CVE-2009-2732: Basic Authentication Null Pointer Denial of Service

Related Vulnerabilities: CVE-2009-2732  

Debian Bug report logs - #543312

Package: ntop; Maintainer for ntop is Ludovico Cavedon <cavedon@debian.org>; Source for ntop is src:ntop.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Mon, 24 Aug 2009 06:54:10 UTC

Severity: serious

Tags: security

Fixed in version ntop/3:3.3-12

Done: Ola Lundqvist <opal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#543312; Package ntop. (Mon, 24 Aug 2009 06:54:15 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ola Lundqvist <opal@debian.org>. (Mon, 24 Aug 2009 06:54:15 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Date: Mon, 24 Aug 2009 08:46:17 +0200
Package: ntop
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntop.

CVE-2009-2732[0]:
| The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
| allows remote attackers to cause a denial of service (NULL pointer
| dereference and daemon crash) via an Authorization HTTP header that
| lacks a : (colon) character in the base64-decoded string.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
    http://security-tracker.debian.net/tracker/CVE-2009-2732

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqSNzUACgkQNxpp46476aqaRwCePEnRlTpotXKtcCnxSRnqbSoX
imEAnRKiKt/JAzk57KKzHsAMFEo/v66K
=DhPT
-----END PGP SIGNATURE-----
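The CVE text above describes a classic unchecked-pointer bug in an HTTP Basic authentication path: the server base64-decodes the credential, searches it for ':' to split user from password, and dereferences the result without checking for NULL. The block below is an added illustration written for this page, not ntop's own http.c: the function names (check_password_vulnerable, check_password_fixed, b64_decode, ct_equal), the result codes and the sample headers are all assumptions. It shows the crashing pattern next to the hardened form, which treats a decoded string without ':' as a malformed header and rejects it before any dereference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of a Basic-auth check. Names are illustrative, not ntop's. */
enum auth_result { AUTH_OK = 0, AUTH_BAD_HEADER = 1, AUTH_BAD_CREDS = 2 };

/* Minimal base64 decoder: writes a NUL-terminated result into out and
 * returns the decoded length, or -1 on a bad character or overflow. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL)
            return -1;                      /* not a base64 digit */
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen)
                return -1;                  /* leave room for the NUL */
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Length-independent compare so a wrong password does not leak how many
 * leading bytes matched. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t diff = la ^ lb;
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (size_t)((unsigned char)a[i] ^ (unsigned char)b[i]);
    return diff == 0;
}

/* The bug class in CVE-2009-2732: the code trusts that the decoded
 * credential always contains ':'. For "Basic dXNlcg==" (decodes to
 * "user") strchr() returns NULL and the write through that pointer
 * crashes the daemon. Kept only for comparison; never feed it untrusted
 * input. */
static int check_password_vulnerable(const char *header,
                                     const char *user, const char *pass)
{
    unsigned char buf[256];
    if (strncmp(header, "Basic ", 6) != 0)
        return AUTH_BAD_HEADER;
    if (b64_decode(header + 6, buf, sizeof buf) < 0)
        return AUTH_BAD_HEADER;
    char *colon = strchr((char *)buf, ':');
    *colon = '\0';                          /* NULL dereference when no ':' */
    if (!ct_equal((char *)buf, user) || !ct_equal(colon + 1, pass))
        return AUTH_BAD_CREDS;
    return AUTH_OK;
}

/* Hardened form: a decoded string with no ':' (or with an embedded NUL)
 * is a malformed header and is rejected before any dereference. */
static int check_password_fixed(const char *header,
                                const char *user, const char *pass)
{
    unsigned char buf[256];
    if (strncmp(header, "Basic ", 6) != 0)
        return AUTH_BAD_HEADER;
    int n = b64_decode(header + 6, buf, sizeof buf);
    if (n <= 0)
        return AUTH_BAD_HEADER;
    if (strlen((char *)buf) != (size_t)n)
        return AUTH_BAD_HEADER;             /* embedded NUL: not "user:pass" */
    char *colon = strchr((char *)buf, ':');
    if (colon == NULL)
        return AUTH_BAD_HEADER;             /* the check CVE-2009-2732 lacked */
    *colon = '\0';
    if (!ct_equal((char *)buf, user) || !ct_equal(colon + 1, pass))
        return AUTH_BAD_CREDS;
    return AUTH_OK;
}

int main(void)
{
    /* Constructed sample headers: "admin:secret" and "user" (no colon). */
    const char *good = "Basic YWRtaW46c2VjcmV0";
    const char *nocolon = "Basic dXNlcg==";
    printf("fixed, good header:     %d\n", check_password_fixed(good, "admin", "secret"));
    printf("fixed, no-colon header: %d\n", check_password_fixed(nocolon, "admin", "secret"));
    /* check_password_vulnerable(nocolon, "admin", "secret") would segfault. */
    return 0;
}
```

The decisive line is the `colon == NULL` test: the header is attacker-controlled, so the parser must treat "no separator" as input to reject, not as a case that cannot happen. The same malformed value, `Authorization: Basic dXNlcg==`, is what a practitioner would send to a non-production instance to confirm exposure, since the CVE text says a vulnerable daemon crashes on it. The embedded-NUL check and the constant-time compare are general hardening added here beyond the specific CVE.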




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#543312; Package ntop. (Sun, 27 Sep 2009 09:48:04 GMT)


Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. (Sun, 27 Sep 2009 09:48:04 GMT)


Message #10 received at 543312@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 543312@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Date: Sun, 27 Sep 2009 11:35:46 +0200
Hi Giuseppe

Thanks a lot for the report. The attached patch should solve
this problem.

To the security team. Do you want me to upload this to stable in
addition to unstable?

Please also review if you think this solution is good enough?

// Ola



On Mon, Aug 24, 2009 at 08:46:17AM +0200, Giuseppe Iuculano wrote:
> Package: ntop
> Severity: serious
> Tags: security
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for ntop.
> 
> CVE-2009-2732[0]:
> | The checkHTTPpassword function in http.c in ntop 3.3.10 and earlier
> | allows remote attackers to cause a denial of service (NULL pointer
> | dereference and daemon crash) via an Authorization HTTP header that
> | lacks a : (colon) character in the base64-decoded string.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2732
>     http://security-tracker.debian.net/tracker/CVE-2009-2732
> 
> Cheers,
> Giuseppe.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iEYEARECAAYFAkqSNzUACgkQNxpp46476aqaRwCePEnRlTpotXKtcCnxSRnqbSoX
> imEAnRKiKt/JAzk57KKzHsAMFEo/v66K
> =DhPT
> -----END PGP SIGNATURE-----
> 
> 
> 

-- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Annebergsslingan 37      \
|  ola@inguza.com                      654 65 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
[CVE-2009-2732.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#543312; Package ntop. (Sun, 27 Sep 2009 10:42:18 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. (Sun, 27 Sep 2009 10:42:18 GMT)


Message #15 received at 543312@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ola Lundqvist <opal@debian.org>
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, 543312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Date: Sun, 27 Sep 2009 12:40:54 +0200
On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
> Hi Giuseppe
> 
> Thanks a lot for the report. The attached patch should solve
> this problem.
> 
> To the security team. Do you want me to upload this to stable in
> addition to unstable?

This doesn't warrant a DSA, but you could propose it for a point
update.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#543312; Package ntop. (Sun, 27 Sep 2009 11:00:06 GMT)


Acknowledgement sent to ola@inguza.com:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. (Sun, 27 Sep 2009 11:00:06 GMT)


Message #20 received at 543312@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, 543312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Date: Sun, 27 Sep 2009 12:52:58 +0200
Hi Moritz

On Sun, Sep 27, 2009 at 12:40:54PM +0200, Moritz Muehlenhoff wrote:
> On Sun, Sep 27, 2009 at 11:35:46AM +0200, Ola Lundqvist wrote:
> > Hi Giuseppe
> > 
> > Thanks a lot for the report. The attached patch should solve
> > this problem.
> > 
> > To the security team. Do you want me to upload this to stable in
> > addition to unstable?
> 
> This doesn't warrant a DSA, but you could propose it for a point
> update.

Sure. In that case, where do I upload it? To lenny-proposed-updates?

Best regards,

// Ola

> Cheers,
>         Moritz
> 

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Annebergsslingan 37        \
|  opal@debian.org                   654 65 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------




Reply sent to Ola Lundqvist <opal@debian.org>:
You have taken responsibility. (Tue, 29 Sep 2009 06:30:53 GMT)


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Tue, 29 Sep 2009 06:30:53 GMT)


Message #25 received at 543312-close@bugs.debian.org:

From: Ola Lundqvist <opal@debian.org>
To: 543312-close@bugs.debian.org
Subject: Bug#543312: fixed in ntop 3:3.3-12
Date: Tue, 29 Sep 2009 05:47:18 +0000
Source: ntop
Source-Version: 3:3.3-12

We believe that the bug you reported is fixed in the latest version of
ntop, which is due to be installed in the Debian FTP archive:

ntop_3.3-12.diff.gz
  to pool/main/n/ntop/ntop_3.3-12.diff.gz
ntop_3.3-12.dsc
  to pool/main/n/ntop/ntop_3.3-12.dsc
ntop_3.3-12_i386.deb
  to pool/main/n/ntop/ntop_3.3-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 543312@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ola Lundqvist <opal@debian.org> (supplier of updated ntop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Sep 2009 09:20:27 +0200
Source: ntop
Binary: ntop
Architecture: source i386
Version: 3:3.3-12
Distribution: unstable
Urgency: low
Maintainer: Ola Lundqvist <opal@debian.org>
Changed-By: Ola Lundqvist <opal@debian.org>
Description: 
 ntop       - display network usage in web browser
Closes: 501754 527757 534779 543312
Changes: 
 ntop (3:3.3-12) unstable; urgency=low
 .
   * Correction for CVE-2009-2732. Closes: #543312.
   * Brazilian translation added. Closes: #501754.
   * Russian translation added. Closes: #534779.
   * Added autogen.sh -p to the clean target to make sure that the
     build works fine. Closes: #527757.
Checksums-Sha1: 
 10dd6694592090dc5c80fadb57a55d1ee9d9a594 1097 ntop_3.3-12.dsc
 6be06339b6b90c75e0c8e6867218fda594ef5376 227781 ntop_3.3-12.diff.gz
 4f6d8291c223a438a22ada6fd5ce27e3f1450630 2640516 ntop_3.3-12_i386.deb
Checksums-Sha256: 
 f30d555cf87a545bc3679a39b51859a51294c29fac68f439d25d1a1dce9a3b3a 1097 ntop_3.3-12.dsc
 dc3e1fc035e788ccb242ed9e859bf90ca2b3fa89dc3f6a3226c13366a11c964a 227781 ntop_3.3-12.diff.gz
 ab91aa73d8fc987c4d9249ce38c7ec5d17356fe928652407c6e2e0f13df1b6b4 2640516 ntop_3.3-12_i386.deb
Files: 
 f8fc0e5b124dedeb5fbb0a7bb7e4079b 1097 net optional ntop_3.3-12.dsc
 d0ac9d0b5836534a515024cd335e56de 227781 net optional ntop_3.3-12.diff.gz
 a3ea60cbdd3e2561405ebb131c0036a6 2640516 net optional ntop_3.3-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkrBnhoACgkQGKGxzw/lPdkD8gCfXC0uvL8g5cxZYNo6RG+lH4jI
xhAAnjJEnysjaFBhTH/EhcbBXqtyy938
=r24m
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Ola Lundqvist <opal@debian.org>:
Bug#543312; Package ntop. (Tue, 29 Sep 2009 13:06:03 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Ola Lundqvist <opal@debian.org>. (Tue, 29 Sep 2009 13:06:03 GMT)


Message #30 received at 543312@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: ola@inguza.com
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 543312@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#543312: CVE-2009-2732: Basic Authentication Null Pointer Denial of Service
Date: Tue, 29 Sep 2009 14:58:22 +0200
Ola Lundqvist wrote:
> Sure. In that case where do I upload it. To lenny-proposed-updates?

stable-proposed-updates for lenny and oldstable-proposed-updates for etch. [1]
Please contact the stable release team before you upload.

[1]http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:40:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:18 2019; Machine Name: beach
