Package: mt-daapd
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mt-daapd.

CVE-2007-5824[0]:
| webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier
| allows remote attackers to cause a denial of service (NULL dereference
| and daemon crash) via a stats method action to /xml-rpc with (1) an
| empty Authorization header line, which triggers a crash in the
| ws_decodepassword function; or (2) a header line without a ':'
| character, which triggers a crash in the ws_getheaders function.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

A patch extracted from upstream CVS is attached.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5824

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-5825-2007-5825.dpatch by Nico Golde <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.
@DPATCH@
diff -urNad mt-daapd-0.9~r1586~/src/webserver.c mt-daapd-0.9~r1586/src/webserver.c
--- mt-daapd-0.9~r1586~/src/webserver.c 2007-05-17 06:26:33.000000000 +0200
+++ mt-daapd-0.9~r1586/src/webserver.c 2008-01-09 22:19:22.000000000 +0100
@@ -758,7 +758,7 @@
free(value);
}
- if(!last) {
+ if(last == first) {
DPRINTF(E_DBG,L_WS,"Thread %d: Done parsing GET/POST args!\n",
pwsc->threadno);
done=1;
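Review bot: the dpatch header still reads "## DP: No description.", and this hunk changes the loop-exit test of the GET/POST argument parser from "if(!last)" to "if(last == first)" without saying how that relates to CVE-2007-5824, which only names ws_decodepassword and ws_getheaders. Add a DP: line (or a comment at the hunk) stating why the termination condition changes, so a reviewer can tell whether this is part of the fix or an unrelated upstream change picked up from CVS.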
@@ -961,12 +961,11 @@
if((auth_handler) && (auth_handler(pwsc,NULL,NULL)==0)) {
/* do the auth thing */
auth=ws_getarg(&pwsc->request_headers,"Authorization");
- if(auth) {
- ws_decodepassword(auth,&username,&password);
+ if((auth) && (ws_decodepassword(auth,&username, &password))) {
if(auth_handler(pwsc,username,password))
can_dispatch=1;
- ws_addarg(&pwsc->request_vars,"HTTP_USER",username);
- ws_addarg(&pwsc->request_vars,"HTTP_PASSWD",password);
+ ws_addarg(&pwsc->request_vars,"HTTP_USER","%s", username);
+ ws_addarg(&pwsc->request_vars,"HTTP_PASSWD", "%s",
password);
free(username); /* this frees password too */
}
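Review bot: the new condition "if((auth) && (ws_decodepassword(auth,&username, &password)))" treats any nonzero return as success, but ws_decodepassword keeps its existing "return -1;" paths (the xlat-table and malloc failures in the later hunk) next to the new "return FALSE;". A -1 return is truthy, so on those paths auth_handler and ws_addarg would be called with username still NULL and free(username) would run on NULL. Make the return convention consistent (TRUE/FALSE throughout, or compare against the success value explicitly). Separately, adding "%s" as a new argument to ws_addarg implies a printf-style signature; the matching declaration change is not in this diff, so confirm it exists in the 0.9~r1586 tree before applying.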
@@ -1430,6 +1429,7 @@
int pads=0;
unsigned char *decodebuffer;
unsigned char *pin, *pout;
+ char *type,*base64;
int lookup;
*username=NULL;
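Review bot: "type" is declared here and assigned in the next hunk ("type=header;") but never read, so nothing checks that the scheme is actually "Basic" before the rest of the value is base64-decoded, and the compiler will warn about a set-but-unused variable. Either compare type against "Basic" and fail otherwise, or drop the declaration.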
@@ -1458,21 +1458,34 @@
return -1;
/* xlat table is initialized */
- while(*header != ' ')
+ // Trim leading spaces
+ while((*header) && (*header == ' '))
header++;
- header++;
+ // Should be in the form "Basic <base-64 enc username/pw>"
+ type=header;
+ base64 = strchr(header,' ');
+ if(!base64) {
+ // invalid auth header
+ ws_dprintf(L_WS_DBG,"Bad authentication header: %s\n",header);
+ WS_EXIT();
+ return FALSE;
+ }
+
+ *base64 = '\0';
+ base64++;
+
+ decodebuffer=(unsigned char *)malloc(strlen(base64));
- decodebuffer=(unsigned char *)malloc(strlen(header));
if(!decodebuffer)
return -1;
- DPRINTF(E_DBG,L_WS,"Preparing to decode %s\n",header);
+ DPRINTF(E_DBG,L_WS,"Preparing to decode %s\n",base64);
- memset(decodebuffer,0,strlen(header));
+ memset(decodebuffer,0,strlen(base64));
len=0;
pout=decodebuffer;
- pin=(unsigned char *)header;
+ pin=(unsigned char *)base64;
/* this is more than a little sloppy */
while(pin[rack]) {
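Review bot: the new early-exit path uses ws_dprintf(L_WS_DBG,...) and WS_EXIT(), while the surrounding code in this tree uses DPRINTF(E_DBG,L_WS,...) and a plain "return -1;"; if those newer macros are not defined in 0.9~r1586 the file will not build, and if they are, the malloc-failure path two lines later still returns without WS_EXIT(), so cleanup is inconsistent. Pick one logging and exit convention for the whole function. Also note that "*base64 = '\0';" writes into the value returned by ws_getarg, so the stored Authorization header is truncated to "Basic" for anything that reads it afterwards, and that nothing in this diff touches ws_getheaders, the second crash site (header line without ':') named in CVE-2007-5824. Finally, the hunk stops at "while(pin[rack]) {" with none of the trailing context the "@@ -1458,21 +1458,34 @@" header implies, so the attachment looks truncated.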
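The two inputs named in the CVE text, a header line with no ':' and an empty or scheme-only "Authorization:" value, both boil down to header parsers that walk a string without checking for its end. The following is an added example written for this report, not code from mt-daapd or the upstream patch; the function names split_header_line and parse_basic_auth, the base64 helper and the sample header lines in main are all constructed here. It shows the defensive shape of both parsers: every loop is bounded by the string terminator, the scheme is checked before decoding, and every malformed input returns a failure code instead of crashing.

```c
#include <stdio.h>
#include <string.h>

/* Split a raw header line "Name: value" into name and value.
 * Returns 1 on success, 0 if the line has no ':' or a part does not fit;
 * a 0 result must not be treated as a header pair by the caller. */
int split_header_line(const char *line, char *name, size_t namesz,
                      char *value, size_t valuesz)
{
    const char *colon = strchr(line, ':');
    const char *v;
    size_t nlen, vlen;

    if (!colon)
        return 0;                          /* the "no ':'" input from the CVE */
    nlen = (size_t)(colon - line);
    if (nlen == 0 || nlen >= namesz)
        return 0;
    memcpy(name, line, nlen);
    name[nlen] = '\0';

    v = colon + 1;
    while (*v == ' ' || *v == '\t')        /* stops at '\0' as well */
        v++;
    vlen = strlen(v);
    while (vlen && (v[vlen - 1] == '\r' || v[vlen - 1] == '\n' || v[vlen - 1] == ' '))
        vlen--;                            /* strip line ending */
    if (vlen >= valuesz)
        return 0;
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return 1;
}

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into out. Returns the decoded length, or -1 for an empty,
 * mis-sized, mis-padded or non-alphabet input, or if out is too small. */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = strlen(in), i, o = 0, pad = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (n == 0 || n % 4 != 0)
        return -1;
    for (i = 0; i < n; i++) {
        int v;
        if (in[i] == '=') { pad++; continue; }
        if (pad)                           /* data after padding is invalid */
            return -1;
        v = b64_value((unsigned char)in[i]);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outsz)
                return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;       /* keep only the unconsumed bits */
        }
    }
    return pad > 2 ? -1 : (int)o;
}

/* Parse an Authorization value "Basic <base64(user:pass)>".
 * Returns 1 and fills user/pass on success, 0 on any malformed value. */
int parse_basic_auth(const char *hdr, char *user, size_t usersz,
                     char *pass, size_t passsz)
{
    static const char scheme[] = "basic";  /* scheme name is case-insensitive */
    unsigned char decoded[256];
    const unsigned char *colon;
    size_t i, ulen, plen;
    int dlen;

    if (!hdr)
        return 0;
    while (*hdr == ' ' || *hdr == '\t')
        hdr++;
    if (*hdr == '\0')
        return 0;                          /* empty header value: CVE case (1) */
    for (i = 0; i < sizeof(scheme) - 1; i++) {
        int c = (unsigned char)hdr[i];     /* a '\0' here mismatches and exits */
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (c != scheme[i])
            return 0;
    }
    hdr += i;
    if (*hdr != ' ')
        return 0;                          /* "Basic" with no credential part */
    while (*hdr == ' ')
        hdr++;
    dlen = b64_decode(hdr, decoded, sizeof(decoded));
    if (dlen <= 0)
        return 0;
    colon = memchr(decoded, ':', (size_t)dlen);
    if (!colon)
        return 0;                          /* decoded text is not user:pass */
    ulen = (size_t)(colon - decoded);
    plen = (size_t)dlen - ulen - 1;
    if (ulen >= usersz || plen >= passsz)
        return 0;
    memcpy(user, decoded, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 1;
}

int main(void)
{
    /* constructed sample header lines, including the two CVE inputs */
    const char *lines[] = { "Authorization: Basic dXNlcjpzZWNyZXQ=\r\n",
                            "Authorization:\r\n", "Authorization\r\n", "Authorization: Basic\r\n" };
    char name[64], value[128], user[64], pass[64];
    size_t k;

    for (k = 0; k < sizeof(lines) / sizeof(lines[0]); k++) {
        if (!split_header_line(lines[k], name, sizeof name, value, sizeof value))
            printf("line %zu: rejected, no ':'\n", k);
        else if (parse_basic_auth(value, user, sizeof user, pass, sizeof pass))
            printf("line %zu: user=%s\n", k, user);
        else
            printf("line %zu: rejected, bad Authorization value '%s'\n", k, value);
    }
    return 0;
}
```

Decoded credentials are split with memchr over the decoded length rather than strchr, so a NUL byte inside the base64 payload cannot cut the search short, and both parsers return 0 rather than a partially filled result so the caller never sees a NULL or dangling username.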