Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 90851 - www-servers/pound: "add_port()" Function Buffer Overflow Vulnerability
Summary: www-servers/pound: "add_port()" Function Buffer Overflow Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa] koon
Depends on:
Reported: 2005-04-29 06:23 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-04-30 07:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-29 06:23:05 UTC
Steven Van Acker has reported a vulnerability in Pound, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the "add_port()" function and can be exploited to cause a buffer overflow by supplying an overly long hostname.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.8.2. Prior versions may also be affected.

Update to version 1.8.3.

Provided and/or discovered by:
Steven Van Acker

Original Advisory:
Comment 1 solar (RETIRED) gentoo-dev 2005-04-29 06:27:57 UTC
Existing Keywords: pound-1.7:  ppc ~hppa x86 ~mips ~sparc alpha
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-04-29 06:33:34 UTC
web-apps herd, please bump to 0.8.3
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-04-29 07:50:40 UTC
In cvs, x86 stable.  CC'd archs please mark stable.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-29 10:24:03 UTC
Stable on ppc.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-30 01:03:26 UTC
Stable on alpha.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-30 07:41:57 UTC
GLSA 200504-29
Thanks Jean-Fran
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-04-30 07:41:57 UTC
GLSA 200504-29
Thanks Jean-François for the draft :)