FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2013-4559

This CVE name corresponds to:

Entered     Topic
2014-02-14  lighttpd -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2013-4559
Phase Assigned(20130612)

Description

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
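The unchecked-return-value pattern the description refers to, beside a checked version, as an added example written for this entry (it is not lighttpd's code and not from the FreeBSD port). The target uid/gid 12345 is a constructed value that need not exist on the system, and the function names are mine. On Linux, setuid(2) fails with EAGAIN when the target real uid is already at its RLIMIT_NPROC, which is the process-limit trick the description mentions; the same check also catches EPERM and ENOMEM, so it matters on every platform. The attacker in that scenario must already be able to run processes as the server's unprivileged user (for example through a compromised CGI) and then wait for, or provoke, a restart by root.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target identity for the demo; it does not need to exist in
 * /etc/passwd. A real daemon would resolve its user with getpwnam(). */
#define TARGET_UID ((uid_t)12345)
#define TARGET_GID ((gid_t)12345)

/* The pattern the advisory describes, paraphrased (not lighttpd's code):
 * every return value is discarded. If any call fails (EPERM, ENOMEM, or on
 * Linux EAGAIN because the target uid is at its RLIMIT_NPROC) the daemon keeps
 * the credentials it started with, i.e. root after a restart. glibc marks
 * these calls warn_unused_result, so the compiler already warns here. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgroups(0, NULL);
    setgid(gid);
    setuid(uid);
}

/* Hardened version: check each call, then verify the outcome rather than
 * trusting it. Returns 0 on success, -1 with a message in err on failure.
 * A caller that gets -1 must exit; continuing to serve as root is the bug. */
static int drop_privileges_checked(uid_t uid, gid_t gid, char *err, size_t errlen)
{
    if (setgroups(0, NULL) != 0) {
        snprintf(err, errlen, "setgroups: %s", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {   /* gid before uid: changing it needs root */
        snprintf(err, errlen, "setgid(%lu): %s", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        snprintf(err, errlen, "setuid(%lu): %s", (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Belt and braces: the ids must really be what we asked for ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        snprintf(err, errlen, "%s", "credentials did not change as requested");
        return -1;
    }
    /* ... and root must not be recoverable (a saved uid of 0 would allow it). */
    if (uid != 0 && setuid(0) == 0) {
        snprintf(err, errlen, "%s", "root could be regained after dropping it");
        return -1;
    }
    err[0] = '\0';
    return 0;
}

/* Run the unchecked variant in a child so the parent keeps its own identity.
 * Returns 1 if the child still had the parent's effective uid afterwards
 * (a silent failure), 0 if its uid changed, -1 if fork/waitpid failed. */
int unchecked_kept_privileges(void)
{
    uid_t before = geteuid();
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        drop_privileges_unchecked(TARGET_UID, TARGET_GID);
        _exit(geteuid() == before ? 1 : 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 when the checked variant's verdict agrees with the process's real
 * identity afterwards: success only if we now are TARGET_UID/TARGET_GID (only
 * possible when started as root with the needed capabilities), failure
 * otherwise. Note that calling this changes the caller's credentials. */
int checked_verdict_matches_reality(void)
{
    char err[128];
    int rc = drop_privileges_checked(TARGET_UID, TARGET_GID, err, sizeof err);
    int really_dropped = (geteuid() == TARGET_UID && getegid() == TARGET_GID);
    return (rc == 0) == really_dropped;
}

int main(void)
{
    char err[128];
    int kept = unchecked_kept_privileges();
    printf("unchecked variant in child: %s\n",
           kept == 1 ? "euid unchanged, failure went unnoticed"
         : kept == 0 ? "uid changed" : "fork failed");
    if (drop_privileges_checked(TARGET_UID, TARGET_GID, err, sizeof err) != 0) {
        fprintf(stderr, "checked variant: refusing to run: %s\n", err);
        return 1;
    }
    printf("checked variant: now uid %lu gid %lu\n",
           (unsigned long)geteuid(), (unsigned long)getegid());
    return 0;
}
```

Run as an ordinary user the unchecked variant silently does nothing while the checked one refuses to start with "setgroups: Operation not permitted"; run as root it ends up as uid 12345 and reports success only after confirming that root cannot be regained. The order setgroups, setgid, setuid is deliberate: once the uid is no longer 0 the group changes would fail.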

References

Source   Reference
MLIST    [oss-security] 20131112 Re: CVE Request: lighttpd multiple issues (setuid/... unchecked return value, FAM: read after free)
CONFIRM  http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_02.txt
DEBIAN   DSA-2795
SUSE     openSUSE-SU-2014:0072
SECUNIA  55682