http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1078 http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1079 It looks like FE4 and FE5 are both affected.
The bug is present in the Extras packages, but they aren't really "affected" since the "htpasswd.thttpd" utility isn't setuid nor setgid. I'm not sure what to do now though, since there are no proposed fixes and the osvdb entry reads "Currently, there are no known upgrades, patches, or workarounds available to correct this issue."...
Maybe we can pull htpasswd out of a current version of Apache. I recall that's where it comes from anyway.
Yeah, I guess. Patch welcome if you want that done real quick :-)
I did some comparisons but the htpasswd.c in thttpd is so old that it doesn't resemble any of the code in the Apache versions I have around. There's one comment in the thttpd htpasswd.c that concerns me:

/* Modified 29aug97 by Jef Poskanzer to accept new password on stdin,
** if stdin is a pipe or file. This is necessary for use from CGI.

I don't know that the Apache htpasswd.c supports this; if not, it would have to be hacked back in. I'll attach the current Apache htpasswd.c.
Created attachment 130028: htpasswd.c from current Apache
I've just had another look at these htpasswd.c files, and the one from apache 2.x would add a requirement on apr, and the one from apache 1.3.x would add a build requirement on apache-devel and possibly a runtime requirement on apache too! Not to mention the license, which might change the entire package's license since thttpd is BSD licensed, whereas Apache has its own (would have to look into the details, though). I really don't know if/when we can expect a new version of thttpd, and the developer has apparently already acknowledged the issue and possibly worked on it. My current choice would be between:
- Not doing anything, since by default no one should be affected... but if someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now, and letting people who need to generate htpasswds use an online version or the binary from an apache httpd installation.
Any preference?
One more thing to look into: the Debian testing security team has marked both these CVEs fixed in their 2.23beta1-2.4, so perhaps a patch could be "borrowed" from there: http://svn.debian.org/wsvn/secure-testing/data/CVE/list?op=file&rev=0&sc=0 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253816 http://ftp.debian.org/debian/pool/main/t/thttpd/thttpd_2.23beta1-4.diff.gz
Indeed, there are lots of nice fixes in that Debian patch! I'll merge all the relevant bits ASAP, as some might not be needed since we ship 2.25b. Thanks Ville for the pointers ;-)
I've included the fixes to makeweb and htpasswd, which is now also renamed to thtpasswd instead of htpasswd.thttpd. I've tested both quickly, but will double check the devel build, then push the changes to FC-4 and FC-5 too.
Any reason these fixes couldn't go to the FC3 package as well?