Your message dated Fri, 11 Jan 2008 05:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#459961: fixed in mt-daapd 0.9~r1696-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: mt-daapd
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mt-daapd.
CVE-2007-5824[0]:
| webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier
| allows remote attackers to cause a denial of service (NULL dereference
| and daemon crash) via a stats method action to /xml-rpc with (1) an
| empty Authorization header line, which triggers a crash in the
| ws_decodepassword function; or (2) a header line without a ':'
| character, which triggers a crash in the ws_getheaders function.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
A patch extracted from upstream CVS is attached.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5824
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-5825-2007-5825.dpatch by Nico Golde <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad mt-daapd-0.9~r1586~/src/webserver.c
mt-daapd-0.9~r1586/src/webserver.c
--- mt-daapd-0.9~r1586~/src/webserver.c 2007-05-17 06:26:33.000000000 +0200
+++ mt-daapd-0.9~r1586/src/webserver.c 2008-01-09 22:19:22.000000000 +0100
@@ -758,7 +758,7 @@
free(value);
}
- if(!last) {
+ if(last == first) {
DPRINTF(E_DBG,L_WS,"Thread %d: Done parsing GET/POST args!\n",
pwsc->threadno);
done=1;
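Review bot: the termination test here changes from `if(!last)` to `if(last == first)`, which is not covered by the CVE-2007-5824 text quoted above (empty Authorization header, header line without ':'), and the dpatch header carries `## DP: No description.`; add a DP line stating which issue each hunk addresses, especially since the file is named CVE-2007-5825 while the report is about CVE-2007-5824.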
@@ -961,12 +961,11 @@
if((auth_handler) && (auth_handler(pwsc,NULL,NULL)==0)) {
/* do the auth thing */
auth=ws_getarg(&pwsc->request_headers,"Authorization");
- if(auth) {
- ws_decodepassword(auth,&username,&password);
+ if((auth) && (ws_decodepassword(auth,&username, &password))) {
if(auth_handler(pwsc,username,password))
can_dispatch=1;
- ws_addarg(&pwsc->request_vars,"HTTP_USER",username);
- ws_addarg(&pwsc->request_vars,"HTTP_PASSWD",password);
+ ws_addarg(&pwsc->request_vars,"HTTP_USER","%s", username);
+ ws_addarg(&pwsc->request_vars,"HTTP_PASSWD", "%s",
password);
free(username); /* this frees password too */
}
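Review bot: `ws_addarg(&pwsc->request_vars,"HTTP_USER","%s", username);` switches the call to a printf-style signature, but no hunk in this patch touches `ws_addarg` itself; unless the tree being patched (0.9~r1586) already has the format-string variant, the `"%s"` literal will be stored as the value and `username` silently ignored. Confirm the signature before applying, or include the matching `ws_addarg` change.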
@@ -1430,6 +1429,7 @@
int pads=0;
unsigned char *decodebuffer;
unsigned char *pin, *pout;
+ char *type,*base64;
int lookup;
*username=NULL;
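Review bot: `type` is declared here but only assigned (`type=header;` in the next hunk) and never compared against `"Basic"`; either check the scheme with it or drop the variable to avoid an unused-variable warning.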
@@ -1458,21 +1458,34 @@
return -1;
/* xlat table is initialized */
- while(*header != ' ')
+ // Trim leading spaces
+ while((*header) && (*header == ' '))
header++;
- header++;
+ // Should be in the form "Basic <base-64 enc username/pw>"
+ type=header;
+ base64 = strchr(header,' ');
+ if(!base64) {
+ // invalid auth header
+ ws_dprintf(L_WS_DBG,"Bad authentication header: %s\n",header);
+ WS_EXIT();
+ return FALSE;
+ }
+
+ *base64 = '\0';
+ base64++;
+
+ decodebuffer=(unsigned char *)malloc(strlen(base64));
- decodebuffer=(unsigned char *)malloc(strlen(header));
if(!decodebuffer)
return -1;
- DPRINTF(E_DBG,L_WS,"Preparing to decode %s\n",header);
+ DPRINTF(E_DBG,L_WS,"Preparing to decode %s\n",base64);
- memset(decodebuffer,0,strlen(header));
+ memset(decodebuffer,0,strlen(base64));
len=0;
pout=decodebuffer;
- pin=(unsigned char *)header;
+ pin=(unsigned char *)base64;
/* this is more than a little sloppy */
while(pin[rack]) {
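Review bot: the failure returns are inconsistent: the new path returns `FALSE` (0) for a bad header, while the retained `return -1;` after the xlat check and after the `malloc` failure are non-zero and will satisfy the caller's new `if((auth) && (ws_decodepassword(...)))` test as if decoding had succeeded; make every failure path return 0. The hunk also writes `*base64 = '\0';` into the string it was handed, so if `ws_getarg` returns a pointer into the stored `Authorization` value, that header is truncated in place; copying the header first, or restoring the space afterwards, avoids the side effect. Finally, `ws_dprintf(L_WS_DBG, ...)` and `WS_EXIT()` differ from the `DPRINTF(E_DBG,L_WS, ...)` convention used elsewhere in this file, so confirm those macros exist in 0.9~r1586.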
--- End Message ---
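The CVE text above describes a crash on an empty Authorization header. As an added example that is not part of the bug report or of mt-daapd, here is a defensive parser for the Basic scheme that returns a single failure code (0) for every malformed input, so a caller can safely use its result as a success flag; the function names `decode_basic_auth` and `auth_matches` and the helper `b64val` are my own, not mt-daapd's.

```c
/* Added example (not mt-daapd code): defensive parser for the value of an
 * "Authorization: Basic <base64>" header.  Every failure returns 0 and nothing
 * is dereferenced unchecked, so empty or malformed input is rejected, not crashed on. */
#include <stdlib.h>
#include <string.h>
#include <strings.h>

static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;   /* -1: padding or garbage */
}

/* Returns 1 and sets *username/*password (one allocation: free(*username))
 * on success; 0 on NULL, empty, non-Basic or malformed input. */
int decode_basic_auth(const char *header, char **username, char **password) {
    const char *p, *b64; unsigned char *out, *o; char *colon;
    unsigned int acc = 0; int bits = 0;

    *username = *password = NULL;
    if (!header) return 0;
    for (p = header; *p == ' '; p++) ;               /* skip leading blanks */
    if (strncasecmp(p, "Basic", 5) != 0) return 0;   /* empty or wrong scheme */
    b64 = p + 5;
    if (*b64 != ' ') return 0;                       /* "Basic" with no value */
    while (*b64 == ' ') b64++;
    if (*b64 == '\0') return 0;
    out = o = malloc(strlen(b64) + 1);               /* decoded text is shorter */
    if (!out) return 0;
    for (p = b64; *p && *p != '='; p++) {
        int v = b64val((unsigned char)*p);
        if (v < 0) { free(out); return 0; }          /* non-alphabet byte */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) { bits -= 8; *o++ = (unsigned char)(acc >> bits); }
    }
    *o = '\0';
    colon = strchr((char *)out, ':');                /* "user:pass" needs ':' */
    if (!colon || strlen((char *)out) != (size_t)(o - out)) { free(out); return 0; }
    *colon = '\0';
    *username = (char *)out;
    *password = colon + 1;
    return 1;
}

/* Helper: 1 if header decodes to exactly user/pass, else 0 (frees the result). */
int auth_matches(const char *header, const char *user, const char *pass) {
    char *u, *pw;
    int ok = decode_basic_auth(header, &u, &pw) && !strcmp(u, user) && !strcmp(pw, pass);
    free(u);
    return ok;
}
```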
--- Begin Message ---
Source: mt-daapd
Source-Version: 0.9~r1696-1
We believe that the bug you reported is fixed in the latest version of
mt-daapd, which is due to be installed in the Debian FTP archive:
mt-daapd_0.9~r1696-1.diff.gz
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.diff.gz
mt-daapd_0.9~r1696-1.dsc
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1.dsc
mt-daapd_0.9~r1696-1_amd64.deb
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696-1_amd64.deb
mt-daapd_0.9~r1696.orig.tar.gz
to pool/main/m/mt-daapd/mt-daapd_0.9~r1696.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joshua Kwan <[EMAIL PROTECTED]> (supplier of updated mt-daapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Thu, 10 Jan 2008 20:48:24 -0800
Source: mt-daapd
Binary: mt-daapd
Architecture: source amd64
Version: 0.9~r1696-1
Distribution: unstable
Urgency: low
Maintainer: Joshua Kwan <[EMAIL PROTECTED]>
Changed-By: Joshua Kwan <[EMAIL PROTECTED]>
Description:
mt-daapd - iTunes-compatible DAAP server
Closes: 459444 459961
Changes:
mt-daapd (0.9~r1696-1) unstable; urgency=low
.
* New upstream snapshot.
* Includes fixes for security bugs CVE-2007-5825, CVE-2007-5824.
closes: #459961
* Fix crash brought on by long filenames, thanks Adrian Bridgett.
closes: #459444
* 03_plugins_in_libdir patch merged by upstream, so it's been removed.
* Bump Standards-Version to 3.7.3 - no changes required.
Files:
--- End Message ---