Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622306 (CVE-2017-10671) - <www-servers/thttpd-2.27.1: remote heap buffer overflow (CVE-2017-10671)
Summary: <www-servers/thttpd-2.27.1: remote heap buffer overflow (CVE-2017-10671)
Status: RESOLVED FIXED
Alias: CVE-2017-10671
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-20 14:26 UTC by Agostino Sarubbo
Modified: 2017-08-21 01:32 UTC (History)
1 user (show)

See Also:
Package list:
www-servers/thttpd-2.27.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-20 14:26:49 UTC
From ${URL} :


sthttpd [1], is a fork of thttpd, a small, fast, multiplexing webserver.
Our fuzzing tools recently found a heap buffer overflow in the request
parsing code that can be triggered remotely. The patch was recently fixed
[2], and the bug was introduced in [3].  It seems that it's also affecting
thttpd 2.25b present in OpenSUSE [4].

Let us know if you need more information.

Thanks
Alex from ForAllSecure

[1] https://github.com/blueness/sthttpd
[2]
https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
[3]
https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
[4]
https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-28 11:28:12 UTC
@ Arches,

please test and mark stable: =www-servers/thttpd-2.27.1
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-28 13:20:22 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-30 11:11:40 UTC
x86 stable
Comment 4 Markus Meier gentoo-dev 2017-07-07 06:16:44 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:38 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-07-07 13:25:45 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-07-07 14:51:15 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-07-15 22:14:52 UTC
Downgraded to B3.  No PoC for ACE/RCE.

GLSA Vote: No

@maintainer, please cleanup.
Comment 9 Anthony Basile gentoo-dev 2017-08-17 17:45:17 UTC
(In reply to Aaron Bauman from comment #8)
> Downgraded to B3.  No PoC for ACE/RCE.
> 
> GLSA Vote: No
> 
> @maintainer, please cleanup.

clean up done
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-21 01:32:53 UTC
(In reply to Anthony Basile from comment #9)
> (In reply to Aaron Bauman from comment #8)
> > Downgraded to B3.  No PoC for ACE/RCE.
> > 
> > GLSA Vote: No
> > 
> > @maintainer, please cleanup.
> 
> clean up done

Thanks!