From owner-freebsd-security Tue Dec 11 9: 1:53 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8A7D237B420; Tue, 11 Dec 2001 09:00:57 -0800 (PST) Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id fBBH0vM72097; Tue, 11 Dec 2001 09:00:57 -0800 (PST) (envelope-from security-advisories@freebsd.org) Date: Tue, 11 Dec 2001 09:00:57 -0800 (PST) Message-Id: <200112111700.fBBH0vM72097@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:66.thttpd Reply-To: security-advisories@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:66 Security Advisory FreeBSD, Inc. Topic: thttpd port contains remotely vulnerability Category: ports Module: thttpd Announced: 2001-12-11 Credits: GOBBLES SECURITY Affects: Ports collection prior to the correction date Corrected: 2001-11-22 00:10:56 UTC FreeBSD only: no I. Background thttpd is a simple, small, portable, fast, and secure HTTP server. II. Problem Description In auth_check(), there is an off-by-one error in computing the amount of memory needed for storing a NUL terminated string. Specifically, a stack buffer of 500 bytes is used to store a string of up to 501 bytes including the terminating NUL. III. Impact Due to the location of the affected buffer on the stack, this bug can be exploited using ``The poisoned NUL byte'' technique (see references). A remote attacker can hijack the thttpd process, obtaining whatever privileges it has. By default, the thttpd process runs as user `nobody'. IV. Workaround 1) Deinstall the thttpd port/package if you have it installed. V. Solution 1) Upgrade your entire ports collection and rebuild the port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.22.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.22.tgz [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) Download a new port skeleton for the thttpd port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection. Path Revision - ------------------------------------------------------------------------- ports/www/thttpd/Makefile 1.23 ports/www/thttpd/distinfo 1.20 ports/www/thttpd/files/patch-fdwatch.c removed - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Comment: http://www.nectar.cc/pgp iQCVAwUBPBY6x1UuHi5z0oilAQEHrgQAgscqPT0AVJcotWgO1t8WuJQyNukLHnDS qGa8LT7ebuMY/Nl6JJzTYudwmr16RtJNPSYTfk1eHPWgAYzKyiNM7uMU87ZDplpM FOggQbjdhFPNUE3WK8P2cmdm+7mrZbdWGJmvZpYH4TRNn6yQVV4F8tENl+nPu3I+ 5IGxGqgr2vA= =1MCH -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message