mini_httpd: Arbitrary code execution — GLSA 201206-27

A vulnerability in mini_httpd could allow remote attackers to execute arbitrary code.

Affected packages

www-servers/mini_httpd on all architectures
Affected versions revision <= 1.19
Unaffected versions

Background

mini_httpd is a small webserver with optional SSL and IPv6 support.

Description

mini_httpd does not properly check for shell escapes when parsing HTTP requests.

Impact

A remote attacker could send specially crafted HTTP requests, possibly resulting in execution of arbitrary code with the privileges of the process, or allowing for overwriting of files.

Workaround

There is no known workaround at this time.

Resolution

Gentoo discontinued support for mini_httpd. We recommend that users unmerge mini_httpd:

 # emerge --unmerge "www-servers/mini_httpd"
 

References

Release date
June 24, 2012

Latest revision
June 24, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries