Your message dated Fri, 29 Jan 2010 16:32:58 +0000
with message-id <e1natme-0004r7...@ries.debian.org>
and subject line Bug#566325: fixed in bozohttpd 20090522-2
has caused the Debian Bug report #566325,
regarding bozohttpd: crashes on invalid input
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
566325: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: bozohttpd: crashes on invalid input
Package: bozohttpd
Version: 20090522-1
Severity: grave
Justification: user security hole
Tags: security
*** Please type your report below this line ***
bozohttpd crashes with the input 'GET HTTP/1.0\n\n'. (The correct input
would have a '/' after 'GET'). I marked this as grave because these
kinds of crashes often seem to produce security holes, but I have no
evidence to suggest that this one is actually a security hole (so change
the severity if necessary).
$ echo -ne "GET HTTP/1.0\n\n" | /usr/sbin/bozohttpd /var/www avarner.servebeer.com
got request ``GET HTTP/1.0'' from host <local> to port <stdin>
HTTP/0.9 404 Not Found
Content-Type: text/html
Content-Length: 231
Server: bozohttpd/20090522
<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
HTTP/1.0: <pre>This item has not been found</pre>
<hr><address><a href="http://avarner.servebeer.com/">avarner.servebeer.com</a></address>
</body></html>
*** glibc detected *** /usr/sbin/bozohttpd: free(): invalid pointer: 0x00000000018d80e4 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f5537717d56]
/lib/libc.so.6(cfree+0x6c)[0x7f553771c9bc]
/usr/sbin/bozohttpd[0x40375b]
/usr/sbin/bozohttpd[0x403401]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f55376c5abd]
/usr/sbin/bozohttpd[0x402b79]
-- System Information:
Debian Release: 5.0.3
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages bozohttpd depends on:
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libssl0.9.8 0.9.8k-8 SSL shared libraries
ii openbsd-inetd [inet-superse 0.20080125-2 The OpenBSD Internet Superserver
bozohttpd recommends no packages.
bozohttpd suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: bozohttpd
Source-Version: 20090522-2
We believe that the bug you reported is fixed in the latest version of
bozohttpd, which is due to be installed in the Debian FTP archive:
bozohttpd_20090522-2.diff.gz
to main/b/bozohttpd/bozohttpd_20090522-2.diff.gz
bozohttpd_20090522-2.dsc
to main/b/bozohttpd/bozohttpd_20090522-2.dsc
bozohttpd_20090522-2_amd64.deb
to main/b/bozohttpd/bozohttpd_20090522-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 566...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattias Nordstrom <mnord...@debian.org> (supplier of updated bozohttpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 29 Jan 2010 18:19:36 +0200
Source: bozohttpd
Binary: bozohttpd
Architecture: source amd64
Version: 20090522-2
Distribution: unstable
Urgency: low
Maintainer: Mattias Nordstrom <mnord...@debian.org>
Changed-By: Mattias Nordstrom <mnord...@debian.org>
Description:
bozohttpd - Bozotic HTTP server
Closes: 566325
Changes:
bozohttpd (20090522-2) unstable; urgency=low
.
* Applied patch from Matthew Green to fix input parse bug (closes: #566325)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLYwtgwKTxHeBrP5cRAhE7AKCL0BkE28Z2os3cH7Sbj3+nDfH+sACglwrR
V0Va5rprfSHvOgiNZBCLf7U=
=rn1f
-----END PGP SIGNATURE-----
--- End Message ---