related note, I just asked upstream about thttpd which they also developed. Although more popular, that code base is also old and we have eleven patches in the tree to address issues back to 2006. If upstream is not willing to start incorporating some of the more fundamental fixes, then I think thttpd may be slated for the same fate.
(In reply to comment #2) > (In reply to comment #1) > > Will treeclean this then > > I agree, that code base is ancient. > > On a related note, I just asked upstream about thttpd which they also > developed. Although more popular, that code base is also old and we have > eleven patches in the tree to address issues back to 2006. If upstream is > not willing to start incorporating some of the more fundamental fixes, then > I think thttpd may be slated for the same fate. Opened bug 409553 for that issue then ;)
dropped
I am going to rate this as info leak. GLSA Vote: no.
Sorry, I guess I missed this the other day when I did the GLSA for bug 303755. GLSA vote: no. Closing noglsa.
