Bug#1033529: unblock: libmicrohttpd/0.9.75-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: libmicrohttpd@packages.debian.org, Daniel Baumann <daniel.baumann@progress-linux.org>, carnil@debian.org
Control: affects -1 + src:libmicrohttpd
Dear release team,
Please unblock package libmicrohttpd
The new version in unstable fixes CVE-2023-27371, a denial of service
vulnerability, which got fixed targeted by picking the upstream commit
for it. No other changes were applied.
As the package is a key package it needs now a manual approval for
unblock. It was already long enough in unstable, and passes the
autopkgtest runs.
unblock libmicrohttpd/0.9.75-6
Regards,
Salvatore
diff -Nru libmicrohttpd-0.9.75/debian/changelog libmicrohttpd-0.9.75/debian/changelog
--- libmicrohttpd-0.9.75/debian/changelog 2023-01-30 17:30:27.000000000 +0100
+++ libmicrohttpd-0.9.75/debian/changelog 2023-03-03 14:51:24.000000000 +0100
@@ -1,3 +1,11 @@
+libmicrohttpd (0.9.75-6) sid; urgency=high
+
+ * Uploading to sid.
+ * Adding patch from libmicrohttpd 0.9.76 to fix a parser bug that could
+ be used to crash servers using the MHD_PostProcessor [CVE-2023-27371].
+
+ -- Daniel Baumann <daniel.baumann@progress-linux.org> Fri, 03 Mar 2023 14:51:24 +0100
+
libmicrohttpd (0.9.75-5) sid; urgency=medium
* Uploading to sid.
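Review bot: the changelog entry names the CVE and the upstream release (0.9.76) the patch was taken from, but does not reference a Debian bug; if one was filed for CVE-2023-27371, add a `Closes: #<bug>` to this entry so the BTS is updated by the upload. urgency=high is appropriate for a security-only upload.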
diff -Nru libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch
--- libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.75/debian/patches/debian/0001-PostProcessor-DoS.patch 2023-03-03 14:47:29.000000000 +0100
@@ -0,0 +1,22 @@
+Author: Christian Grothoff <christian@grothoff.org>
+Description: fix parser bug that could be used to crash servers using the MHD_PostProcessor
+ Fix potential DoS vector in MHD_PostProcessor discovered
+ by Gynvael Coldwind and Dejan Alvadzijevic [CVE-2023-27371].
+ .
+ While the researchers have not been able to exploit this attack vector
+ when libmicrohttpd is compiled with the standard GNU C library, it is
+ recommended that you update MHD as soon as possible if PostProcessor
+ functionality is used in your applications.
+
+diff -Naurp libmicrohttpd.orig/src/microhttpd/postprocessor.c libmicrohttpd/src/microhttpd/postprocessor.c
+--- libmicrohttpd.orig/src/microhttpd/postprocessor.c
++++ libmicrohttpd/src/microhttpd/postprocessor.c
+@@ -297,7 +297,7 @@ MHD_create_post_processor (struct MHD_Co
+ return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+- if ( (blen == 0) ||
++ if ( (blen < 2) ||
+ (blen * 2 + 2 > buffer_size) )
+ return NULL; /* (will be) out of memory or invalid boundary */
+ if ( (boundary[0] == '"') &&
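Review bot: the patch header carries only `Author:` and `Description:` and no DEP-3 `Origin:` or `Bug:` line; since the changelog states this comes from upstream 0.9.76, record the upstream commit (or release URL) in an `Origin: upstream, ...` field so the backport can be traced. The functional change is the single bound `blen == 0` to `blen < 2`, which rejects a one-byte boundary before it reaches the quote-handling branch that starts at `if ( (boundary[0] == '"') &&`; the rest of the patch is documentation, so the diff is minimal and easy to review.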
diff -Nru libmicrohttpd-0.9.75/debian/patches/series libmicrohttpd-0.9.75/debian/patches/series
--- libmicrohttpd-0.9.75/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.75/debian/patches/series 2023-03-03 14:47:34.000000000 +0100
@@ -0,0 +1 @@
+debian/0001-PostProcessor-DoS.patch