Bug 671034 (CVE-2018-19052) - www-servers/lighttpd: path traversal in mod_alias_physical_handler in mod_alias.c (CVE-2018-19052)
Summary: www-servers/lighttpd: path traversal in mod_alias_physical_handler in mod_ali...
Status: RESOLVED FIXED
Alias: CVE-2018-19052
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 668828
Depends on:
Blocks:
 
Reported: 2018-11-12 23:45 UTC by Marvin Wolf
Modified: 2018-11-24 10:56 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Marvin Wolf 2018-11-12 23:45:39 UTC
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.

References:
https://github.com/lighttpd/lighttpd1.4/commit/2105dae0f9d7a964375ce681e53cb165375f84c1
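As an added example (not from the bug report or from lighttpd itself), the following Python script parses alias.url entries from a lighttpd configuration and flags the risky shape described above: an alias without a trailing '/' mapped to a target path that ends in '/'. The configuration text is constructed, and the harden() helper, which gives both sides a trailing '/', is one hardening option and an assumption, not the upstream fix; the real remedy is upgrading to lighttpd 1.4.50 or later.

```python
import re

# Constructed sample lighttpd configuration (not taken from the bug report).
# The "/docs" entry has the shape described in CVE-2018-19052: the alias
# lacks a trailing "/" while the target filesystem path ends in "/".
SAMPLE_CONFIG = '''
server.document-root = "/srv/www/htdocs/"
alias.url = (
    "/static/" => "/srv/www/static/",
    "/docs"    => "/srv/www/docs/",
    "/cgi-bin" => "/usr/lib/cgi-bin"
)
'''

# One "alias" => "target" pair inside an alias.url array.
PAIR_RE = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')
# The body of every alias.url = ( ... ) or alias.url += ( ... ) block.
BLOCK_RE = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.S)


def parse_alias_url(config_text):
    """Return all (alias, target) pairs declared in alias.url blocks."""
    pairs = []
    for block in BLOCK_RE.findall(config_text):
        pairs.extend(PAIR_RE.findall(block))
    return pairs


def risky_aliases(config_text):
    """Entries where the alias has no trailing '/' but the target does.

    With this shape the alias prefix match does not end on a path-segment
    boundary, which is the precondition the advisory describes.
    """
    return [(alias, target) for alias, target in parse_alias_url(config_text)
            if not alias.endswith('/') and target.endswith('/')]


def harden(alias, target):
    """Hypothetical hardening: make both sides end in '/' so the match and
    the substitution both stop on a directory boundary (an assumption, not
    the lighttpd 1.4.50 fix)."""
    return (alias.rstrip('/') + '/', target.rstrip('/') + '/')


if __name__ == '__main__':
    for alias, target in risky_aliases(SAMPLE_CONFIG):
        print('risky alias.url entry: %r => %r; suggest %r => %r'
              % ((alias, target) + harden(alias, target)))
```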
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2018-11-13 00:39:53 UTC
CVE-2018-19052 (https://nvd.nist.gov/vuln/detail/CVE-2018-19052):
  An issue was discovered in mod_alias_physical_handler in mod_alias.c in
  lighttpd before 1.4.50. There is potential ../ path traversal of a single
  directory above an alias target, with a specific mod_alias configuration
  where the matched alias lacks a trailing '/' character, but the alias target
  filesystem path does have a trailing '/' character.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-24 10:56:52 UTC
*** Bug 668828 has been marked as a duplicate of this bug. ***