[PATCH] Re: Possible Vulnerability in httpd.c
walter harms
wharms at bfs.de
Mon Nov 21 17:08:39 UTC 2016
Nice,
but I have another question, based on the comments in the code:
* The arguments are combined and sent as one write operation. Note that
* IE will puke big-time if the headers are not sent in one packet and the
* second packet is delayed for any reason.
The only reason we need to buffer everything is because of IE, whatever.
Can someone confirm that this is still needed?
re,
wh
On 21.11.2016 16:50, Jody Bruchon wrote:
> On 2016-11-21 09:53, Raphael de Carvalho Muniz wrote:
>> We understand that the resulting program may have vulnerabilities when
>> the macro "#if ENABLE_FEATURE_HTTPD_RANGES" is enabled, because of the
>> use of the sprintf() function. According to the CWE Project, this is
>> classified as CWE-134: the use of a function that accepts a format
>> string as an argument, where the format string can originate from an
>> external source.
>>
>> Also according to the CWE Project, this vulnerability can have
>> consequences for confidentiality, integrity and availability, such as
>> allowing information disclosure, which can severely simplify
>> exploitation of the program and the execution of arbitrary code.
>>
>> We'd be very grateful if you could tell us whether you consider this a
>> vulnerability and whether you are motivated to correct it.
>>
> I'm offering up this patch to fix the problem you've reported. I haven't
> tested it but it should be functionally identical and close the most
> obvious sprintf security holes I found on a cursory examination. Hope
> this helps.
>
> -Jody Bruchon
>
>
>
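As an added example (not busybox's httpd.c, not the patch discussed in this thread, and not any participant's code), here is the pattern the report and the quoted comment are about: a client-supplied Range value is parsed with strtoll() and bounds-checked, and the response headers are then assembled into one buffer through a length-checked vsnprintf() wrapper, so client data only ever reaches the formatting call as a %lld argument and never as the format string, while the whole header block can still go out in a single write(). The function names (parse_range, hdr_append, build_range_headers) and the sample inputs are hypothetical.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (added example, not busybox code): parse a
 * "bytes=START-END" Range value (single range, END optional) for a file of
 * file_size bytes. Returns 0 and fills start/end on success, -1 on bad
 * syntax or an unsatisfiable range. The value is only ever parsed with
 * strtoll(); it is never handed to a printf-family function. */
int parse_range(const char *value, long long file_size,
                long long *start, long long *end)
{
    char *p, *q;

    if (file_size <= 0 || strncmp(value, "bytes=", 6) != 0)
        return -1;
    value += 6;
    if (*value < '0' || *value > '9')
        return -1;                  /* suffix ranges ("-500") not handled here */
    errno = 0;
    *start = strtoll(value, &p, 10);
    if (errno != 0 || p == value || *p != '-')
        return -1;
    p++;
    if (*p == '\0') {
        *end = file_size - 1;       /* "START-" means to end of file */
    } else {
        errno = 0;
        *end = strtoll(p, &q, 10);
        if (errno != 0 || q == p || *q != '\0')
            return -1;
        if (*end >= file_size)
            *end = file_size - 1;   /* an end past EOF is clamped, not rejected */
    }
    if (*start >= file_size || *end < *start)
        return -1;
    return 0;
}

/* Append one formatted header line at *pos without overflowing buf.
 * Returns 0 on success, -1 if the line did not fit (the caller then
 * discards the whole buffer instead of sending a truncated header). */
static int hdr_append(char *buf, size_t buflen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= buflen)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, buflen - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= buflen - *pos)
        return -1;                  /* truncated: do not advance past the buffer */
    *pos += (size_t)n;
    return 0;
}

/* Build the complete 206 header block in buf so it can be sent with a
 * single write(). Returns the header length, or -1 if the range is bad
 * or buf is too small. Every format string here is a literal; the range
 * numbers are only ever %lld arguments. */
int build_range_headers(char *buf, size_t buflen,
                        long long range_start, long long range_end, long long file_size)
{
    size_t pos = 0;

    if (range_start < 0 || range_end < range_start || range_end >= file_size)
        return -1;
    if (hdr_append(buf, buflen, &pos, "HTTP/1.0 206 Partial Content\r\n") ||
        hdr_append(buf, buflen, &pos, "Content-Range: bytes %lld-%lld/%lld\r\n",
                   range_start, range_end, file_size) ||
        hdr_append(buf, buflen, &pos, "Content-Length: %lld\r\n",
                   range_end - range_start + 1) ||
        hdr_append(buf, buflen, &pos, "\r\n"))
        return -1;
    return (int)pos;
}

/* Scratch storage used by main() below. */
static char hdr[256];
static long long rstart, rend;

int main(void)
{
    /* Constructed sample input: a client asking for the first 100 bytes
     * of a hypothetical 1000-byte file. */
    if (parse_range("bytes=0-99", 1000, &rstart, &rend) == 0 &&
        build_range_headers(hdr, sizeof hdr, rstart, rend, 1000) > 0)
        fputs(hdr, stdout);         /* one buffer, one write */
    return 0;
}
```

The two failure paths worth noting are the ones a quick sprintf() replacement tends to miss: hdr_append() refuses to advance when vsnprintf() reports truncation, so a too-small buffer yields -1 rather than a header block with a silently cut Content-Range line, and parse_range() rejects anything that is not a digit after "bytes=", so a value such as "bytes=%s-9" never gets near a format string.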