Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye.
It is marked as no-dsa by the security team.
The fix was uploaded to Buster about a year ago and nobody complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I
am catching up on this now.
Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog
libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog 2021-02-27 06:47:48.000000000
+0100
+++ libmicrohttpd-0.9.72/debian/changelog 2024-03-23 12:03:02.000000000
+0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-27371
+ parsing crafted POST requests result in an out of bounds read, which
+ might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sat, 23 Mar 2024 12:03:02 +0100
+
libmicrohttpd (0.9.72-2) sid; urgency=medium
* Uploading to sid.
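Review bot: the CVE bullet in the new changelog entry has a subject/verb mismatch ("parsing crafted POST requests result in") and names neither the affected component nor the upstream fix; suggest wording it as "parsing crafted POST requests results in an out-of-bounds read in MHD_PostProcessor, which might cause a DoS (upstream commit e0754d1638c6)", so that readers of the changelog can tie the entry to the patch without opening debian/patches.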
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 1970-01-01
01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 2023-03-29
19:22:12.000000000 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christ...@grothoff.org>
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===================================================================
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c 2023-03-29
19:22:08.888629726 +0200
++++ libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c 2023-03-29
19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+ return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+- if ( (blen == 0) ||
++ if ( (blen < 2) ||
+ (blen * 2 + 2 > buffer_size) )
+ return NULL; /* (will be) out of memory or invalid
boundary */
+ if ( (boundary[0] == '"') &&
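Review bot: the patch carries only the upstream Subject line as its description and does not say why `blen < 2` rather than `blen == 0` is the correct bound; the new check sits directly before the quoted-boundary handling at `+ if ( (boundary[0] == '"') &&`, so the rationale (a one-byte boundary must not reach that code) belongs in the patch header for a later reviewer to verify without the upstream tree. Also add DEP-3 headers (`Origin: upstream, https://...` pointing at commit e0754d1638c602382384f1eface30854b1defeec and `Bug:`/`Bug-Debian:` lines for CVE-2023-27371) above the `---` separator, as the other LTS uploads do.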
diff -Nru libmicrohttpd-0.9.72/debian/patches/series
libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ libmicrohttpd-0.9.72/debian/patches/series 2023-03-29 19:21:28.000000000
+0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch
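Review bot: debian/patches/series is created from scratch here (the `---` side is dated 1970-01-01, i.e. the file did not exist in 0.9.72-2), so this is the first quilt patch the package carries; please confirm debian/source/format is "3.0 (quilt)" so the series file is actually applied at build time, and check the build log for the "Applying patch CVE-2023-27371.patch" line before upload.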