Bug 191095 - multiple vulnerabilities in thttpd's htpasswd utility
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: thttpd
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
Reported: 2006-05-08 20:05 UTC by Chris Ricker
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-07-04 11:16:54 UTC

Attachments
htpasswd.c from current Apache (18.31 KB, text/plain)
2006-05-26 15:23 UTC, Jason Tibbitts

Description Chris Ricker 2006-05-08 20:05:15 UTC
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1078>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1079>

looks like FE4 and FE5 both affected

Comment 1 Matthias Saou 2006-05-09 08:48:39 UTC
The bug is present in the Extras packages, but they aren't really "affected"
since the "htpasswd.thttpd" utility isn't setuid nor setgid.

I'm not sure what to do now though, since there are no proposed fixes and the
osvdb entry reads "Currently, there are no known upgrades, patches, or
workarounds available to correct this issue."...

Comment 2 Jason Tibbitts 2006-05-23 17:15:46 UTC
Maybe we can pull htpasswd out of a current version of Apache.  I recall that's
where it comes from anyway.

Comment 3 Matthias Saou 2006-05-26 14:57:36 UTC
Yeah, I guess. Patch welcome if you want that done real quick :-)

Comment 4 Jason Tibbitts 2006-05-26 15:22:17 UTC
I did some comparisons but the htpasswd.c in thttpd is so old that it doesn't
resemble any of the code in the Apache versions I have around.

There's one comment in the thttpd htpasswd.c that concerns me:

/* Modified 29aug97 by Jef Poskanzer to accept new password on stdin,
** if stdin is a pipe or file.  This is necessary for use from CGI.

I don't know that the Apache htpasswd.c supports this; if not, it would have to
be hacked back in.

I'll attach the current Apache htpasswd.c.

Comment 5 Jason Tibbitts 2006-05-26 15:23:32 UTC
Created attachment 130028
htpasswd.c from current Apache

Comment 6 Matthias Saou 2006-07-03 17:03:00 UTC
I've just had another look at these htpasswd.c files, and the one from apache
2.x would add a requirement on apr, and the one from apache 1.3.x would add a
build requirement on apache-devel and possibly a runtime requirement on apache
too! Not to mention the license, which might change the entire package's license
since thttpd is BSD licensed, whereas Apache has its own (would have to look
into the details, though).

I really don't know if/when we can expect a new version of thttpd, and the
developer has apparently already acknowledged the issue and possibly worked on it.

My current choice would be between:
- Not doing anything, since by default no one should be affected... but if
someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now. And let people
who need to generate htpasswds use an online version of the binary from an
apache httpd installation.

Any preference?

Comment 7 Ville Skyttä 2006-07-03 17:35:41 UTC
One more thing to look into: the Debian testing security team has marked both
these CVEs fixed in their 2.23beta1-2.4, perhaps a patch could be "borrowed"
from there:

http://svn.debian.org/wsvn/secure-testing/data/CVE/list?op=file&rev=0&sc=0
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253816
http://ftp.debian.org/debian/pool/main/t/thttpd/thttpd_2.23beta1-4.diff.gz

Comment 8 Matthias Saou 2006-07-03 17:53:13 UTC
Indeed, there are lots of nice fixes in that Debian patch! I'll merge all the
relevant bits ASAP, as some might not be needed since we ship 2.25b. Thanks
Ville for the pointers ;-)

Comment 9 Matthias Saou 2006-07-04 11:16:54 UTC
I've included the fixes to makeweb and htpasswd, which is now renamed thtpasswd
instead of htpasswd.thttpd too. I've tested both quickly, but will double check
the devel build, then push the changes to FC-4 and FC-5 too.

Comment 10 Jason Tibbitts 2006-08-07 19:35:18 UTC
Any reason these fixes couldn't go to the FC3 package as well?
