Putting a zero byte file in htdocs somewhere and then requesting it repeatedly will cause monkeyd to corrupt memory/blow up depending on MALLOC_CHECK_ Dodgy code is: void M_free(void *ptr) { if(ptr!=NULL){ memset(ptr, '\0', sizeof(ptr)); free(ptr); ptr=NULL; } } The memset doesn't do what was intended. This isn't normally visible but the 0 byte file causes monkeyd to malloc(0) which means there is no data allocated to "absorb" the broken memset call. The ptr=NULL thing is also just plain weird :) Problem was spotted by ciaranm and investigated by me. The code is pretty scary, taviso is checking it over some more atm so hold fire on any glsa etc ;)
*** Bug 87917 has been marked as a duplicate of this bug. ***
Is upstream informed yet?
there's a remotely exploitable double expansion in m_build_buffer_from_buffer() example crash to get a bt: printf "GET %%00 HTTP/1.1\nHost: %%500n%%500n\n\n" | nc localhost 2001 It looks like a nice project, but my confidence in the security of the code is low, perhaps we should consider masking it until it matures.
there are alternatives available (i've used thttpd in the past), and there are numerous mistakes like the one ciaran spotted. I think we should mask for now.
I will inform upstream (having discussed it with taviso).
upstream emailed, cc'd security@
Vapier it seems like your baby, please advise.
i dont mind masking it until upstream has had a chance to reply
upstream fixed the first issue and have been sent a patch for the second.
0.9.1 in CVS, stable on x86. CC'd archs please mark stable.
Stable on ppc.
sparc stable.
GLSA 200504-14