Accepting request 157924 from server:http

- added checks for crypt() return value (CVE-2012-5640) (bnc#783165)
  * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch (forwarded request 157355 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/157924
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/thttpd?expand=0&rev=27

thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch

@@ -0,0 +1,52 @@
+Index: thttpd-2.25b/libhttpd.c
+===================================================================
+--- thttpd-2.25b.orig/libhttpd.c	2013-03-04 18:01:55.209721739 +0100
++++ thttpd-2.25b/libhttpd.c	2013-03-04 18:01:55.244722735 +0100
+@@ -1024,6 +1024,7 @@ auth_check2( httpd_conn* hc, char* dirna
+     static size_t maxprevuser = 0;
+     static char* prevcryp;
+     static size_t maxprevcryp = 0;
++    char *crypt_result;
+ 
+     /* Construct auth filename. */
+     httpd_realloc_str(
+@@ -1072,7 +1073,10 @@ auth_check2( httpd_conn* hc, char* dirna
+ 	 strcmp( authinfo, prevuser ) == 0 )
+ 	{
+ 	/* Yes.  Check against the cached encrypted password. */
+-	if ( strcmp( crypt( authpass, prevcryp ), prevcryp ) == 0 )
++        crypt_result = crypt( authpass, prevcryp );
++        if ( ! crypt_result )
++            return -1;
++	if ( strcmp( crypt_result, prevcryp ) == 0 )
+ 	    {
+ 	    /* Ok! */
+ 	    httpd_realloc_str(
+@@ -1121,7 +1125,10 @@ auth_check2( httpd_conn* hc, char* dirna
+ 	    /* Yes. */
+ 	    (void) fclose( fp );
+ 	    /* So is the password right? */
+-	    if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
++            crypt_result = crypt( authpass, cryp );
++            if ( ! crypt_result )
++                return -1;
++	    if ( strcmp( crypt_result, cryp ) == 0 )
+ 		{
+ 		/* Ok! */
+ 		httpd_realloc_str(
+Index: thttpd-2.25b/extras/htpasswd.c
+===================================================================
+--- thttpd-2.25b.orig/extras/htpasswd.c	2013-03-04 18:01:55.226722223 +0100
++++ thttpd-2.25b/extras/htpasswd.c	2013-03-04 18:02:15.755306445 +0100
+@@ -133,7 +133,10 @@ add_password( char* user, FILE* f )
+     (void) srandom( (int) time( (time_t*) 0 ) );
+     to64( &salt[0], random(), 2 );
+     cpw = crypt( pw, salt );
+-    (void) fprintf( f, "%s:%s\n", user, cpw );
++    if (cpw)
++        (void) fprintf( f, "%s:%s\n", user, cpw );
++    else
++        (void) fprintf( stderr, "crypt() returned NULL, sorry\n" );
+     }
+ 
+ static void usage(void) {

thttpd.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Mar  4 16:04:08 UTC 2013 - vcizek@suse.com
+
+- added checks for crypt() return value (CVE-2012-5640) (bnc#783165)
+  * thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
+
 -------------------------------------------------------------------
 Wed Oct 24 21:20:29 UTC 2012 - suse@ammler.ch
 

thttpd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package thttpd
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -36,6 +36,8 @@ Patch9:         %{name}-%{version}-chown.diff
 Patch10:        %{name}-%{version}-zerolen.patch
 Patch11:        %{name}-%{version}-strcpy.patch
 Patch12:        thttpd-2.25b-getline.patch
+# PATCH-FIX-SUSE CVE-2012-5640
+Patch13:        thttpd-2.25b-CVE-2012-5640-check_crypt_return_value.patch
 Url:            http://www.acme.com/software/thttpd/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Summary:        Small and very simple webserver
@@ -75,6 +77,7 @@ Authors:
 %patch10
 %patch11
 %patch12
+%patch13 -p1
 
 %build
 cp /usr/share/automake-1.*/config.* .