CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Bug #200987 reported by Emanuele Gentili
264
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)
Fix Released
Medium
Emanuele Gentili
Dapper
Fix Released
Medium
Emanuele Gentili
Edgy
Fix Released
Medium
Emanuele Gentili
Feisty
Fix Released
Medium
Emanuele Gentili
Gutsy
Fix Released
Medium
Emanuele Gentili
Hardy
Fix Released
Medium
Emanuele Gentili

Bug Description

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

http://trac.lighttpd.net/trac/ticket/1587
http://trac.lighttpd.net/trac/changeset/2120

Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu6

---------------
lighttpd (1.4.18-1ubuntu6) hardy; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:16:48 +0100

Changed in lighttpd:
status: In Progress → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :
Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Emanuele Gentili (emgent) wrote :
Changed in lighttpd:
assignee: nobody → emgent
importance: Undecided → Medium
status: Confirmed → In Progress
Revision history for this message
Emanuele Gentili (emgent) wrote :

adding CVE-2008-0983

lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

Changed in lighttpd:
status: Fix Released → In Progress
Revision history for this message
Emanuele Gentili (emgent) wrote : Re: CVE-2008-0983 - CVE-2008-1270

hardy not vulnerable to CVE-2008-0983

Changed in lighttpd:
status: In Progress → Fix Released
Revision history for this message
Emanuele Gentili (emgent) wrote :

CVE-2008-0983 fixed in all Ubuntu version by 90_maxfds_crash_fix.dpatch, plese procede to upload attached debdiff.

Changed in lighttpd:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.3

---------------
lighttpd (1.4.18-1ubuntu1.3) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:37:58 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.5

---------------
lighttpd (1.4.13-9ubuntu4.5) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:51:11 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.13~r1370-1ubuntu1.6) edgy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:58:14 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

lighttpd (1.4.11-3ubuntu3.8) dapper-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 15:03:17 +0100

Changed in lighttpd:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.