Debian Bug report logs - #484572
CVE-2008-2654: motion off-by-one in webhttpd.c

Package: motion; Maintainer for motion is Nicolas Mora <babelouest@debian.org>; Source for motion is src:motion.

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 4 Jun 2008 23:48:01 UTC

Severity: important

Tags: security

Found in version motion/3.2.9-2

Fixed in version motion/3.2.9-3

Done: Juan Angulo Moreno <juan@apuntale.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>:
Bug#484572; Package motion.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: [motion] off-by-one in webhttpd.c
Date: Thu, 5 Jun 2008 01:42:56 +0200
Package: motion
Version: 3.2.9-2
Severity: minor

Hi,
there is an off-by-one programming error in webhttpd:
From webhttpd.c:
   1950 static int read_client(int client_socket, void *userdata, char *auth)
   ....
   1954         char buffer[1024] = {'\0'};
   1955         int length = 1024;
   ....
   1963                 int nread = 0, readb = -1;
   1964
   1965                 nread = read (client_socket, buffer, length);
   1966
   1967                 if (nread <= 0) {
   1968                         motion_log(LOG_ERR, 1, "httpd First read");
   1969                         pthread_mutex_unlock(&httpd_mutex);
   1970                         return -1;
   1971                 }
   1972                 else {
   1973                         char method[sizeof (buffer)];
   1974                         char url[sizeof (buffer)];
   1975                         char protocol[sizeof (buffer)];
   1976                         char *authentication=NULL;
   1977
   1978                         buffer[nread] = '\0';

This function reads an HTTP request by a client connecting to the administration port of motion.
If the client sends exactly or more than 1024 as an HTTP request, line 1978
will write one byte too far, to buffer[1024], as read in line 1965 will
return 1024 bytes.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
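
Added example, not part of the original report and not the upstream patch: it computes the index that line 1978 writes to for a given request size, next to a bounded read that keeps the terminator inside the buffer. The helper names terminator_index, read_request and request_strlen and the pipe-based input are assumptions made for illustration.

```c
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define REQ_BUF_SIZE 1024            /* size of buffer[] at line 1954 */

/* Index written by "buffer[nread] = '\0'" when the peer sends req_len
 * bytes and read() is asked for `length` bytes (it returns at most that). */
static size_t terminator_index(size_t req_len, size_t length)
{
    return req_len < length ? req_len : length;
}

/* Bounded variant (assumed fix): request one byte less than the buffer
 * holds, so the terminator always lands inside it. Returns bytes read or -1. */
static ssize_t read_request(int fd, char *buf, size_t bufsize)
{
    ssize_t nread;

    if (bufsize == 0)
        return -1;
    nread = read(fd, buf, bufsize - 1);
    if (nread <= 0)
        return -1;
    buf[nread] = '\0';               /* nread <= bufsize - 1 */
    return nread;
}

/* Constructed input: send req_len bytes of 'A' through a pipe, read them
 * with read_request(), and return the length of the resulting string. */
static long request_strlen(size_t req_len)
{
    char buffer[REQ_BUF_SIZE], payload[2 * REQ_BUF_SIZE];
    int fds[2];
    ssize_t n;

    if (req_len > sizeof(payload) || pipe(fds) != 0)
        return -1;
    memset(payload, 'A', req_len);
    n = write(fds[1], payload, req_len);
    close(fds[1]);
    n = (n == (ssize_t)req_len) ? read_request(fds[0], buffer, sizeof(buffer)) : -1;
    close(fds[0]);
    return n < 0 ? -1 : (long)strlen(buffer);
}

int main(void) { return request_strlen(1024) == 1023 ? 0 : 1; }
```

With length equal to the buffer size, terminator_index(1024, 1024) is 1024, one past the last valid index 1023; the bounded read caps the request at 1023 bytes and leaves the rest in the socket.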

Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>:
Bug#484572; Package motion.


Acknowledgement sent to ack@telefonica.net:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.


Message #10 received at 484572@bugs.debian.org:

From: Angel Carpintero <ack@telefonica.net>
To: 484572@bugs.debian.org
Cc: nion@debian.org
Subject: Re: [motion] off-by-one in webhttpd.c
Date: Fri, 06 Jun 2008 08:46:59 +0200
Thanks Nico!

Added the patch to the release notes of 3.2.9:

http://www.lavrsen.dk/twiki/bin/view/Motion/ReleaseNoteMotion3x2x9

Here is the patch:

http://www.lavrsen.dk/twiki/pub/Motion/ReleaseNoteMotion3x2x9/webhttpd-security-video2-backport.diff


Cheers,
-- 
Angel Carpintero
ack ( at ) telefonica ( dot ) net

Key fingerprint = 3FD3 9C90 149E 7824 CECD  6BCF AC2C CA61 6EF1 B90D

"Knowing is not enough; we must apply.
 Willing is not enough; we must do"

 Johann Wolfgang von Goethe

Severity set to `important' from `minor' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 06 Jun 2008 06:57:05 GMT)


Tags added: security Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 06 Jun 2008 06:57:07 GMT)


Reply sent to Juan Angulo Moreno <juan@apuntale.com>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #19 received at 484572-close@bugs.debian.org:

From: Juan Angulo Moreno <juan@apuntale.com>
To: 484572-close@bugs.debian.org
Subject: Bug#484572: fixed in motion 3.2.9-3
Date: Sat, 07 Jun 2008 06:47:03 +0000
Source: motion
Source-Version: 3.2.9-3

We believe that the bug you reported is fixed in the latest version of
motion, which is due to be installed in the Debian FTP archive:

motion_3.2.9-3.diff.gz
  to pool/main/m/motion/motion_3.2.9-3.diff.gz
motion_3.2.9-3.dsc
  to pool/main/m/motion/motion_3.2.9-3.dsc
motion_3.2.9-3_amd64.deb
  to pool/main/m/motion/motion_3.2.9-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 484572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Juan Angulo Moreno <juan@apuntale.com> (supplier of updated motion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 06 Jun 2008 23:29:02 -0430
Source: motion
Binary: motion
Architecture: source amd64
Version: 3.2.9-3
Distribution: unstable
Urgency: low
Maintainer: Juan Angulo Moreno <juan@apuntale.com>
Changed-By: Juan Angulo Moreno <juan@apuntale.com>
Description: 
 motion     - V4L capture program supporting motion detection
Closes: 419158 484148 484410 484566 484570 484572
Changes: 
 motion (3.2.9-3) unstable; urgency=low
 .
   * Debconf translation: Galician (Closes: #484148).
     Thanks Jacobo Tarrio.
   * Fixed: Document removal of motion-control (Closes: #419158).
   * Fixed: Bashism in debian/rules (Closes: #484410).
   * Fixed: Off-by-one in webhttpd.c (Closes: #484572).
     Thanks Angel Carpintero.
   * Fixed: Motion crashes after some time of running
     (Closes: #484566). Thanks Angel Carpintero.
   * Fixed: motion.conf world readable and thus writable through web
     interface by default (Closes: #484570).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhKKowACgkQgY5NIXPNpFVDUgCdFOINCkt/Cy+xcKN0OLOl18wK
a54AoJW3M4jImPnXR+FvZwfczpL6YXes
=3b1a
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>:
Bug#484572; Package motion.


Acknowledgement sent to ack@telefonica.net:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.


Message #24 received at 484572@bugs.debian.org:

From: Angel Carpintero <ack@telefonica.net>
To: 484572@bugs.debian.org
Subject: [bug 484572] Fixed and ready to be released
Date: Tue, 10 Jun 2008 23:39:16 +0200
Added note and patch that fix the issue here:

http://www.lavrsen.dk/twiki/bin/view/Motion/ReleaseNoteMotion3x2x9

http://www.lavrsen.dk/twiki/pub/Motion/ReleaseNoteMotion3x2x9/webhttpd-security-video2-backport.diff


Ready to be added to 3.2.9-4.

Cheers,

-- 
Angel Carpintero
ack ( at ) telefonica ( dot ) net

Key fingerprint = 3FD3 9C90 149E 7824 CECD  6BCF AC2C CA61 6EF1 B90D

"Knowing is not enough; we must apply.
 Willing is not enough; we must do"

 Johann Wolfgang von Goethe

Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>:
Bug#484572; Package motion.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.


Message #29 received at 484572@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 484572@bugs.debian.org
Subject: Re: [motion] off-by-one in webhttpd.c
Date: Wed, 11 Jun 2008 01:01:14 +0200
Hi,
comments on the exploitability are welcome, see:
http://www.openwall.com/lists/oss-security/2008/06/10/1

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#484572; Package motion.


Acknowledgement sent to Juan Angulo Moreno <juan@apuntale.com>:
Extra info received and forwarded to list.


Message #34 received at 484572@bugs.debian.org:

From: Juan Angulo Moreno <juan@apuntale.com>
To: Nico Golde <nion@debian.org>, 484572@bugs.debian.org, 484566@bugs.debian.org
Subject: Re: Bug#484572: [motion] off-by-one in webhttpd.c
Date: Tue, 10 Jun 2008 18:55:38 -0430
Hi,

Since the bugs were repaired[1], please do tests.

Thank you.


[1] http://0x29.com.ve/debian/motion/motion_3.2.9-4.dsc

--
Juan Angulo Moreno


Nico Golde wrote:
> Hi,
> comments on the exploitability are welcome, see:
> http://www.openwall.com/lists/oss-security/2008/06/10/1
>
> Cheers
> Nico
>
>   





Information forwarded to debian-bugs-dist@lists.debian.org, Juan Angulo Moreno <juan@apuntale.com>:
Bug#484572; Package motion.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Juan Angulo Moreno <juan@apuntale.com>.


Message #39 received at 484572@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 484572@bugs.debian.org
Subject: Re: [motion] off-by-one in webhttpd.c
Date: Wed, 11 Jun 2008 03:12:45 +0200
retitle 484572 CVE-2008-2654: motion off-by-one in webhttpd.c
thanks

Hi,

Just to let you know, CVE-2008-2654 was assigned to this 
issue.

Kind regards
Nico


-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `CVE-2008-2654: motion off-by-one in webhttpd.c' from `[motion] off-by-one in webhttpd.c'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 11 Jun 2008 01:15:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jul 2008 07:41:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:38:42 2025; Machine Name: buxtehude
