
oss-sec mailing list archives
CVE request: sthttpd remote heap buffer overflow
From: Alexandre Rebert <alex () forallsecure com>
Date: Thu, 15 Jun 2017 17:33:48 -0400
Hello,

sthttpd [1] is a fork of thttpd, a small, fast, multiplexing webserver. Our fuzzing tools recently found a heap buffer overflow in the request parsing code that can be triggered remotely.

The patch was recently fixed [2], and the bug was introduced in [3]. It seems that it's also affecting thttpd 2.25b present in OpenSUSE [4].

Let us know if you need more information.

Thanks
Alex from ForAllSecure

[1] https://github.com/blueness/sthttpd
[2] https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660
[3] https://github.com/blueness/sthttpd/commit/aa3f36c0bf2aef1ffb17f5188ccf5e8afc13d3dc
[4] https://build.opensuse.org/package/view_file/server:http/thttpd/thttpd-2.25b-strcpy.patch?expand=1
Current thread:
- CVE request: sthttpd remote heap buffer overflow Alexandre Rebert (Jun 15)
- Re: CVE request: sthttpd remote heap buffer overflow Andrej Nemec (Jun 15)
- Re: CVE request: sthttpd remote heap buffer overflow Thomas Deutschmann (Jun 29)
- Re: CVE request: sthttpd remote heap buffer overflow Andrej Nemec (Jun 15)