From oss-security mailing list at $URL: for HTTP auth we need to base64-decode user input; the allowed character range includes non-ASCII characters above 0x7f. The function to decode this string takes a "const char *in" and reads each character into an "int ch", which is used as an offset in the table. So characters above 0x7f lead to negative indices (as char is signed on most platforms). The only possible impact is a segfault, leading to DoS. There is a proposed patch, but upstream said that they want to release 1.4.30 ASAP. Upstream bug: https://download.lighttpd.net/lighttpd/security/lighttpd_sa_2011_01.txt Proposed patch: https://redmine.lighttpd.net/attachments/1323/lighttpd-fix-base64-signedness.patch
1.4.30 is out
*** Bug 395293 has been marked as a duplicate of this bug. ***
The ebuild is in portage, but wait one week before you stabilize it so people can actually test it.
amd64: pass
6 days have passed; I am adding arches since an exploit is also out. Arches, please test and mark stable: =www-servers/lighttpd-1.4.30 Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
amd64 stable, thanks Elijah
x86 stable
ppc/ppc64 done
Stable for HPPA.
alpha/arm/ia64/sh/sparc stable
Thanks everyone. @Security, please vote.
Thanks, folks. GLSA Vote: yes.
CVE-2011-4362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4362): Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
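The signedness problem described in the opening report and summarized in the CVE entry above, as an added C example (not lighttpd's code and not the proposed patch): it shows how a signed char widened to int becomes a negative table index, and a decoder that converts through unsigned char and bounds-checks before the lookup. The names `index_signed`, `index_unsigned` and `b64_decode_checked`, the 128-entry table and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reverse table for the standard base64 alphabet (ASCII only); -1 = not in alphabet. */
static signed char rev[128];
static int rev_ready;

static void build_rev(void) {
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(rev, -1, sizeof rev);
    for (int i = 0; i < 64; i++) rev[(unsigned char)alphabet[i]] = (signed char)i;
    rev_ready = 1;
}

/* Pattern from the report: a char widened straight to int. signed char models
 * platforms where plain char is signed. The index is returned, never dereferenced. */
int index_signed(signed char c) { int ch = c; return ch; }

/* Hardened form: convert through unsigned char so the index is always 0..255. */
int index_unsigned(char c) { int ch = (unsigned char)c; return ch; }

/* Returns the decoded length, or -1 on any byte outside the alphabet (incl. >= 0x80). */
int b64_decode_checked(const char *in, unsigned char *out, size_t outlen) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    if (!rev_ready) build_rev();
    for (; *in && *in != '='; in++) {
        int ch = index_unsigned(*in);
        if (ch >= (int)sizeof rev || rev[ch] < 0) return -1; /* bounds, then alphabet */
        acc = (acc << 6) | (unsigned)rev[ch];
        bits += 6;
        if (bits >= 8) {
            if (n >= outlen) return -1;
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

int main(void) {
    unsigned char buf[32];
    int n = b64_decode_checked("dXNlcjpwYXNz", buf, sizeof buf); /* constructed sample */
    printf("signed idx=%d unsigned idx=%d decoded=%d\n",
           index_signed((signed char)0xE9), index_unsigned((char)0xE9), n);
    return 0;
}
```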
Vote: Yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml by GLSA coordinator Sergey Popov (pinkbyte).