Bug 592832 (CVE-2015-8212) - <www-servers/bozohttpd-20170201: CGI handlers potential remote code execution (CVE-2015-8212)
Status: RESOLVED FIXED
Alias: CVE-2015-8212
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.eterna.com.au/bozohttpd/CH...
Whiteboard: ~2 [noglsa]
Reported: 2016-09-04 01:18 UTC by Kelly Price
Modified: 2017-03-18 12:45 UTC
Description Kelly Price 2016-09-04 01:18:23 UTC
Please revbump www-servers/bozohttpd due to a CGI vulnerability. Per the site:

*snip*
please note that bozohttpd versions prior to 20160415 have a flaw in the handling of CGI in some cases, if the -C option has been used to setup a CGI handler. please update to 20160415 or newer as soon as possible. 
*snip*

http://www.eterna.com.au/bozohttpd/
Comment 1 Coacher 2016-09-04 09:02:33 UTC
From https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-005.txt.asc:

Running programs as CGI handlers that were not designed to serve as such
may create a vulnerability since bozohttpd would pass any arguments
to the executed binary.  In the worst case scenario this may lead to
remote code execution.

This vulnerability has been assigned CVE-2015-8212.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2017-03-18 07:56:21 UTC
Bumped and vulnerable removed.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-18 12:45:21 UTC
All done, repository is clean.