Your message dated Wed, 19 Dec 2018 06:04:11 +0000
with message-id <[email protected]>
and subject line Bug#916190: fixed in mini-httpd 1.30-0.2
has caused the Debian Bug report #916190,
regarding mini-httpd (<= v1.30) is affected by a response discrepancy
information exposure (CWE-204)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
916190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916190
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mini-httpd
Version: 1.23-1.2
Severity: important
Tags: patch
The mini-httpd daemon (version <= v1.30) is affected by a response discrepancy
information exposure (CWE-204) that allows a remote attacker to enumerate valid
htpasswd usernames (RFC 7617).
Detailed advisory can be found at:
https://speirofr.appspot.com/files/advisory/SPADV-2018-01.md
## Description
Requesting an .htpasswd protected URL with a valid username part without
providing the corresponding password, e.g. "user:" (per RFC 7617),
causes mini-httpd to unexpectedly terminate.
~~~
user@box $ curl http://[email protected]:8000/auth/
curl: (52) Empty reply from server
~~~
The problem is that mini_httpd.c:2407 contains a NULL pointer dereference bug
that allows a remote attacker to enumerate valid htpasswd usernames (RFC 7617).
## Fix
~~~
From 62eff179b34cd1435017438ab99ed1906b6cc6c8 Mon Sep 17 00:00:00 2001
From: Salva Peiró <[email protected]>
Date: Wed, 5 Dec 2018 18:46:46 +0100
Subject: [PATCH] Fix NULL pointer dereference at mini_httpd.c:2407
(SPADV-2018-01)
---
mini_httpd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mini_httpd.c b/mini_httpd.c
index 03d0cdd..77f030f 100644
--- a/mini_httpd.c
+++ b/mini_httpd.c
@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
/* Yes. */
(void) fclose( fp );
/* So is the password right? */
- if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
+ char *cryptpass = crypt( authpass, cryp );
+ if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
{
/* Ok! */
remoteuser = line;
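Review bot: the `cryptpass != NULL` check is the right fix for the crash at line 2407, but `char *cryptpass = crypt( authpass, cryp );` is a declaration placed after a statement (`(void) fclose( fp );` precedes it in the same block); mixing declarations and statements requires C99, so if the package is built with strict C89 flags this hunk will not compile, and hoisting the declaration to the top of the block avoids that. When `cryptpass` is NULL the request now falls through to the deny path, which is what closes the username enumeration, but a NULL from crypt() also means the stored hash uses a format this libc cannot handle; consider logging that failure together with errno so an unsupported hash in .htpasswd is diagnosable instead of silently denying every login for that user.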
--
2.11.0
~~~
-- System information
Versions of packages mini-httpd depends on:
ii libc6 2.24-11+deb9u3
ii libssl1.1 1.1.0j-1~deb9u1
Versions of packages mini-httpd recommends:
ii apache2-utils 2.4.25-3+deb9u6
mini-httpd suggests no packages.
-- no debconf information
--- End Message ---
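The example below is added here and is neither part of the bug report nor mini_httpd's own source. It shows the hardened comparison from the patch in a self-contained `auth_check()` over an htpasswd-style buffer, with a constructed `toy_crypt()` standing in for crypt(3) so that the file builds without `-lcrypt`; `toy_crypt`, `ct_equal`, `sample_htpasswd` and the `AUTH_OK`/`AUTH_DENIED` results are assumptions of this example, and the sample htpasswd lines are constructed. The behaviour it demonstrates is the one the advisory is about: when the hash function returns NULL, as crypt(3) does on failure (for instance a setting string in a format it does not support), the request must end in the same 401 as an unknown user or a wrong password rather than in a process crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3): returns the hashed password, or NULL on failure
 * (for example when the stored hash uses a format the library does not support). */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3) so this file builds without -lcrypt.
 * It keeps crypt's contract: NULL for an unrecognised setting prefix,
 * otherwise "$t$<salt>$<hex>" in a static buffer. FNV-1a is NOT a password
 * hash; it only makes the example deterministic and self-contained. */
static char *toy_crypt(const char *key, const char *setting)
{
    static char out[80];
    if (strncmp(setting, "$t$", 3) != 0)
        return NULL;                                  /* unsupported format */
    const char *salt = setting + 3;
    const char *end = strchr(salt, '$');
    size_t saltlen = end ? (size_t)(end - salt) : strlen(salt);
    if (saltlen > 16)
        return NULL;                                  /* malformed salt */
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < saltlen; i++)
        h = (h ^ (unsigned char)salt[i]) * 16777619u;
    h = (h ^ (unsigned char)'$') * 16777619u;
    for (const char *p = key; *p; p++)
        h = (h ^ (unsigned char)*p) * 16777619u;
    snprintf(out, sizeof out, "$t$%.*s$%08x", (int)saltlen, salt, (unsigned)h);
    return out;
}

/* Compare two hash strings without exiting early on the first mismatch. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

enum auth_result { AUTH_OK = 0, AUTH_DENIED = 1 };

/* Look up `user` in an htpasswd-style buffer ("name:hash\n" per line) and verify
 * `pass`. Unknown user, hasher failure and wrong password all end in AUTH_DENIED,
 * so the reply (a plain 401) does not tell the client which one it was.
 * The `computed != NULL` test is the check missing at mini_httpd.c:2407. */
static enum auth_result auth_check(const char *htpasswd, const char *user,
                                   const char *pass, hash_fn hasher)
{
    enum auth_result result = AUTH_DENIED;
    size_t ulen = strlen(user);
    const char *line = htpasswd;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', len);

        if (colon && (size_t)(colon - line) == ulen && memcmp(line, user, ulen) == 0) {
            char stored[128];
            size_t hlen = len - ulen - 1;
            if (hlen < sizeof stored) {
                memcpy(stored, colon + 1, hlen);
                stored[hlen] = '\0';
                char *computed = hasher(pass, stored);
                if (computed != NULL && ct_equal(computed, stored))
                    result = AUTH_OK;
            }
            break;
        }
        line = eol ? eol + 1 : line + len;
    }
    return result;
}

/* Constructed sample htpasswd: alice has a hash toy_crypt understands; bob's
 * entry is in an unsupported format, i.e. the case where crypt() returns NULL. */
static const char *sample_htpasswd(void)
{
    static char buf[256];
    if (buf[0] == '\0') {
        const char *alice = toy_crypt("secret", "$t$s4lt$");
        snprintf(buf, sizeof buf, "alice:%s\nbob:{SHA}unsupported-format\n", alice);
    }
    return buf;
}

int main(void)
{
    const char *htp = sample_htpasswd();
    const char *cases[][2] = { {"alice", "secret"}, {"alice", ""}, {"bob", ""}, {"carol", "x"} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s:%s -> %s\n", cases[i][0], cases[i][1],
               auth_check(htp, cases[i][0], cases[i][1], toy_crypt) == AUTH_OK ? "200" : "401");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. To exercise the real libc implementation on glibc, include `<crypt.h>`, link with `-lcrypt` and pass `crypt` as the `hasher` argument; the `bob` case then corresponds to an .htpasswd entry whose hash format that crypt() rejects, which is exactly the request that used to kill the server.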
--- Begin Message ---
Source: mini-httpd
Source-Version: 1.30-0.2
We believe that the bug you reported is fixed in the latest version of
mini-httpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dmitry Bogatov <[email protected]> (supplier of updated mini-httpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 12 Dec 2018 05:19:14 +0000
Source: mini-httpd
Binary: mini-httpd
Architecture: source
Version: 1.30-0.2
Distribution: unstable
Urgency: medium
Maintainer: Jose dos Santos Junior <[email protected]>
Changed-By: Dmitry Bogatov <[email protected]>
Description:
mini-httpd - Small HTTP server
Closes: 893996 916190
Changes:
mini-httpd (1.30-0.2) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix null pointer dereference (Closes: #916190)
+ Thanks: Salva Peiró <[email protected]>
* Fix typo in path to pidfile in `mini_httpd.conf' (Closes: #893996)
Checksums-Sha1:
fa6354170775cc10c4daa244eb642195fd97aea5 2010 mini-httpd_1.30-0.2.dsc
fd06c5785130865790bb9bdf5fa488ad1ba15cba 14708 mini-httpd_1.30-0.2.debian.tar.xz
Checksums-Sha256:
9ad8231bda19454015c0805f8577d612419edc0f1ee9ff7f44f5562fe667f78c 2010 mini-httpd_1.30-0.2.dsc
deae465da61c420ef27ff516c57d6bccdd86d9bacc0f1e5f5e782fb4330a2a83 14708 mini-httpd_1.30-0.2.debian.tar.xz
Files:
5c03f3678a4f48d83f091394fa1624b3 2010 web optional mini-httpd_1.30-0.2.dsc
1250b77e54d6eb48e67c94713f5c4430 14708 web optional mini-httpd_1.30-0.2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---