From oss-security Mailing list at $URL:
For HTTP auth we need to base64-decode user input; the allowed character range includes non-ASCII characters above 0x7f. The function to decode this string takes a "const char *in" and reads each character into an "int ch", which is used as an offset into the table.
So characters above 0x7f lead to negative indices (as char is signed on most platforms).
The only possible impact is a segfault, leading to DoS.
There is a proposed patch, but upstream said that they want to release 1.4.30 ASAP.
Upstream bug: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt
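The signedness defect described above, as an added illustration (constructed example, not lighttpd's own http_auth.c): a 128-entry reverse table, the lookup pattern that widens a plain char into a negative index, and the hardened lookup that widens through unsigned char and range-checks before indexing. The decoder below rejects any byte outside the table instead of reading out of bounds; function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Reverse base64 table with only 128 slots; any index outside 0..127
 * is an out-of-bounds read. Filled lazily by init_table(). */
static signed char b64_rev[128];

static void init_table(void) {
    const char *alpha =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(b64_rev, -1, sizeof b64_rev);
    for (int i = 0; i < 64; i++)
        b64_rev[(unsigned char)alpha[i]] = (signed char)i;
}

/* Vulnerable pattern from the advisory: in[] is a plain char, so where
 * char is signed a byte >= 0x80 becomes a negative int and b64_rev[ch]
 * reads before the table (segfault / DoS). Kept for contrast, not used. */
int rev_index_unsafe(const char *in, size_t i) {
    int ch = in[i];
    return b64_rev[ch];
}

/* Hardened lookup: widen through unsigned char so ch is 0..255, then
 * reject anything the 128-entry table cannot hold. */
int rev_index_safe(const char *in, size_t i) {
    unsigned ch = (unsigned char)in[i];
    return ch < 128 ? b64_rev[ch] : -1;
}

/* Decode NUL-terminated base64 into out (capacity cap). Returns the
 * decoded length, or -1 on a non-alphabet byte or output overflow. */
long b64_decode(const char *in, unsigned char *out, size_t cap) {
    init_table();
    unsigned acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; in[i] != '\0' && in[i] != '='; i++) {
        int v = rev_index_safe(in, i);
        if (v < 0) return -1;        /* covers 0x80..0xFF and junk */
        acc = ((acc << 6) | (unsigned)v) & 0x3FFF; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Helper: 1 if in decodes exactly to expected, else 0. */
int decodes_to(const char *in, const char *expected) {
    unsigned char buf[256];
    long n = b64_decode(in, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```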
1.4.30 is out
*** Bug 395293 has been marked as a duplicate of this bug. ***
The ebuild is in portage but wait one week before you stabilize it so people can actually test it
6 days have passed; I am adding arches since an exploit is also out.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
amd64 stable, thanks Elijah
Stable for HPPA.
Thanks everyone. @Security, please vote.
Thanks, folks. GLSA Vote: yes.
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
Vote: Yes. GLSA request filed.
This issue was resolved and addressed in
GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).