Date: Sat, 25 Oct 2008 15:11:56 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: Not a security issue: htpdate "buffer overflow"

Hi,

a user reported[1] an apparent security issue to us regarding htpdate, 
which states in their changelog[2]:
" - Fixed a buffer overflow when time offset gets to large
    https://dev.openwrt.org/cgi-bin/trac.fcgi/ticket/3940 "

However, the diff upstream applied shows this only is an integer 
overflow, which they also confirmed via mail:
'Sorry for the wrong wordings, but it is indeed "only" an integer 
overflow.'

Since other distros also seem to ship htpdate, hopefully this helps to 
save some time.


Robert

[1] https://bugs.gentoo.org/show_bug.cgi?id=243294
[2] http://www.clevervest.com/twiki/bin/view/HTP/ChangelogC
[3] http://bugs.gentoo.org/attachment.cgi?id=169570&action=view
