
Bug#1067544: marked as done (bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1)



Your message dated Sat, 29 Jun 2024 10:47:46 +0000
with message-id <E1sNVcQ-002bqo-TD@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1067544,
regarding bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1067544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067544
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. It is marked as no-dsa by the security team.

The fix was uploaded to Buster about a year ago and nobody has complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I am catching up on this now.

  Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog	2021-02-27 06:47:48.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/changelog	2024-03-23 12:03:02.000000000 +0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27371
+    parsing crafted POST requests result in an out of bounds read, which
+    might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sat, 23 Mar 2024 12:03:02 +0100
+
 libmicrohttpd (0.9.72-2) sid; urgency=medium
 
   * Uploading to sid.
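Review bot: the changelog wording "parsing crafted POST requests result in an out of bounds read" has a subject/verb mismatch and should read "results in"; while touching it, consider citing the upstream fix commit (e0754d1638c602382384f1eface30854b1defeec, visible in the patch header) so the entry points at the origin of the change, e.g. "CVE-2023-27371: parsing crafted POST requests results in an out-of-bounds read (upstream commit e0754d16)".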
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch	2023-03-29 19:22:12.000000000 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c |  2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===================================================================
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c	2023-03-29 19:22:08.888629726 +0200
++++ libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c	2023-03-29 19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+       return NULL; /* failed to determine boundary */
+     boundary += MHD_STATICSTR_LEN_ ("boundary=");
+     blen = strlen (boundary);
+-    if ( (blen == 0) ||
++    if ( (blen < 2) ||
+          (blen * 2 + 2 > buffer_size) )
+       return NULL;              /* (will be) out of memory or invalid boundary */
+     if ( (boundary[0] == '"') &&
diff -Nru libmicrohttpd-0.9.72/debian/patches/series libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/patches/series	2023-03-29 19:21:28.000000000 +0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch

--- End Message ---
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---
