CVE-2011-4362

NameCVE-2011-4362
DescriptionInteger signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2368-1
NVD severitymedium (attack range: remote)
Debian Bugs652726
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
lighttpd (PTS)squeeze (security), squeeze1.4.28-2+squeeze1.6fixed
wheezy, wheezy (security)1.4.31-4+deb7u3fixed
jessie, sid1.4.35-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
lighttpdsource(unstable)1.4.30-1low652726
lighttpdsourcelenny1.4.19-5+lenny3mediumDSA-2368-1
lighttpdsourcesqueeze1.4.28-2+squeeze1mediumDSA-2368-1

Notes

http://openwall.com/lists/oss-security/2011/11/29/8
http://redmine.lighttpd.net/issues/2370
the announcement says that the debian package is not affected, but there are no additional patches that would cause different behavior (i.e. the base64_reverse_table is the same in debian and upstream), so if upstream is affected, so too is the debian package

Search for package or bug name: Reporting problems