Bug 729145 - (CVE-2011-2900) CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir()
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Whiteboard: public=20110803,reported=20110803,sou...
Depends On: 729146
Reported: 2011-08-08 16:22 EDT by Vincent Danen
Modified: 2016-11-08 11:27 EST
Last Closed: 2015-05-12 17:08:43 EDT
Doc Type: Bug Fix

Attachments: None
Description Vincent Danen 2011-08-08 16:22:33 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2900 to
the following vulnerability:

Name: CVE-2011-2900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/5
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/9
Reference: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Reference: http://www.securityfocus.com/bid/48980
Reference: http://secunia.com/advisories/45464
Reference: http://xforce.iss.net/xforce/xfdb/68991

Stack-based buffer overflow in the (1) put_dir function in mongoose.c
in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded
Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in
io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to
execute arbitrary code via an HTTP PUT request, as exploited in the
wild in 2011.


In mongoose, the only guard against a buffer overflow is the assert call in put_dir(), which is disabled if mongoose is compiled with -DNDEBUG (which is _not_ the case in Fedora).  This means that the assert is triggered, resulting in a denial of service only.  Fedora is compiled as follows:

/usr/bin/make 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSSL_LIB='''"libssl.so.10"''' -DCRYPTO_LIB='''"libcrypto.so.10"'''' linux
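The description above hinges on one point: an assert() is a debugging aid, not a bounds check, because -DNDEBUG removes it and leaves an unchecked copy into a fixed stack buffer. The following C is an added example written for this page, not mongoose's own put_dir() and not the upstream fix. It is a simplified, constructed stand-in for the pattern (a loop copying each '/'-delimited prefix of a request path into a fixed buffer before creating that directory): the assert-only variant is the shape the bug describes, the checked variant shows the explicit length test that survives NDEBUG, and a helper reports whether assert() is compiled in at all. DIR_BUF_SIZE and all function names are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the fixed-size stack buffer (char buf[PATH_MAX] in
 * a real put_dir()-style routine); kept small so overlong input is easy to
 * demonstrate. */
#define DIR_BUF_SIZE 16

/* Assert-only variant: the pattern the bug describes. Each prefix of `path`
 * up to the next '/' is copied into `buf`. The only guard is assert(), which
 * aborts the process (a denial of service) in a normal build and is compiled
 * out entirely under -DNDEBUG, leaving an unchecked memcpy into a fixed
 * buffer. Returns the number of prefixes copied. */
int put_dir_prefixes_assert_only(const char *path, char *buf, size_t buflen) {
    const char *s, *p;
    int count = 0;
    for (s = path; (p = strchr(s, '/')) != NULL; s = p + 1) {
        size_t len = (size_t)(p - path);
        assert(len < buflen);   /* not a bounds check: gone with -DNDEBUG */
        memcpy(buf, path, len);
        buf[len] = '\0';
        count++;                /* a real handler would mkdir(buf) here */
    }
    return count;
}

/* Hardened variant: the same loop with an explicit length check that is
 * always compiled in. Returns -1 (copying nothing further) as soon as a
 * prefix plus its terminating NUL would not fit in `buf`. */
int put_dir_prefixes_checked(const char *path, char *buf, size_t buflen) {
    const char *s, *p;
    int count = 0;
    for (s = path; (p = strchr(s, '/')) != NULL; s = p + 1) {
        size_t len = (size_t)(p - path);
        if (len >= buflen)
            return -1;          /* overlong component: reject the request */
        memcpy(buf, path, len);
        buf[len] = '\0';
        count++;
    }
    return count;
}

/* Reports whether assert() is active in this translation unit, i.e. whether
 * the assert-only variant has any guard left at all. */
int assert_guard_compiled_in(void) {
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Convenience wrappers that run the hardened variant against a
 * DIR_BUF_SIZE-byte buffer: the prefix count (or -1), and whether the last
 * prefix left in the buffer matches `expected`. */
int checked_prefix_count(const char *path) {
    char buf[DIR_BUF_SIZE];
    return put_dir_prefixes_checked(path, buf, sizeof buf);
}

int checked_last_prefix_is(const char *path, const char *expected) {
    char buf[DIR_BUF_SIZE];
    buf[0] = '\0';
    if (put_dir_prefixes_checked(path, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```

Compiling this twice, once plain and once with -DNDEBUG, makes the difference visible: assert_guard_compiled_in() flips from 1 to 0, and with it the assert-only variant goes from aborting on an overlong component to silently writing past the buffer, while the checked variant returns -1 in both builds. Fedora's -fstack-protector and -D_FORTIFY_SOURCE=2 in the build line above are the compiler-side mitigations that would still stand between that write and code execution; they do not replace the length check.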
Comment 1 Vincent Danen 2011-08-08 16:23:29 EDT
Created mongoose tracking bugs for this issue

Affects: fedora-all [bug 729146]
