Stefan Bühler of the lighthttpd project reports: Use after free if FAMMonitorDirectory fails ============================================= Description ------------- If the "fam" is enabled: server.stat-cache-engine = "fam" and there are directories reachable from configured doc roots and aliases on which FAMMonitorDirectory fails (probably depends on file system), a remote client could trigger a DoS. This bug was found with the clang static analyzer. Detailed analysis ------------------- If FAMMonitorDirectory fails, the memory intended to store the context is released; some lines below the "version" compoment of that context is read. Reading invalid data doesn't matter, but the memory access could trigger a segfault. Affected versions ------------------- All versions before 1.4.33. Patch ------- See http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_fam_use_after_free.patch Fixed in ---------- 1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2921 1.4.34: not released yet (http://www.lighttpd.net/) Solutions or workaround ------------------------- Don't enable "fam". References ------------ [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-XXXX (TBD) [2] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2921/diff/ GPG signatures ---------------- * http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_fam_use_after_free.patch.asc * http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_03.txt.asc
Created lighttpd tracking bugs for this issue: Affects: fedora-all [bug 1029666]
Created lighttpd tracking bugs for this issue: Affects: epel-all [bug 1029667]