Bug 729145 (CVE-2011-2900) - CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir()
Summary: CVE-2011-2900 mongoose: stack-based buffer overflow flaw in put_dir()
Alias: CVE-2011-2900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 729146
Reported: 2011-08-08 20:22 UTC by Vincent Danen
Modified: 2019-09-29 12:46 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-05-12 21:08:43 UTC


Description Vincent Danen 2011-08-08 20:22:33 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2900 to
the following vulnerability:

Name: CVE-2011-2900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/5
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/9
Reference: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Reference: http://www.securityfocus.com/bid/48980
Reference: http://secunia.com/advisories/45464
Reference: http://xforce.iss.net/xforce/xfdb/68991

Stack-based buffer overflow in the (1) put_dir function in mongoose.c
in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded
Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in
io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to
execute arbitrary code via an HTTP PUT request, as exploited in the
wild in 2011.

In mongoose, the only guard against a buffer overflow is the assert call in put_dir(), which is disabled if mongoose is compiled with -DNDEBUG (which is _not_ the case in Fedora).  This means that the assert is triggered, resulting in a denial of service only.  Fedora is compiled as follows:

/usr/bin/make 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSSL_LIB='''"libssl.so.10"''' -DCRYPTO_LIB='''"libcrypto.so.10"'''' linux
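
The pattern the description refers to, as an added illustration in C that is not mongoose's own put_dir() code: a PUT handler copies each directory prefix of the request path into a fixed stack buffer before calling mkdir(), and the vulnerable shape guards the copy with nothing but assert(), which -DNDEBUG compiles out. PATH_BUF, copy_prefix_assert_only, copy_prefix_checked and walk_dir_prefixes are constructed names; the buffer is kept deliberately small so the bounds check is easy to exercise.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

#define PATH_BUF 32 /* constructed: small so an overlong prefix is easy to produce */

/* Vulnerable shape: the only length guard is assert(). With -DNDEBUG the
 * assert disappears and memcpy runs past buf on an overlong path; without
 * NDEBUG (the Fedora build above) the assert aborts the process instead. */
void copy_prefix_assert_only(char *buf, const char *path, size_t len) {
    assert(len < PATH_BUF);          /* compiled out under NDEBUG */
    memcpy(buf, path, len);
    buf[len] = '\0';
}

/* Hardened shape: an explicit runtime check that survives NDEBUG.
 * Returns 0 on success, -1 if the prefix does not fit. */
int copy_prefix_checked(char *buf, size_t bufsz, const char *path, size_t len) {
    if (len >= bufsz)
        return -1;
    memcpy(buf, path, len);
    buf[len] = '\0';
    return 0;
}

/* Walk every directory prefix of path (the text before each '/') the way a
 * PUT handler does before creating intermediate directories. Returns the
 * number of prefixes visited, or -1 as soon as one would not fit in the
 * PATH_BUF-sized stack buffer, so the request is rejected rather than
 * overflowing the stack. */
int walk_dir_prefixes(const char *path) {
    char buf[PATH_BUF];
    const char *s, *p;
    int count = 0;

    if (path == NULL || *path == '\0')
        return 0;
    /* skip a leading '/' so the root separator is not a prefix of its own */
    for (s = path + 1; (p = strchr(s, '/')) != NULL; s = p + 1) {
        size_t len = (size_t)(p - path);
        if (copy_prefix_checked(buf, sizeof buf, path, len) != 0)
            return -1;               /* overlong prefix: refuse the request */
        count++;                     /* here the handler would mkdir(buf) */
    }
    return count;
}
```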

Comment 1 Vincent Danen 2011-08-08 20:23:29 UTC
Created mongoose tracking bugs for this issue

Affects: fedora-all [bug 729146]
