Luiz Fernando wrote an article in the Full-Disclosure Mailing List (see: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0547.html), publishing a PoC of how to crash htpasswd. This could become a problem if htpasswd is run suid root with user-supplied arguments at the command line. Larry Cashdollar <lwc@vapid.ath.cx> replied to this message via BUGTRAQ, giving a patch which replaces all calls to strcpy() with calls to strncpy(). Looking at the code, I found that this wasn't necessary, because the strcpy() calls in the original are protected by if-statements. Well, almost all strcpy() calls are protected. At one place the protecting if-statement slipped into another one, becoming useless in some situations. So I created this little patch against src/support/htpasswd.c shipped with apache-1.3.33.tar.gz:

--- cut --- cut --- cut --- --- src/support/htpasswd.c.orig Fri Feb 20 23:02:24 2004 +++ src/support/htpasswd.c Fri Oct 29 21:13:36 2004 @@ -411,11 +411,11 @@ return ERR_OVERFLOW; } strcpy(pwfilename, argv[i]); - if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { - fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], - (unsigned long)(sizeof(user) - 1)); - return ERR_OVERFLOW; - } + } + if (strlen(argv[i + 1]) > (sizeof(user) - 1)) { + fprintf(stderr, "%s: username too long (>%lu)\n", argv[0], + (unsigned long)(sizeof(user) - 1)); + return ERR_OVERFLOW; } strcpy(user, argv[i + 1]); if ((arg = strchr(user, ':')) != NULL) { --- cut --- cut --- cut ---

Larry told us that there is a Nessus plugin which recognizes this buffer overflow and recommends an update to Apache httpd 1.3.32. But I couldn't find a corresponding entry in the bug database. :-( Comparing the versions 1.3.31, 1.3.32 and 1.3.33, I found no differences between the files. ...
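Review bot: the brace move is the right fix as far as the visible lines show: the added `}` closes the enclosing block directly after `strcpy(pwfilename, argv[i]);`, so the `strlen(argv[i + 1]) > (sizeof(user) - 1)` check now runs on every path that reaches `strcpy(user, argv[i + 1]);`, not only inside that block. Two things to confirm before applying, since neither is visible in the hunk: that argv[i + 1] is the username on the path that skips the enclosing block as well (otherwise the check guards the wrong argument there), and that argc has already been validated so argv[i + 1] exists on that path. A one-line comment above the moved check saying why it must stay outside the block would stop the next edit from nesting it again.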
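The defect described in the post is a length check that was nested inside a conditional block while the strcpy() it was meant to protect sat outside that block, so the copy ran unchecked whenever the block was skipped. The following C program is an added example, not htpasswd's code and not part of the bug report: it models the post-patch control flow with a hypothetical parse_user_args() in which the password-file argument may be absent (assumed "no file" mode, passed as NULL) and the username is always present, and folds check and copy into one bounded_copy() helper so the two cannot drift apart again. The error codes, the helper, and the mode handling are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Error codes are constructed for this example; htpasswd's own values are not reproduced. */
#define ERR_OVERFLOW 1
#define ERR_BADUSER  2

#define MAX_STRING_LEN 256

/* Copy src into a fixed-size buffer only if it fits, NUL included.
   Keeping the check and the copy in one helper means no later edit can
   move the check into a branch that the copy does not take. */
static int bounded_copy(char *dst, size_t dstlen, const char *src,
                        const char *what, const char *prog)
{
    if (strlen(src) > dstlen - 1) {
        fprintf(stderr, "%s: %s too long (>%lu)\n", prog, what,
                (unsigned long)(dstlen - 1));
        return ERR_OVERFLOW;
    }
    strcpy(dst, src);   /* safe: the length was checked on this same path */
    return 0;
}

/* Hypothetical argument handler modelled on the patched flow.
   file_arg may be NULL (assumed "no password file" mode); user_arg is
   always present. The username check runs on both paths. */
int parse_user_args(const char *prog, const char *file_arg, const char *user_arg,
                    char *pwfilename, size_t pwlen, char *user, size_t userlen)
{
    int rc;

    pwfilename[0] = '\0';
    if (file_arg != NULL) {
        rc = bounded_copy(pwfilename, pwlen, file_arg, "filename", prog);
        if (rc != 0)
            return rc;
    }
    /* Outside the file-mode block, as in the patch, so it cannot be skipped. */
    rc = bounded_copy(user, userlen, user_arg, "username", prog);
    if (rc != 0)
        return rc;
    if (strchr(user, ':') != NULL) {
        fprintf(stderr, "%s: username contains illegal character ':'\n", prog);
        return ERR_BADUSER;
    }
    return 0;
}

/* Convenience wrappers with static buffers so the cases below are one call each. */
static char g_pwfilename[MAX_STRING_LEN];
static char g_user[MAX_STRING_LEN];
static char g_long[MAX_STRING_LEN + 64];

int check_user(const char *file_arg, const char *user_arg)
{
    return parse_user_args("htpasswd", file_arg, user_arg,
                           g_pwfilename, sizeof g_pwfilename,
                           g_user, sizeof g_user);
}

const char *last_user(void) { return g_user; }

/* Constructed overlong argument: MAX_STRING_LEN + 63 'A's. */
const char *make_long_arg(void)
{
    memset(g_long, 'A', sizeof g_long - 1);
    g_long[sizeof g_long - 1] = '\0';
    return g_long;
}

int main(void)
{
    printf("file mode, short user:     rc=%d\n", check_user(".htpasswd", "alice"));
    printf("no-file mode, long user:   rc=%d\n", check_user(NULL, make_long_arg()));
    printf("file mode, long user:      rc=%d\n", check_user(".htpasswd", make_long_arg()));
    printf("file mode, long filename:  rc=%d\n", check_user(make_long_arg(), "alice"));
    printf("no-file mode, user with ':': rc=%d\n", check_user(NULL, "a:b"));
    return 0;
}
```

The second case is the one the original code missed: with no file argument the enclosing block is skipped, and the username still has to be rejected before it is copied into the fixed-size buffer.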
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX. If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug. Thank you for reporting the bug.