Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Severity: normal
Dear release team,
I would like to fix 2 security issues and another open issue in
libmicrohttpd, as stated in Debian bug #731933. In this bug, Moritz
Muehlenhoff suggests going through stable proposed updates instead of a DSA.
I prepared a new version and uploaded it to mentors [1] with the
following changes:
* Fix various security issues (closes: #731933):
+ out-of-bounds read in MHD_http_unescape(), patch picked upstream,
CVE-2013-7038.
+ stack overflow in MHD_digest_auth_check(), patch picked upstream,
CVE-2013-7039.
+ handle case that original allocation request was zero and fix theoretical
overflow issue reported by Florian Weimer, patch picked upstream.
You will find attached a full debdiff to the current wheezy package.
Would you consider allowing it to go to wheezy?
Thanks,
Bertrand
[1] http://mentors.debian.net/debian/pool/main/libm/libmicrohttpd/libmicrohttpd_0.9.20-1+deb7u1.dsc
diff -Nru libmicrohttpd-0.9.20/debian/changelog libmicrohttpd-0.9.20/debian/changelog
--- libmicrohttpd-0.9.20/debian/changelog 2012-06-24 12:28:35.000000000 +0200
+++ libmicrohttpd-0.9.20/debian/changelog 2013-12-26 16:09:57.000000000 +0100
@@ -1,3 +1,15 @@
+libmicrohttpd (0.9.20-1+deb7u1) wheezy; urgency=medium
+
+ * Fix various security issues (closes: #731933):
+ + out-of-bounds read in MHD_http_unescape(), patch picked upstream,
+ CVE-2013-7038.
+ + stack overflow in MHD_digest_auth_check(), patch picked upstream,
+ CVE-2013-7039.
+ + handle case that original allocation request was zero and fix theoretical
+ overflow issue reported by Florian Weimer, patch picked upstream.
+
+ -- Bertrand Marc <beberking@gmail.com> Thu, 26 Dec 2013 15:41:39 +0100
+
libmicrohttpd (0.9.20-1) unstable; urgency=low
* debian/control: add Vcs-Git and Vcs-browser fields.
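Review bot: the third changelog item is the one fix without a CVE, so a reviewer of this stable update has to match it to upstream by hand; repeating the upstream revision numbers that the patch header already carries (30926,30927) in that bullet would make the audit trail self-contained. The rest of the entry follows the usual wheezy +deb7uN versioning and urgency conventions.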
diff -Nru libmicrohttpd-0.9.20/debian/patches/allocation_request_was_zero.diff libmicrohttpd-0.9.20/debian/patches/allocation_request_was_zero.diff
--- libmicrohttpd-0.9.20/debian/patches/allocation_request_was_zero.diff 1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.20/debian/patches/allocation_request_was_zero.diff 2013-12-26 15:39:19.000000000 +0100
@@ -0,0 +1,82 @@
+Author: Christian Grothoff <christian@grothoff.org>
+Description: handle case that original allocation request was zero and fix
+ theoretical overflow issue reported by Florian Weimer.
+Origin: upstream, commit: 30926,30927
+--- a/src/daemon/memorypool.c
++++ b/src/daemon/memorypool.c
+@@ -135,19 +135,22 @@
+ size_t size, int from_end)
+ {
+ void *ret;
++ size_t asize;
+
+- size = ROUND_TO_ALIGN (size);
+- if ((pool->pos + size > pool->end) || (pool->pos + size < pool->pos))
++ asize = ROUND_TO_ALIGN (size);
++ if ( (0 == asize) && (0 != size) )
++ return NULL; /* size too close to SIZE_MAX */
++ if ((pool->pos + asize > pool->end) || (pool->pos + asize < pool->pos))
+ return NULL;
+ if (from_end == MHD_YES)
+ {
+- ret = &pool->memory[pool->end - size];
+- pool->end -= size;
++ ret = &pool->memory[pool->end - asize];
++ pool->end -= asize;
+ }
+ else
+ {
+ ret = &pool->memory[pool->pos];
+- pool->pos += size;
++ pool->pos += asize;
+ }
+ return ret;
+ }
+@@ -175,34 +178,37 @@
+ size_t new_size)
+ {
+ void *ret;
++ size_t asize;
+
+- new_size = ROUND_TO_ALIGN (new_size);
+- if ((pool->end < old_size) || (pool->end < new_size))
++ asize = ROUND_TO_ALIGN (new_size);
++ if ( (0 == asize) && (0 != new_size) )
++ return NULL; /* new_size too close to SIZE_MAX */
++ if ((pool->end < old_size) || (pool->end < asize))
+ return NULL; /* unsatisfiable or bogus request */
+
+ if ((pool->pos >= old_size) && (&pool->memory[pool->pos - old_size] == old))
+ {
+ /* was the previous allocation - optimize! */
+- if (pool->pos + new_size - old_size <= pool->end)
++ if (pool->pos + asize - old_size <= pool->end)
+ {
+ /* fits */
+- pool->pos += new_size - old_size;
+- if (new_size < old_size) /* shrinking - zero again! */
+- memset (&pool->memory[pool->pos], 0, old_size - new_size);
++ pool->pos += asize - old_size;
++ if (asize < old_size) /* shrinking - zero again! */
++ memset (&pool->memory[pool->pos], 0, old_size - asize);
+ return old;
+ }
+ /* does not fit */
+ return NULL;
+ }
+- if (new_size <= old_size)
++ if (asize <= old_size)
+ return old; /* cannot shrink, no need to move */
+- if ((pool->pos + new_size >= pool->pos) &&
+- (pool->pos + new_size <= pool->end))
++ if ((pool->pos + asize >= pool->pos) &&
++ (pool->pos + asize <= pool->end))
+ {
+ /* fits */
+ ret = &pool->memory[pool->pos];
+ memcpy (ret, old, old_size);
+- pool->pos += new_size;
++ pool->pos += asize;
+ return ret;
+ }
+ /* does not fit */
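Review bot: in the MHD_pool_allocate hunk, the new guard `if ( (0 == asize) && (0 != size) ) return NULL;` only rejects a size whose rounding wraps to exactly 0, so its correctness depends on ROUND_TO_ALIGN being a mask-based round-up (any value within ALIGN-1 of SIZE_MAX then wraps to 0); stating that assumption next to the `/* size too close to SIZE_MAX */` comment would save the next reader the derivation. In the MHD_pool_reallocate hunk, old_size is used unrounded against the rounded asize (`pool->pos += asize - old_size;` and the memset length `old_size - asize`), so the patch assumes callers hand back the aligned size they were given; worth confirming against the callers in the wheezy source, since an unaligned old_size would leave pool->pos unaligned. The Origin field lists bare SVN revisions; DEP-3 prefers a URL so both commits can be retrieved.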
diff -Nru libmicrohttpd-0.9.20/debian/patches/CVE-2013-7038.diff libmicrohttpd-0.9.20/debian/patches/CVE-2013-7038.diff
--- libmicrohttpd-0.9.20/debian/patches/CVE-2013-7038.diff 1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.20/debian/patches/CVE-2013-7038.diff 2013-12-26 15:13:25.000000000 +0100
@@ -0,0 +1,21 @@
+Author: Christian Grothoff <christian@grothoff.org>
+Description: An out-of-bounds memory read flaw was found in the
+ MHD_http_unescape() function in libmicrohttpd. This could possibly lead to
+ information disclosure or allow a remote attacker to cause an application
+ using libmicrohttpd to crash.
+Origin: upstream, commit: 31024
+--- a/src/daemon/internal.c
++++ b/src/daemon/internal.c
+@@ -135,6 +135,12 @@
+ rpos++;
+ break;
+ case '%':
++ if ( ('\0' == rpos[1]) ||
++ ('\0' == rpos[2]) )
++ {
++ *wpos = '\0';
++ return wpos - val;
++ }
+ buf3[0] = rpos[1];
+ buf3[1] = rpos[2];
+ buf3[2] = '\0';
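Review bot: the new check stops unescaping when a '%' is followed by fewer than two bytes, writes the terminator and returns the shortened length, so a trailing '%' or '%X' is silently dropped rather than preserved or rejected; that is the safe choice against the out-of-bounds read, but it is a visible behaviour change for callers and deserves a sentence in the patch Description. The guard only handles a short tail; whether the two bytes copied into buf3 are validated as hex is left to the code below the hunk and should be checked in the stable source. A Bug-Debian: field pointing at #731933 would complete the DEP-3 header.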
diff -Nru libmicrohttpd-0.9.20/debian/patches/CVE-2013-7039.diff libmicrohttpd-0.9.20/debian/patches/CVE-2013-7039.diff
--- libmicrohttpd-0.9.20/debian/patches/CVE-2013-7039.diff 1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.20/debian/patches/CVE-2013-7039.diff 2013-12-26 15:13:18.000000000 +0100
@@ -0,0 +1,29 @@
+Author: Christian Grothoff <christian@grothoff.org>
+Description: A stack overflow flaw was found in the MHD_digest_auth_check()
+ function in libmicrohttpd. If MHD_OPTION_CONNECTION_MEMORY_LIMIT was
+ configured to allow large allocations, a remote attacker could possibly use
+ this flaw to cause an application using libmicrohttpd to crash or,
+ potentially, execute arbitrary code with the privileges of the user running
+ the application.
+Origin: upstream, commit: 30983
+--- a/src/daemon/digestauth.c
++++ b/src/daemon/digestauth.c
+@@ -608,7 +608,17 @@
+ header, "nonce")))
+ return MHD_NO;
+ left -= strlen ("nonce") + len;
+-
++ if (left > 32 * 1024)
++ {
++ /* we do not permit URIs longer than 32k, as we want to
++ make sure to not blow our stack (or per-connection
++ heap memory limit). Besides, 32k is already insanely
++ large, but of course in theory the
++ #MHD_OPTION_CONNECTION_MEMORY_LIMIT might be very large
++ and would thus permit sending a >32k authorization
++ header value. */
++ return MHD_NO;
++ }
+ {
+ char uri[left];
+
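Review bot: the fix keeps `char uri[left];`, a VLA sized from the attacker-controlled Authorization header, and bounds it by rejecting `left > 32 * 1024`; that closes the stack overflow, but 32 KiB is still a large per-request stack frame in a thread-per-connection daemon with a small thread stack, so the limit would be clearer as a named constant with the comment saying it was chosen as a stack bound rather than a URI-length policy. The hunk also removes an empty line (the lone '-' at its top), an unrelated whitespace change that is harmless but adds noise to a stable update.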
diff -Nru libmicrohttpd-0.9.20/debian/patches/series libmicrohttpd-0.9.20/debian/patches/series
--- libmicrohttpd-0.9.20/debian/patches/series 2012-05-05 10:46:37.000000000 +0200
+++ libmicrohttpd-0.9.20/debian/patches/series 2013-12-26 15:37:30.000000000 +0100
@@ -1 +1,4 @@
01-manpage.patch
+CVE-2013-7038.diff
+CVE-2013-7039.diff
+allocation_request_was_zero.diff
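Review bot: the three new patches use the .diff suffix while the existing 01-manpage.patch uses .patch and a numeric prefix; naming is cosmetic, but keeping one convention in debian/patches/series makes the stable branch easier to maintain. Ordering is fine since the patches touch different files (internal.c, digestauth.c, memorypool.c) and cannot conflict.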