Your message dated Sun, 24 Jul 2005 17:40:27 +0200
with message-id <[EMAIL PROTECTED]>
and subject line (no subject)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Jun 2004 09:38:36 +0000
>From [EMAIL PROTECTED] Fri Jun 11 02:38:36 2004
Return-path: <[EMAIL PROTECTED]>
Received: from vsmtp14.tin.it [212.216.176.118] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1BYiUd-0006Is-00; Fri, 11 Jun 2004 02:38:36 -0700
Received: from npp (82.48.161.216) by vsmtp14.tin.it (7.0.027)
        id 40967D65005C27FD for [EMAIL PROTECTED]; Fri, 11 Jun 2004 11:38:04 
+0200
Received: from pp by npp with local (masqmail 0.2.11) id 1BYiU4-12W-00
 for <[EMAIL PROTECTED]>; Fri, 11 Jun 2004 11:38:00 +0200
Date: Fri, 11 Jun 2004 11:38:00 +0200
From: Paolo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: thttpd: username and line bufoverflow in htpasswd.c
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Reportbug-Version: 1.50
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: thttpd
Version: 2.21b-11.2
Severity: grave
Justification: user security hole
Tags: patch

hello,

well, the security issue might come from htpasswd use in CGI.
Here are problems found, and hopefully fixed in patch:

* didn't check username length before doing strcpy()
* when getline() reads cpwfile, valid line length may actually be longer than
  MAX_STRING_LEN, 'cause we have user:cpw in it.
* -c flag didn't check for existing cpwfile (well, at least I like it to tell
  me before overwriting...)
* sanity check: cpwfile must be writable when changing/adding lines

patch follows inline to comply with reportbug warning ;)
WFM

oh, btw, that's actually from 2.23beta1 (latest?), not the one on my pc.

8<---[thtpasswd.diff, 2.23beta1]----------------------------------------------
--- thtpasswd.orig.c    Fri Jun 11 09:07:23 2004
+++ thtpasswd.c Fri Jun 11 08:45:15 2004
@@ -21,7 +21,12 @@
 #define LF 10
 #define CR 13
 
+#define CPW_LEN 13
+
+/* ie 'string' + '\0' */
 #define MAX_STRING_LEN 256
+/* ie 'maxstring' + ':' + cpassword */
+#define MAX_LINE_LEN MAX_STRING_LEN+1+CPW_LEN
 
 int tfd;
 char temp_template[] = "/tmp/htp.XXXXXX";
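Review bot: `MAX_LINE_LEN` is defined without parentheses (`#define MAX_LINE_LEN MAX_STRING_LEN+1+CPW_LEN`), so any use inside a larger expression such as `MAX_LINE_LEN * 2` or `n % MAX_LINE_LEN` would mis-associate; write `#define MAX_LINE_LEN (MAX_STRING_LEN+1+CPW_LEN)`. Also, `CPW_LEN 13` hard-codes the length of a traditional DES crypt(3) hash; a password file carrying longer hashes (the MD5 `$1$` format is 34 characters) yields lines longer than `MAX_LINE_LEN`, so the parsing later in the patch must not assume the ':' sits at a fixed offset from the end of the line, and the read loop must cope with lines that exceed the buffer.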
@@ -137,8 +142,9 @@
     }
 
 static void usage(void) {
-    fprintf(stderr,"Usage: htpasswd [-c] passwordfile username\n");
-    fprintf(stderr,"The -c flag creates a new file.\n");
+    fprintf(stderr,"Usage: htpasswd [-c] passwordfile username\n"
+                   "The -c flag creates a new file.\n"
+                   "Will prompt for password, unless given on stdin.\n");
     exit(1);
 }
 
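Review bot: the new usage text "Will prompt for password, unless given on stdin." documents behaviour of `add_password`, which this diff does not touch, so it cannot be checked against the patch; confirm it matches what that function does before the message ships. Folding the two `fprintf` calls into one string literal is fine.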
@@ -151,17 +157,37 @@
 int main(int argc, char *argv[]) {
     FILE *tfp,*f;
     char user[MAX_STRING_LEN];
-    char line[MAX_STRING_LEN];
-    char l[MAX_STRING_LEN];
+    char line[MAX_LINE_LEN];
+    char l[MAX_LINE_LEN];
     char w[MAX_STRING_LEN];
     char command[MAX_STRING_LEN];
-    int found;
+    int found,u;
 
     tfd = -1;
+    u = 2; /* argv[u] is username, unless...  */
     signal(SIGINT,(void (*)(int))interrupted);
     if(argc == 4) {
+        u = 3;
         if(strcmp(argv[1],"-c"))
             usage();
+        if((f=fopen(argv[2],"r")) != NULL) {
+          fclose(f);
+         fprintf(stderr,
+                "Password file %s already exists.\n"
+               "Delete it first, if you really want to overwrite it.\n",
+               argv[2]);
+         exit(1);
+       }
+    } else if(argc != 3) usage();
+    /* check uname length; underlying system will take care of pwdfile
+       name too long */
+    if (strlen(argv[u]) >= MAX_STRING_LEN) {
+      fprintf(stderr,"Username too long (max %i): %s\n",
+              MAX_STRING_LEN-1, argv[u]);
+      exit(1);
+    }
+    
+    if(argc == 4) {
         if(!(tfp = fopen(argv[2],"w"))) {
             fprintf(stderr,"Could not open passwd file %s for writing.\n",
                     argv[2]);
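Review bot: the `-c` existence check (`if((f=fopen(argv[2],"r")) != NULL)`) followed later by `fopen(argv[2],"w")` is a check-then-act sequence: a file created between the two calls is silently truncated, and an `fopen` failure for a reason other than non-existence (permissions) is mistaken for "does not exist". Use `open(argv[2], O_WRONLY|O_CREAT|O_EXCL, 0600)` and `fdopen()` so the refusal to clobber an existing file is atomic. The `strlen(argv[u]) >= MAX_STRING_LEN` check is the right bound for the later `strcpy(user, ...)` (it leaves room for the NUL) and correctly covers `argv[3]` on the `-c` path via `u = 3`. The new block mixes tabs and spaces (`fclose(f);` vs. the `fprintf` lines); match the file's indentation.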
@@ -172,12 +198,6 @@
         add_password(argv[3],tfp);
         fclose(tfp);
         exit(0);
-    } else if(argc != 3) usage();
-
-    tfd = mkstemp(temp_template);
-    if(!(tfp = fdopen(tfd,"w"))) {
-        fprintf(stderr,"Could not open temp file.\n");
-        exit(1);
     }
 
     if(!(f = fopen(argv[1],"r"))) {
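Review bot: removing the `mkstemp`/`fdopen` block here is sound only because the patch re-creates it after the password file has been opened; the visible benefit is that a missing or unreadable `argv[1]` no longer leaves a stray `/tmp/htp.XXXXXX` behind. The removed `else if(argc != 3) usage();` is likewise relocated above the username length check, so the argument-count validation still runs before `argv[u]` is dereferenced.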
@@ -186,16 +206,43 @@
         fprintf(stderr,"Use -c option to create new one.\n");
         exit(1);
     }
+    if(freopen(argv[1],"a",f) == NULL) {
+        fprintf(stderr,
+                "Could not open passwd file %s for writing!.\n"
+               "Changes would be lost.\n",argv[1]);
+        exit(1);
+    }
+    f = freopen(argv[1],"r",f);
+    
+    /* pwdfile is there, go on with tempfile now ... */
+    tfd = mkstemp(temp_template);
+    if(!(tfp = fdopen(tfd,"w"))) {
+        fprintf(stderr,"Could not open temp file.\n");
+        exit(1);
+    }
+    /* already checked for boflw ... */
     strcpy(user,argv[2]);
 
     found = 0;
-    while(!(getline(line,MAX_STRING_LEN,f))) {
+    /* line we get is username:pwd, or possibly any other cruft */
+    while(!(getline(line,MAX_LINE_LEN,f))) {
+        char *i;
+       
         if(found || (line[0] == '#') || (!line[0])) {
             putline(tfp,line);
             continue;
         }
-        strcpy(l,line);
-        getword(w,l,':');
+       i = index(line,':');
+       w[0] = '\0';
+       /* actually, cpw is CPW_LEN chars and never null, hence ':' should 
+          always be at line[strlen(line)-CPW_LEN-1] in a valid user:cpw line
+          Here though we may allow for pre-hancrafted pwdfile (!)...
+          But still need to check for length limits.
+        */
+       if (i != 0 && i-line <= MAX_STRING_LEN-1) {
+          strcpy(l,line);
+          getword(w,l,':');
+       }
         if(strcmp(user,w)) {
             putline(tfp,line);
             continue;
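Review bot: `f = freopen(argv[1],"r",f);` is unchecked; if the reopen fails, `f` is NULL and is passed straight to `getline`. The "a"-mode probe is a reasonable writability test, but check the result of the second `freopen` and exit on NULL. `tfd` is not tested for `-1` after `mkstemp`, so the "Could not open temp file." message is reached only by accident through `fdopen(-1, ...)` failing. `index()` is a legacy BSD function; use `strchr()` and compare against `NULL` rather than `0`. The bound `i-line <= MAX_STRING_LEN-1` does keep `getword(w,l,':')` within `w[MAX_STRING_LEN]`, and `strcpy(l,line)` is safe because both buffers are `MAX_LINE_LEN`; what the patch cannot show is how this `getline` handles a line longer than `MAX_LINE_LEN-1`, which with a truncating reader arrives as two records, so that case deserves a test. Typo in the comment: "hancrafted".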
@@ -210,10 +257,28 @@
         printf("Adding user %s\n",user);
         add_password(user,tfp);
     }
+    /* close, rewind & copy */
+    fclose(f);
+    fclose(tfp);
+    f = fopen(argv[1],"w");    
+    if(f==NULL) {
+      fprintf(stderr,"Failed re-opening %s!?\n",argv[1]);
+      exit(1);
+    }
+    tfp = fopen(temp_template,"r");
+    if(tfp==NULL) {
+      fprintf(stderr,"Failed re-opening tempfile!?\n");
+      exit(1);
+    }
+    {
+      int c;
+      while((c=fgetc(tfp))!=EOF && !feof(tfp))  {
+        fputc(c,f);
+        /* fputc(c,stderr); */
+      }
+    }
     fclose(f);
     fclose(tfp);
-    sprintf(command,"cp %s %s",temp_template,argv[1]);
-    system(command);
     unlink(temp_template);
     exit(0);
 }
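Review bot: replacing `sprintf(command,"cp %s %s",...)` / `system(command)` with an in-process copy removes both the shell interpretation of `argv[1]` and the dependence on `PATH`, which is the right fix. However `f = fopen(argv[1],"w")` truncates the password file before any byte is copied, and neither `fputc` nor the final `fclose(f)` is checked, so a full disk or I/O error leaves an empty or partial password file with no diagnostic. Prefer creating the temp file in the same directory as `argv[1]`, checking `fclose` on it, and then `rename()`-ing it over the original; `rename` does not work across filesystems, which is exactly why `/tmp` is the wrong place for the temp file. Smaller points: `!feof(tfp)` after `!= EOF` is redundant; the two `exit(1)` paths in this hunk return without `unlink(temp_template)`, leaving a copy of the password hashes in `/tmp`; and `char command[MAX_STRING_LEN]` is now unused.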
8<----------------------------------------------------------------------------


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux npp 2.4.24-pre2 #3 mer dic 24 02:50:45 CET 2003 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Versions of packages thttpd depends on:
ii  debconf                       1.2.21     Debian configuration management sy
ii  libc6                         2.2.5-14.3 GNU C Library: Shared libraries an
ii  logrotate                     3.5.9-8    Log rotation utility
ii  mime-support                  3.23-1     MIME files 'mime.types' & 'mailcap

-- 
 paolo

 GPG/PGP id:0x21426690 kfp:EDFB 0103 A8D8 4180 8AB5  D59E 9771 0F28 2142 6690
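The two bounds problems the report lists (an unchecked strcpy of the username, and a line buffer sized for a username alone rather than for user:cpw) shown as stand-alone checks. This is an added example and is not Paolo's patch or thttpd's own code; the function names `username_ok`, `split_user_line` and `line_matches_user`, and the sample lines and hash value, are constructed here. It reuses the patch's limits (`CPW_LEN 13`, `MAX_STRING_LEN 256`) but parenthesises `MAX_LINE_LEN` and uses `strchr` with an explicit destination size instead of `index`/`strcpy`.

```c
#include <stdio.h>
#include <string.h>

/* Same limits as the patch: a traditional crypt(3) hash is 13 characters,
   a username must fit in MAX_STRING_LEN including its NUL, and a full
   "user:cpw" line therefore needs MAX_LINE_LEN bytes. */
#define CPW_LEN 13
#define MAX_STRING_LEN 256
#define MAX_LINE_LEN (MAX_STRING_LEN + 1 + CPW_LEN)

/* The check the report says was missing before strcpy(user, argv[2]):
   returns 1 if name is non-empty and leaves room for the terminating NUL
   in a MAX_STRING_LEN buffer, 0 otherwise. */
int username_ok(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n < MAX_STRING_LEN;
}

/* Split one "user:cpw" line. The user part is copied with an explicit bound
   (usz is the size of the destination) and *cpw is left pointing at the
   text after the first ':'. Returns 1 for a well-formed line, 0 when there
   is no ':' or the user part would not fit; the caller then copies the line
   through untouched instead of treating it as a record. */
int split_user_line(const char *line, char *user, size_t usz, const char **cpw)
{
    const char *colon = strchr(line, ':');
    size_t ulen;

    if (colon == NULL)
        return 0;
    ulen = (size_t)(colon - line);
    if (ulen == 0 || ulen >= usz)
        return 0;
    memcpy(user, line, ulen);
    user[ulen] = '\0';
    *cpw = colon + 1;
    return 1;
}

/* Per-line decision while rewriting the file: 1 if this is the record for
   target (to be replaced), 0 if it must be copied through (comment, blank,
   unparsable, or another user). */
int line_matches_user(const char *line, const char *target)
{
    char user[MAX_STRING_LEN];
    const char *cpw;

    if (line[0] == '#' || line[0] == '\0')
        return 0;
    if (!split_user_line(line, user, sizeof user, &cpw))
        return 0;
    return strcmp(user, target) == 0;
}

/* Self-checks on the two overflow cases from the report, with inputs
   constructed here. Each returns 1 when the bound holds. */
int long_username_rejected(void)
{
    char name[MAX_STRING_LEN + 1];   /* MAX_STRING_LEN 'a's: no room for the NUL */
    memset(name, 'a', MAX_STRING_LEN);
    name[MAX_STRING_LEN] = '\0';
    return username_ok(name) == 0;
}

int overlong_user_line_passed_through(void)
{
    char line[MAX_LINE_LEN + 64];    /* user part longer than any valid username */
    char user[MAX_STRING_LEN];
    const char *cpw;
    size_t n = MAX_STRING_LEN + 10;

    memset(line, 'b', n);
    memcpy(line + n, ":abJnggxhB/yWI", CPW_LEN + 1);   /* constructed hash */
    line[n + CPW_LEN + 1] = '\0';
    return split_user_line(line, user, sizeof user, &cpw) == 0;
}

int main(void)
{
    /* Constructed sample file contents, not from any real installation. */
    const char *lines[] = {
        "# users",
        "alice:abJnggxhB/yWI",
        "bob:abJnggxhB/yWI",
        "garbage-without-colon",
        "",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-24s -> %s\n", lines[i],
               line_matches_user(lines[i], "alice") ? "replace" : "copy through");
    printf("self-checks: %d %d\n",
           long_username_rejected(), overlong_user_line_passed_through());
    return 0;
}
```

The key property is that every copy into a fixed buffer carries the destination size, and a record that does not fit is passed through rather than parsed, which is also what keeps a hand-edited or longer-hash line from being mistaken for the target user.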

---------------------------------------
Received: (at 253816-close) by bugs.debian.org; 24 Jul 2005 15:40:32 +0000
>From [EMAIL PROTECTED] Sun Jul 24 08:40:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from panthera-systems.net [213.239.209.134] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1Dwiae-0007cY-00; Sun, 24 Jul 2005 08:40:32 -0700
Received: from [10.0.0.4] (217-162-105-182.dclient.hispeed.ch [217.162.105.182])
        by panthera-systems.net (Postfix) with ESMTP id 1B9CC2DC012
        for <[EMAIL PROTECTED]>; Sun, 24 Jul 2005 17:38:29 +0200 (CEST)
Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 24 Jul 2005 17:40:27 +0200
From: Daniel Baumann <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: Panthera Systems
User-Agent: Debian Thunderbird 1.0.2 (X11/20050602)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
X-Enigmail-Version: 0.91.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-1.5 required=4.0 tests=BAYES_00,NOSUBJECT 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Bug fixed since several revisions ago.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          [EMAIL PROTECTED]
Internet:       http://people.panthera-systems.net/~daniel-baumann/

