Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libmicroht...@packages.debian.org, Daniel Baumann <daniel.baum...@progress-linux.org>, car...@debian.org
Control: affects -1 + src:libmicrohttpd
Dear release team,

Please unblock package libmicrohttpd.

The new version in unstable fixes CVE-2023-27371, a denial of service vulnerability, which got fixed targeted by picking the upstream commit for it. No other changes were applied. As the package is a key package it needs now a manual approval for unblock. It was already long enough in unstable, and passes the autopkgtest runs.

unblock libmicrohttpd/0.9.75-6

Regards,
Salvatore
diff -Nru libmicrohttpd-0.9.75/debian/changelog libmicrohttpd-0.9.75/debian/changelog --- libmicrohttpd-0.9.75/debian/changelog 2023-01-30 17:30:27.000000000 +0100 +++ libmicrohttpd-0.9.75/debian/changelog 2023-03-03 14:51:24.000000000 +0100 @@ -1,3 +1,11 @@ +libmicrohttpd (0.9.75-6) sid; urgency=high + + * Uploading to sid. + * Adding patch from libmicrohttpd 0.9.76 to fix a parser bug that could + be used to crash servers using the MHD_PostProcessor [CVE-2023-27371]. + + -- Daniel Baumann <daniel.baum...@progress-linux.org> Fri, 03 Mar 2023 14:51:24 +0100 + libmicrohttpd (0.9.75-5) sid; urgency=medium * Uploading to sid. diff -Nru libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch --- libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch 1970-01-01 01:00:00.000000000 +0100 +++ libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch 2023-03-03 14:47:29.000000000 +0100 
@@ -0,0 +1,22 @@ +Author: Christian Grothoff <christ...@grothoff.org> +Description: fix parser bug that could be used to crash servers using the MHD_PostProcessor + Fix potential DoS vector in MHD_PostProcessor discovered + by Gynvael Coldwind and Dejan Alvadzijevic [CVE-2023-27371]. + . + While the researchers have not been able to exploit this attack vector + when libmicrohttpd is compiled with the standard GNU C library, it is + recommended that you update MHD as soon as possible if PostProcessor + functionality is used in your applications. + +diff -Naurp libmicrohttpd.orig/src/microhttpd/postprocessor.c libmicrohttpd/src/microhttpd/postprocessor.c +--- libmicrohttpd.orig/src/microhttpd/postprocessor.c ++++ libmicrohttpd/src/microhttpd/postprocessor.c +@@ -297,7 +297,7 @@ MHD_create_post_processor (struct MHD_Co + return NULL; /* failed to determine boundary */ + boundary += MHD_STATICSTR_LEN_ ("boundary="); + blen = strlen (boundary); +- if ( (blen == 0) || ++ if ( (blen < 2) || + (blen * 2 + 2 > buffer_size) ) + return NULL; /* (will be) out of memory or invalid boundary */ + if ( (boundary[0] == '"') && diff -Nru libmicrohttpd-0.9.75/debian/patches/series libmicrohttpd-0.9.75/debian/patches/series --- libmicrohttpd-0.9.75/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libmicrohttpd-0.9.75/debian/patches/series 2023-03-03 14:47:34.000000000 +0100 @@ -0,0 +1 @@ +debian/0001-PostProcessor-DoS.patch
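Review bot: In the debian/0001-PostProcessor-DoS.patch hunk, the only functional change is `blen == 0` becoming `blen < 2`, which rejects one-character boundaries before the quoted-boundary handling that begins at `if ( (boundary[0] == '"') &&`; the quoted context stops there, so the reviewer should confirm against the full postprocessor.c that the following lines index the last byte of the boundary (the case where a length of 1 reads outside the intended range) and that requiring at least two bytes is the correct minimum rather than a check applied after quote stripping. The DEP-3 header carries `Author:` and `Description:` but no `Origin:` naming the upstream 0.9.76 commit and no `Bug-Debian:` or `Applied-Upstream:` field; adding `Origin: upstream, <commit URL>` (placeholder, the actual URL is not in this diff) would let the "straight cherry-pick, no other changes" claim in the unblock request be verified from the package itself.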