Your message dated Sun, 24 Jul 2005 17:40:27 +0200 with message-id <[EMAIL PROTECTED]> and subject line (no subject) has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Jun 2004 09:38:36 +0000
>From [EMAIL PROTECTED] Fri Jun 11 02:38:36 2004
Return-path: <[EMAIL PROTECTED]>
Received: from vsmtp14.tin.it [212.216.176.118] by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1BYiUd-0006Is-00; Fri, 11 Jun 2004 02:38:36 -0700
Received: from npp (82.48.161.216) by vsmtp14.tin.it (7.0.027) id 40967D65005C27FD for [EMAIL PROTECTED]; Fri, 11 Jun 2004 11:38:04 +0200
Received: from pp by npp with local (masqmail 0.2.11) id 1BYiU4-12W-00 for <[EMAIL PROTECTED]>; Fri, 11 Jun 2004 11:38:00 +0200
Date: Fri, 11 Jun 2004 11:38:00 +0200
From: Paolo <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: thttpd: username and line bufoverflow in htpasswd.c
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Reportbug-Version: 1.50
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:

Package: thttpd
Version: 2.21b-11.2
Severity: grave
Justification: user security hole
Tags: patch

hello, well, the security issue might come from htpasswd use in CGI. Here are problems found, and hopefully fixed in patch:
* didn't check username length before doing strcpy()
* when getline() reads cpwfile, valid line length may actually be longer than MAX_STRING_LEN, 'cauz we have user:cpw in it.
* -c flag didn't check for existing cpwfile (well, at least I like it to tell me before overwriting...)
* sanity check: cpwfile must be writeable when changing/adding lines

patch follows inline to comply with reportbug warning ;) WFM
oh, btw, that's actually from 2.23beta1 (latest?), not the one on my pc.

8<---[thtpasswd.diff, 2.23beta1]---------------------------------------------- --- thtpasswd.orig.c Fri Jun 11 09:07:23 2004 +++ thtpasswd.c Fri Jun 11 08:45:15 2004 @@ -21,7 +21,12 @@ #define LF 10 #define CR 13 +#define CPW_LEN 13 + +/* ie 'string' + '\0' */ #define MAX_STRING_LEN 256 +/* ie 'maxstring' + ':' + cpassword */ +#define MAX_LINE_LEN MAX_STRING_LEN+1+CPW_LEN int tfd; char temp_template[] = "/tmp/htp.XXXXXX";
@@ -137,8 +142,9 @@ } static void usage(void) { - fprintf(stderr,"Usage: htpasswd [-c] passwordfile username\n"); - fprintf(stderr,"The -c flag creates a new file.\n"); + fprintf(stderr,"Usage: htpasswd [-c] passwordfile username\n" + "The -c flag creates a new file.\n" + "Will prompt for password, unless given on stdin.\n"); exit(1); } @@ -151,17 +157,37 @@ int main(int argc, char *argv[]) { FILE *tfp,*f; char user[MAX_STRING_LEN]; - char line[MAX_STRING_LEN]; - char l[MAX_STRING_LEN]; + char line[MAX_LINE_LEN]; + char l[MAX_LINE_LEN]; char w[MAX_STRING_LEN]; char command[MAX_STRING_LEN]; - int found; + int found,u; tfd = -1; + u = 2; /* argv[u] is username, unless... */ signal(SIGINT,(void (*)(int))interrupted); if(argc == 4) { + u = 3; if(strcmp(argv[1],"-c")) usage(); + if((f=fopen(argv[2],"r")) != NULL) { + fclose(f); + fprintf(stderr, + "Password file %s already exists.\n" + "Delete it first, if you really want to overwrite it.\n", + argv[2]); + exit(1); + } + } else if(argc != 3) usage(); + /* check uname length; underlying system will take care of pwdfile + name too long */ + if (strlen(argv[u]) >= MAX_STRING_LEN) { + fprintf(stderr,"Username too long (max %i): %s\n", + MAX_STRING_LEN-1, argv[u]); + exit(1); + } + + if(argc == 4) { if(!(tfp = fopen(argv[2],"w"))) { fprintf(stderr,"Could not open passwd file %s for writing.\n", argv[2]); @@ -172,12 +198,6 @@ add_password(argv[3],tfp); fclose(tfp); exit(0); - } else if(argc != 3) usage(); - - tfd = mkstemp(temp_template); - if(!(tfp = fdopen(tfd,"w"))) { - fprintf(stderr,"Could not open temp file.\n"); - exit(1); } if(!(f = fopen(argv[1],"r"))) { 
@@ -186,16 +206,43 @@ fprintf(stderr,"Use -c option to create new one.\n"); exit(1); } + if(freopen(argv[1],"a",f) == NULL) { + fprintf(stderr, + "Could not open passwd file %s for writing!.\n" + "Changes would be lost.\n",argv[1]); + exit(1); + } + f = freopen(argv[1],"r",f); + + /* pwdfile is there, go on with tempfile now ... */ + tfd = mkstemp(temp_template); + if(!(tfp = fdopen(tfd,"w"))) { + fprintf(stderr,"Could not open temp file.\n"); + exit(1); + } + /* already checked for boflw ... */ strcpy(user,argv[2]); found = 0; - while(!(getline(line,MAX_STRING_LEN,f))) { + /* line we get is username:pwd, or possibly any other cruft */ + while(!(getline(line,MAX_LINE_LEN,f))) { + char *i; + if(found || (line[0] == '#') || (!line[0])) { putline(tfp,line); continue; } - strcpy(l,line); - getword(w,l,':'); + i = index(line,':'); + w[0] = '\0'; + /* actually, cpw is CPW_LEN chars and never null, hence ':' should + always be at line[strlen(line)-CPW_LEN-1] in a valid user:cpw line + Here though we may allow for pre-hancrafted pwdfile (!)... + But still need to check for length limits. + */ + if (i != 0 && i-line <= MAX_STRING_LEN-1) { + strcpy(l,line); + getword(w,l,':'); + } if(strcmp(user,w)) { putline(tfp,line); continue; 
@@ -210,10 +257,28 @@ printf("Adding user %s\n",user); add_password(user,tfp); } + /* close, rewind & copy */ + fclose(f); + fclose(tfp); + f = fopen(argv[1],"w"); + if(f==NULL) { + fprintf(stderr,"Failed re-opening %s!?\n",argv[1]); + exit(1); + } + tfp = fopen(temp_template,"r"); + if(tfp==NULL) { + fprintf(stderr,"Failed re-opening tempfile!?\n"); + exit(1); + } + { + int c; + while((c=fgetc(tfp))!=EOF && !feof(tfp)) { + fputc(c,f); + /* fputc(c,stderr); */ + } + } fclose(f); fclose(tfp); - sprintf(command,"cp %s %s",temp_template,argv[1]); - system(command); unlink(temp_template); exit(0); } 8<----------------------------------------------------------------------------

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux npp 2.4.24-pre2 #3 mer dic 24 02:50:45 CET 2003 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Versions of packages thttpd depends on:
ii debconf 1.2.21 Debian configuration management sy
ii libc6 2.2.5-14.3 GNU C Library: Shared libraries an
ii logrotate 3.5.9-8 Log rotation utility
ii mime-support 3.23-1 MIME files 'mime.types' & 'mailcap

--
paolo
GPG/PGP id:0x21426690 kfp:EDFB 0103 A8D8 4180 8AB5 D59E 9771 0F28 2142 6690

---------------------------------------
Received: (at 253816-close) by bugs.debian.org; 24 Jul 2005 15:40:32 +0000
>From [EMAIL PROTECTED] Sun Jul 24 08:40:32 2005
Return-path: <[EMAIL PROTECTED]>
Received: from panthera-systems.net [213.239.209.134] by spohr.debian.org with esmtp (Exim 3.36 1 (Debian)) id 1Dwiae-0007cY-00; Sun, 24 Jul 2005 08:40:32 -0700
Received: from [10.0.0.4] (217-162-105-182.dclient.hispeed.ch [217.162.105.182]) by panthera-systems.net (Postfix) with ESMTP id 1B9CC2DC012 for <[EMAIL PROTECTED]>; Sun, 24 Jul 2005 17:38:29 +0200 (CEST)
Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 24 Jul 2005 17:40:27 +0200
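Review bot: the new macro in the first hunk, `#define MAX_LINE_LEN MAX_STRING_LEN+1+CPW_LEN`, should be parenthesized as `(MAX_STRING_LEN+1+CPW_LEN)`. Its two uses in this patch (the `line`/`l` array sizes and the getline() bound) expand safely, but any later `MAX_LINE_LEN * 2` or `sizeof(x) / MAX_LINE_LEN` would not. The comment would also be clearer if it said that the '\0' is already counted inside MAX_STRING_LEN and the +1 is the ':', which is what makes 270 bytes enough for a 255-character user, a colon and a 13-character cpw.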
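Review bot: the -c existence probe in the third hunk, `if((f=fopen(argv[2],"r")) != NULL)`, only sees files the caller can read, and the file can still appear between this fopen() and the later `fopen(argv[2],"w")`; an existing but unreadable password file is silently truncated either way. Opening once with open(argv[2], O_WRONLY|O_CREAT|O_EXCL, 0600) and fdopen()ing the descriptor gives an atomic "create only if absent" and removes the window. The username check that follows, `if (strlen(argv[u]) >= MAX_STRING_LEN)`, is correct and is rightly placed before any file is created, so a bad invocation leaves no empty password file behind.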
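Review bot: in the fifth hunk the second reopen, `f = freopen(argv[1],"r",f);`, is unchecked: if it fails, f is NULL and the getline() loop below dereferences it. Test it the same way as the "a" freopen() above it, or open the file once with "r+" and keep that stream, which also proves writeability without a second open. Two smaller points: `strcpy(user,argv[2])` relies on the argc==4 branch having exited earlier, so using `argv[u]` (the string the length check actually validated) would make the "already checked for boflw" comment literally true; and index() is a legacy BSD name, strchr() is the portable spelling.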
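Review bot: the copy loop in the last hunk never checks for write errors: the fputc() results and the final `fclose(f)` are ignored, so a full disk or I/O error leaves argv[1] (opened with "w", i.e. already truncated) incomplete with no message and exit status 0. Check ferror(f) after the loop and the return of fclose(f), and exit non-zero on failure. Reopening the temp file by name, `tfp = fopen(temp_template,"r");`, also throws away the descriptor mkstemp() returned; fdopen(tfd,"w+") earlier and `fflush(tfp); rewind(tfp);` here would read back through the same descriptor and avoid a by-name reopen of a /tmp path. Dropping `sprintf(command,"cp %s %s",temp_template,argv[1]); system(command);` is the right call, since it handed an unchecked argv[1] to the shell and could overflow command[MAX_STRING_LEN]; with it gone, the `command` array in main() is unused and should be removed, and the `&& !feof(tfp)` in the loop condition is redundant once fgetc() has returned something other than EOF.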
From: Daniel Baumann <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: Panthera Systems
User-Agent: Debian Thunderbird 1.0.2 (X11/20050602)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: [EMAIL PROTECTED]
X-Enigmail-Version: 0.91.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-1.5 required=4.0 tests=BAYES_00,NOSUBJECT autolearn=no version=2.60-bugs.debian.org_2005_01_02

Bug fixed since several revisions ago.

--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: [EMAIL PROTECTED]
Internet: http://people.panthera-systems.net/~daniel-baumann/
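The two buffer problems in the report (the unchecked strcpy() of the username and a valid "user:cpw" line being longer than MAX_STRING_LEN), shown with the limits the patch introduces, as an added C example that is neither the report's patch nor thttpd code: `username_fits` is the strcpy() precondition, `parse_entry` applies the same ':' position bound as the patched loop, and `make_entry` builds a constructed 269-byte line that shows why `line[]` needs MAX_LINE_LEN rather than MAX_STRING_LEN. The -c and writeability checks are file-system checks and are not modelled here.

```c
#include <string.h>
/* Limits from the report: a string plus '\0'; the longest valid "user:cpw" line. */
#define CPW_LEN 13
#define MAX_STRING_LEN 256
#define MAX_LINE_LEN (MAX_STRING_LEN + 1 + CPW_LEN)

/* First reported bug: copy a username into user[MAX_STRING_LEN] only if it fits. */
int username_fits(const char *name)
{
    return strlen(name) < MAX_STRING_LEN;
}

/* Split one "user:cpw" line into user_out and return 1. Comments, blank lines,
   lines without ':' and user fields longer than MAX_STRING_LEN-1 return 0 with
   user_out empty, so the caller can copy them through unchanged as the patch does. */
int parse_entry(const char *line, char user_out[MAX_STRING_LEN])
{
    const char *colon = strchr(line, ':');
    size_t ulen;
    user_out[0] = '\0';
    if (line[0] == '#' || line[0] == '\0' || colon == NULL)
        return 0;
    ulen = (size_t)(colon - line);
    if (ulen > MAX_STRING_LEN - 1)      /* same bound as the patch's i-line test */
        return 0;
    memcpy(user_out, line, ulen);
    user_out[ulen] = '\0';
    return 1;
}

/* Length of the user field of a parsed line, or -1 when the line is rejected. */
int entry_user_len(const char *line)
{
    char user[MAX_STRING_LEN];
    return parse_entry(line, user) ? (int)strlen(user) : -1;
}

/* Constructed line: ulen 'a's, ':' and 13 'x's standing in for a cpw. With
   ulen = MAX_STRING_LEN-1 this is the longest valid line, 269 bytes: more than
   the original line[MAX_STRING_LEN] could hold, but within MAX_LINE_LEN. */
const char *make_entry(size_t ulen)
{
    static char buf[MAX_LINE_LEN + 2];  /* one spare byte for an over-long user */
    if (ulen > MAX_STRING_LEN) ulen = MAX_STRING_LEN;
    memset(buf, 'a', ulen);
    buf[ulen] = ':';
    memset(buf + ulen + 1, 'x', CPW_LEN);
    buf[ulen + 1 + CPW_LEN] = '\0';
    return buf;
}
```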