Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2900 to
the following vulnerability:

Name: CVE-2011-2900
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2900
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/5
Reference: http://www.openwall.com/lists/oss-security/2011/08/03/9
Reference: https://code.google.com/p/mongoose/source/detail?r=556f4de91eae4bac40dc5d4ddbd9ec7c424711d0
Reference: http://www.securityfocus.com/bid/48980
Reference: http://secunia.com/advisories/45464
Reference: http://xforce.iss.net/xforce/xfdb/68991

Stack-based buffer overflow in the (1) put_dir function in mongoose.c
in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded
Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in
io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to
execute arbitrary code via an HTTP PUT request, as exploited in the
wild in 2011.


In mongoose, the only guard against a buffer overflow is the assert call in put_dir(), which is disabled if mongoose is compiled with -DNDEBUG (which is _not_ the case in Fedora).  This means that the assert is triggered, resulting in a denial of service only.  Fedora is compiled as follows:

/usr/bin/make 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSSL_LIB='''"libssl.so.10"''' -DCRYPTO_LIB='''"libcrypto.so.10"'''' linux