Bug#540657: serveez: REMOTE BUFFER OVERFLOW
lvac lvac lvaclvacl...@gmail.com writes:

> Subject: serveez: REMOTE BUFFER OVERFLOW
> Package: serveez
> Version: 0.1.5-2.1
> Severity: grave
> Justification: user security hole
> Tags: security
>
> *** Please type your report below this line ***
>
> I HAVE FOUND SERIOUS SATANIC SECURITY HOLE:
> http://packetstormsecurity.nl/0908-exploits/serveez-overflow.txt

I can confirm this buffer overflow (but I'm not yet certain if it's really of satanic origin -- stay tuned, I've started investigating ;-).

Regards, Rotty

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#540657: serveez: REMOTE BUFFER OVERFLOW
forwarded 540657 bug-serv...@gnu.org
thanks

[ To the Debian security team: I've just confirmed and have come up with (what I think is) a fix for the reported security issue. This affects serveez 0.1.5-2.1 (lenny) and 0.1.5-2 (etch). The bug is also present in 0.1.7 and 0.1.6, which are not packaged in Debian. I can provide fixed packages for lenny and etch tomorrow. ]

Andreas Rottmann a.rottm...@gmx.at writes:

> lvac lvac lvaclvacl...@gmail.com writes:
>
>> Subject: serveez: REMOTE BUFFER OVERFLOW
>> Package: serveez
>> Version: 0.1.5-2.1
>> Severity: grave
>> Justification: user security hole
>> Tags: security
>>
>> I HAVE FOUND SERIOUS SATANIC SECURITY HOLE:
>> http://packetstormsecurity.nl/0908-exploits/serveez-overflow.txt
>
> I can confirm this buffer overflow (but I'm not yet certain if it's really of satanic origin -- stay tuned, I've started investigating ;-).

OK, I think I've isolated the issue. It's a stack-based buffer overflow, which can be triggered by a malformed/malicious HTTP If-Modified-Since header. While the linked code triggering the issue just causes a segfault, I think remote code execution is just a tiny step away, but note that I'm not a security expert ;-).

I think the attached patch should provide a fix:

From 56d47085ba63a4059a806ce1e03804203bb40309 Mon Sep 17 00:00:00 2001
From: Andreas Rottmann a.rottm...@gmx.at
Date: Sat, 22 Aug 2009 21:24:38 +0200
Subject: [PATCH] Fix potential buffer overflow in http_parse_date()

---
 src/http-server/http-core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/http-server/http-core.c b/src/http-server/http-core.c
index 7be11a5..6abb930 100644
--- a/src/http-server/http-core.c
+++ b/src/http-server/http-core.c
@@ -773,7 +773,7 @@ http_parse_date (char *date) break; /* RFC850-Date */ default: - sscanf (date, %s, %02d-%3s-%02d %02d:%02d:%02d GMT, + sscanf (date, %9s, %02d-%3s-%02d %02d:%02d:%02d GMT, _wkday, parse_time.tm_mday, _month, parse_time.tm_year, parse_time.tm_hour, parse_time.tm_min, parse_time.tm_sec); -- 1.6.3.3 Regards, Rotty
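Review bot: the new `%9s` only bounds the write into `_wkday` if that array holds at least 10 bytes (9 characters plus the terminator), and its declaration is not in this hunk; derive the width from the array size (a `sizeof`-based macro, or a comment pinning the two together) so they cannot drift apart again. Only the `default:` case is changed, while the `break; /* RFC850-Date */` context shows sibling cases above it; any of those scanning a name with a bare `%s` needs the same bound. The `sscanf` return value is also not checked in the visible lines, so on a partial match the later `parse_time` fields keep whatever they held before; comparing it against the seven expected conversions and rejecting the header would close that. Lastly, `%s` reads up to whitespace, so for an RFC 850 value such as `Sunday, 06-Nov-94` the weekday token swallows the comma and the literal `,` that follows in the format cannot match; a `%9[A-Za-z]` scanset stops at the comma and keeps the bound.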
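As an added example (my code, not serveez's and not the patch above), here is an RFC 850 date parser written the way the fix intends: every scan width is tied to its receiving buffer, the conversion count and consumed length are checked, and fields are range-checked. It assumes a 9-letter weekday bound ("Wednesday") and maps two-digit years below 70 to 20xx; both are this example's choices, not serveez's.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not serveez code: an RFC 850 date parser whose sscanf
 * widths are tied to the receiving buffers, the property the patch's %9s
 * restores for _wkday.  Returns 1 on success, 0 on any mismatch. */
static int parse_rfc850_date(const char *date, struct tm *out)
{
    static const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
    char wkday[10];   /* %9[...] writes at most 9 chars + NUL */
    char month[4];    /* %3[...] writes at most 3 chars + NUL */
    struct tm t;
    int consumed = 0, i;

    memset(&t, 0, sizeof t);
    /* %9[A-Za-z] stops at the 9th letter or at the comma, so an overlong
     * token is a matching failure, not a write past wkday.  %n records the
     * consumed length so trailing junk can be rejected. */
    if (sscanf(date, "%9[A-Za-z], %2d-%3[A-Za-z]-%2d %2d:%2d:%2d GMT%n",
               wkday, &t.tm_mday, month, &t.tm_year,
               &t.tm_hour, &t.tm_min, &t.tm_sec, &consumed) != 7
        || date[consumed] != '\0')
        return 0;
    for (i = 0; i < 12 && strcmp(month, months[i]) != 0; i++)
        ;
    /* Range-check every numeric field; %2d will happily read "-1". */
    if (i == 12 || t.tm_mday < 1 || t.tm_mday > 31 || t.tm_year < 0 ||
        t.tm_hour < 0 || t.tm_hour > 23 || t.tm_min < 0 || t.tm_min > 59 ||
        t.tm_sec < 0 || t.tm_sec > 60)
        return 0;
    t.tm_mon = i;
    if (t.tm_year < 70)   /* two-digit year: map 00-69 to 20xx (assumption) */
        t.tm_year += 100;
    *out = t;
    return 1;
}

int main(void)
{
    struct tm t;
    char bad[128];   /* constructed: a 100-letter weekday token */
    memset(bad, 'A', 100);
    strcpy(bad + 100, ", 06-Nov-94 08:49:37 GMT");
    printf("valid=%d overlong=%d\n",
           parse_rfc850_date("Sunday, 06-Nov-94 08:49:37 GMT", &t),
           parse_rfc850_date(bad, &t));
    return 0;
}
```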
Processed: Re: Bug#540657: serveez: REMOTE BUFFER OVERFLOW
Processing commands for cont...@bugs.debian.org:

> forwarded 540657 bug-serv...@gnu.org
Bug #540657 [serveez] serveez: REMOTE BUFFER OVERFLOW
Set Bug forwarded-to-address to 'bug-serv...@gnu.org'.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#540657: serveez: REMOTE BUFFER OVERFLOW
Subject: serveez: REMOTE BUFFER OVERFLOW
Package: serveez
Version: 0.1.5-2.1
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

I HAVE FOUND SERIOUS SATANIC SECURITY HOLE:
http://packetstormsecurity.nl/0908-exploits/serveez-overflow.txt

LVAC!

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages serveez depends on:
ii  guile-1.6-libs        1.6.8-6.3          Main Guile libraries
ii  libbz2-1.0            1.0.5-1            high-quality block-sorting file co
ii  libc6                 2.7-18             GNU C Library: Shared libraries
ii  libguile-ltdl-1       1.6.8-6.3          Guile's patched version of libtool
ii  libqthreads-12        1.6.8-6.3          QuickThreads library for Guile
ii  libserveez-0.1.5      0.1.5-2.1          GNU Serveez server framework -- sh
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

serveez recommends no packages.

serveez suggests no packages.

-- no debconf information

serveez.cfg
Description: Binary data