Bug 191095 - multiple vulnerabilities in thttpds htpasswd utility
multiple vulnerabilities in thttpds htpasswd utility
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: thttpd (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Matthias Saou
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-08 16:05 EDT by Chris Ricker
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-04 07:16:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
htpasswd.c from current Apache (18.31 KB, text/plain)
2006-05-26 11:23 EDT, Jason Tibbitts
no flags Details

  None (edit)
Description Chris Ricker 2006-05-08 16:05:15 EDT
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1078>
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1079>

looks like FE4 and FE5 both affected
Comment 1 Matthias Saou 2006-05-09 04:48:39 EDT
The bug is present in the Extras packages, but they aren't really "affected"
since the "htpasswd.thttpd" utility isn't setuid nor setgid.

I'm not sure what to do now though, since there are no proposed fixes and the
osvdb entry reads "Currently, there are no known upgrades, patches, or
workarounds available to correct this issue."...
Comment 2 Jason Tibbitts 2006-05-23 13:15:46 EDT
Maybe we can pull htpasswd out of a current version of Apache.  I recall that's
where it comes from anyway.
Comment 3 Matthias Saou 2006-05-26 10:57:36 EDT
Yeah, I guess. Patch welcome if you want that done real quick :-)
Comment 4 Jason Tibbitts 2006-05-26 11:22:17 EDT
I did some comparisons but the htpasswd.c in thttpd is so old that it doesn't
resemble any of the code in the Apache versions I have around.

There's one comment in the thttpd htpasswd.c that concerns me:

/* Modified 29aug97 by Jef Poskanzer to accept new password on stdin,
** if stdin is a pipe or file.  This is necessary for use from CGI.

I don't know that the Apache htpasswd.c supports this; if not, it would have to
be hacked back in.

I'll attach the current Apache htpasswd.c.
Comment 5 Jason Tibbitts 2006-05-26 11:23:32 EDT
Created attachment 130028 [details]
htpasswd.c from current Apache
Comment 6 Matthias Saou 2006-07-03 13:03:00 EDT
I've just had another look at these htpasswd.c files, and the one from apache
2.x would add a requirement on apr, and the one from apache 1.3.x would add a
build requirement on apache-devel and possibly a runtime requirement on apache
too! Not to mention the license, which might change the entire package's license
since thttpd is BSD licensed, whereas Apache has its own (would have to look
into the details, though).

I really don't know if/when we can expect a new version of thttpd, and the
developer has apparently already acknowledged the issue and possibly worked on it.

My current choice would be between :
- Not doing anything, since by default no one should be affected... but if
someone runs htpasswd from their web server, they might be.
- Removing the htpasswd utility from the thttpd package for now. And let people
who needs to generate htpasswds use an online version of the binary from an
apache httpd installation.

Any preference?
Comment 7 Ville Skyttä 2006-07-03 13:35:41 EDT
One more thing to look into: the Debian testing security team has marked both
these CVE's fixed in their 2.23beta1-2.4, perhaps a patch could be "borrowed"
from there:

http://svn.debian.org/wsvn/secure-testing/data/CVE/list?op=file&rev=0&sc=0
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=253816
http://ftp.debian.org/debian/pool/main/t/thttpd/thttpd_2.23beta1-4.diff.gz
Comment 8 Matthias Saou 2006-07-03 13:53:13 EDT
Indeed, there are lots of nice fixes in that Debian patch! I'll merge all the
relevant bits ASAP, as some might not be needed since we ship 2.25b. Thanks
Ville for the pointers ;-)
Comment 9 Matthias Saou 2006-07-04 07:16:54 EDT
I've included the fixes to makeweb and htpasswd, which is now renamed thtpasswd
instead of htpasswd.thttpd too. I've tested both quickly, but will double check
the devel build, then push the changes to FC-4 and FC-5 too.
Comment 10 Jason Tibbitts 2006-08-07 15:35:18 EDT
Any reason these fixes couldn't go to the FC3 package as well?

Note You need to log in before you can comment on or make changes to this bug.