Bug 729145 (CVE-2011-2900)

Summary: CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir()
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aquini
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-12 21:08:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 729146
Bug Blocks:

Description Vincent Danen 2011-08-08 20:22:33 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2900 to
the following vulnerability:

Name: CVE-2011-2900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/5
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/9
Reference: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Reference: http://www.securityfocus.com/bid/48980
Reference: http://secunia.com/advisories/45464
Reference: http://xforce.iss.net/xforce/xfdb/68991

Stack-based buffer overflow in the (1) put_dir function in mongoose.c
in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded
Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in
io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to
execute arbitrary code via an HTTP PUT request, as exploited in the
wild in 2011.


In mongoose, the only guard against a buffer overflow is the assert call in put_dir(), which is disabled if mongoose is compiled with -DNDEBUG (which is _not_ the case in Fedora).  This means that the assert is triggered, resulting in a denial of service only.  Fedora is compiled as follows:

/usr/bin/make 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSSL_LIB='''"libssl.so.10"''' -DCRYPTO_LIB='''"libcrypto.so.10"'''' linux
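
The put_dir() pattern described above, as an added illustrative example written for this page: it is a reconstruction of the shape of the bug, not the actual source of mongoose, yasslEWS or shttpd. The buffer size DIR_BUF (kept tiny so the limit is easy to hit), the mkdir-style callback, record_dir and the function names are all assumptions. The vulnerable shape bounds the copy into a fixed-size stack buffer with nothing but assert(), so -DNDEBUG removes the only check; the hardened shape keeps an explicit length test that rejects the request instead of aborting or writing past the buffer.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Assumed, deliberately small path-prefix buffer (a real server's is far larger). */
#define DIR_BUF 32

/* Stand-in for mkdir(): invoked once per intermediate directory prefix, so the
 * logic runs without touching the filesystem. */
typedef int (*mkdir_fn)(const char *dir, void *ctx);

/* Vulnerable shape: the only bound on the prefix copied into buf is assert().
 * With -DNDEBUG the preprocessor drops it and memcpy writes an attacker-chosen
 * length past buf; without NDEBUG (the Fedora build) an overlong path aborts. */
int put_dir_assert_only(const char *path, mkdir_fn mk, void *ctx) {
  char buf[DIR_BUF];
  const char *s, *p;
  size_t len;

  if (*path == '\0')
    return 0;
  for (s = path + 1; (p = strchr(s, '/')) != NULL; s = p + 1) {
    len = (size_t)(p - path);        /* "/a/b" for "/a/b/c.txt" */
    assert(len < sizeof(buf));       /* the only guard; gone under NDEBUG */
    memcpy(buf, path, len);
    buf[len] = '\0';
    if (mk(buf, ctx) != 0)
      return -1;
  }
  return 0;
}

/* Hardened shape: a real check that survives any build flags and fails the
 * request before a single byte is written. */
int put_dir_checked(const char *path, mkdir_fn mk, void *ctx) {
  char buf[DIR_BUF];
  const char *s, *p;
  size_t len;

  if (*path == '\0')
    return 0;
  for (s = path + 1; (p = strchr(s, '/')) != NULL; s = p + 1) {
    len = (size_t)(p - path);
    if (len >= sizeof(buf))          /* reject overlong prefix, no write */
      return -1;
    memcpy(buf, path, len);
    buf[len] = '\0';
    if (mk(buf, ctx) != 0)
      return -1;
  }
  return 0;
}

/* Recorder used in place of mkdir(): keeps each prefix for inspection. */
struct dir_log {
  char seen[8][DIR_BUF];
  int n;
};

int record_dir(const char *dir, void *ctx) {
  struct dir_log *dl = ctx;
  if (dl->n >= 8)
    return -1;
  strcpy(dl->seen[dl->n++], dir);    /* dir is < DIR_BUF bytes by construction */
  return 0;
}

/* Prefix count the checked version would create, or -1 if it rejected the path. */
int checked_dir_count(const char *path) {
  struct dir_log dl;
  memset(&dl, 0, sizeof dl);
  return put_dir_checked(path, record_dir, &dl) == 0 ? dl.n : -1;
}

/* Same for the assert-only version; only safe to call with short paths. */
int assert_only_dir_count(const char *path) {
  struct dir_log dl;
  memset(&dl, 0, sizeof dl);
  return put_dir_assert_only(path, record_dir, &dl) == 0 ? dl.n : -1;
}

/* 1 if "/a/b/c.txt" yields exactly "/a" then "/a/b", else 0. */
int checked_prefixes_ok(void) {
  struct dir_log dl;
  memset(&dl, 0, sizeof dl);
  if (put_dir_checked("/a/b/c.txt", record_dir, &dl) != 0)
    return 0;
  return dl.n == 2 && strcmp(dl.seen[0], "/a") == 0 &&
         strcmp(dl.seen[1], "/a/b") == 0;
}

int main(void) {
  /* Constructed request paths: a benign one, and one whose first component
   * alone exceeds DIR_BUF, as a crafted PUT URI would supply. */
  const char *benign = "/a/b/c.txt";
  const char *overlong = "/" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "/x";

  printf("assert-only, benign: %d dirs\n", assert_only_dir_count(benign));
  printf("checked, benign:     %d dirs\n", checked_dir_count(benign));
  printf("checked, overlong:   rc=%d (rejected before any write)\n",
         checked_dir_count(overlong));
  /* put_dir_assert_only(overlong, ...) is deliberately not called: without
   * NDEBUG it aborts, with NDEBUG it overruns buf. */
  return 0;
}
```

Build with `cc -Wall put_dir.c` to keep the assert active, and with `-DNDEBUG` to see it disappear from put_dir_assert_only (the compiler will then emit an unbounded memcpy; do not feed it the overlong path). Note that the -fstack-protector and -D_FORTIFY_SOURCE=2 flags in the Fedora build line above are mitigations, not a fix: at best they turn the overlong write into an abort, which is still the denial of service Danen describes, whereas the explicit length check in put_dir_checked avoids the write altogether.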

Comment 1 Vincent Danen 2011-08-08 20:23:29 UTC
Created mongoose tracking bugs for this issue

Affects: fedora-all [bug 729146]