Subject: pkg/22863: pkgsrc/www/thttpd - Buffer overflow, no known in-the-wild exploit.
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <Ross.Patterson@CatchFS.Com>
List: netbsd-bugs
Date: 09/19/2003 17:13:54
>Number:         22863
>Category:       pkg
>Synopsis:       pkgsrc/www/thttpd - Buffer overflow, no known in-the-wild exploit.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 19 17:23:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Ross Patterson
>Release:        1.6
>Organization:
CatchFIRE Systems, Inc
>Environment:
Unrelated, problem is in original source of a pkgsrc package.
>Description:
FYI, from the thttpd mailing list (thttpd@bomb.acme.com) today, by the author of the package.  The patch applies atop 2.23beta1 (released w/ NetBSD 1.6) and should fit within fuzz against 2.21b (released w/ NetBSD 1.5).

Ross Patterson
Ross.Patterson@CatchFS.Com

[THTTPD] buffer overflow warning
From: Jef Poskanzer <jef@acme.com>
To: thttpd@bomb.acme.com

I have been informed by texonet.com of a possible buffer overflow
in the routine defang() in libhttpd.c.  While their advisory was
not very explicit, examining the code did reveal a weakness in
the bounds checking.  The following simple patch should fix it,
if this is what they were talking about.  I am waiting for confirmation
from the advisory's original authors, and will put out an official
release once I have that.  Comments from the thttpd mailing list
are of course also welcome.

*** libhttpd.c.old      Tue Jul 22 15:07:16 2003
--- libhttpd.c  Fri Sep 12 12:41:13 2003
***************
*** 768,774 ****
      char* cp2;
  
      for ( cp1 = str, cp2 = dfstr;
!         *cp1 != '\0' && cp2 - dfstr < dfsize - 1;
          ++cp1, ++cp2 )
        {
        switch ( *cp1 )
--- 768,774 ----
      char* cp2;
  
      for ( cp1 = str, cp2 = dfstr;
!         *cp1 != '\0' && cp2 - dfstr < dfsize - 5;
          ++cp1, ++cp2 )
        {
        switch ( *cp1 )
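Review bot: the new bound `cp2 - dfstr < dfsize - 5` is a magic number whose correctness depends on the switch body below this hunk, which is not shown; a comment or a named constant (the largest replacement the switch writes for one input byte, plus the terminating NUL) would make the reserve reviewable and keep it in step if another case is added later. The old `dfsize - 1` reserved room for the terminator only, so any case emitting several bytes per input character could run past the end of dfstr, which is the defect being fixed. Worth noting for callers: if dfsize is a signed int, a buffer smaller than 5 bytes makes the right-hand side negative and the loop simply never runs, which is safe but should be documented; if it were an unsigned type the subtraction would wrap and defeat the check.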
>How-To-Repeat:
No idea, sorry.
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
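The following is an added example, not code from the report or from thttpd: a bounded defang-style copier written to show why a one-byte reserve is not enough when a single input byte can expand to several output bytes. It assumes, as a labelled guess, that defang() escapes only '<' and '>' as "&lt;" and "&gt;" (the report does not show the switch body); the constant MAX_EXPANSION, the guard for tiny buffers, and the defang_needed() helper are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest replacement one input byte can turn into ("&lt;" or "&gt;").
 * Assumption: the real defang() escapes exactly these; the report does not
 * show its switch cases. */
#define MAX_EXPANSION 4

/* Bounded HTML defanging modelled on the loop quoted in the report (this is
 * example code, not thttpd's). Copies str into dfstr, which holds dfsize
 * bytes, replacing '<' and '>' with entities. The loop condition keeps room
 * for one more MAX_EXPANSION-byte replacement plus the NUL, which is what the
 * report's change from "dfsize - 1" to "dfsize - 5" restores. Returns the
 * output length; dfstr is NUL-terminated whenever dfsize > 0. Input that does
 * not fit is truncated silently, as in the original. */
size_t defang_bounded(const char *str, char *dfstr, int dfsize)
{
    const char *cp1;
    char *cp2;
    /* Highest offset the loop may start a write at. Computed as a signed
     * value so a tiny dfsize yields a negative limit (loop never runs)
     * instead of wrapping to a huge one. */
    long limit = (long)dfsize - (MAX_EXPANSION + 1);

    if (dfsize <= 0)
        return 0;

    for (cp1 = str, cp2 = dfstr;
         *cp1 != '\0' && (long)(cp2 - dfstr) < limit;
         ++cp1, ++cp2) {
        switch (*cp1) {
        case '<':
            memcpy(cp2, "&lt;", MAX_EXPANSION);
            cp2 += MAX_EXPANSION - 1;   /* the loop's ++cp2 supplies the rest */
            break;
        case '>':
            memcpy(cp2, "&gt;", MAX_EXPANSION);
            cp2 += MAX_EXPANSION - 1;
            break;
        default:
            *cp2 = *cp1;
            break;
        }
    }
    *cp2 = '\0';
    return (size_t)(cp2 - dfstr);
}

/* Output bytes an input needs, NUL included, so a caller can size dfstr
 * up front or detect that defang_bounded() truncated. */
size_t defang_needed(const char *str)
{
    size_t n = 1;                               /* terminating NUL */
    for (; *str != '\0'; ++str)
        n += (*str == '<' || *str == '>') ? MAX_EXPANSION : 1;
    return n;
}

int main(void)
{
    char buf[8];
    /* Constructed input: two '<' need 9 bytes, the buffer has 8. The old
     * "dfsize - 1" bound would have let the second entity start at offset 4
     * and its NUL land at offset 8, one past the end. */
    size_t n = defang_bounded("<<", buf, (int)sizeof buf);
    printf("wrote %zu bytes: \"%s\" (needed %zu)\n", n, buf, defang_needed("<<"));
    return 0;
}
```

With an 8-byte buffer the first '<' becomes "&lt;" and the loop then stops, because 4 is not below the limit of 3; the second entity is dropped rather than written past the end. defang_needed() lets a caller notice that truncation instead of trusting the shortened output.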