Subject: [ASA-201802-5] sthttpd: arbitrary code execution Arch Linux Security Advisory ASA-201802-5 ========================================= Severity: High Date : 2018-02-09 CVE-ID : CVE-2017-10671 Package : sthttpd Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-333 Summary ======= The package sthttpd before version 2.27.1-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.27.1-1. # pacman -Syu "sthttpd>=2.27.1-1" The problem has been fixed upstream in version 2.27.1. Workaround ========== None. Description =========== Heap-based Buffer Overflow in the de_dotdot function in libhttpd.c in sthttpd before 2.27.1 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted filename. Impact ====== A remote attacker is able to crash and possibly execute arbitrary code on the server by requesting a maliciously-crafted request. References ========== https://github.com/blueness/sthttpd/commit/c0dc63a49d8605649f1d8e4a96c9b468b0bff660 http://seclists.org/oss-sec/2017/q2/481 https://security.archlinux.org/CVE-2017-10671