CVE-2021-3466 (https://bugzilla.redhat.com/show_bug.cgi?id=1939127): A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Please stabilize 0.9.71.
The only one version is affected, it is 0.9.70. See redhat bugtracker.
Version 0.9.71 has some breaking (for C++ applications) API changes (return type changed from 'int' to 'enum'). .build for 0.9.71 was not fixed and contains unneeded 'libgcrypt' dependency. ebuild files for 0.9.65-r1, 0.9.68-r1, and 0.9.72 are correct and do not have unneeded dependencies. Version 0.9.72 has additional fixes: https://lists.gnu.org/archive/html/info-gnu/2020-12/msg00012.html I suggest to mask version 0.9.70, stabilize version 0.9.72 and correct .ebuild files for old dependent packages to depend on <=0.9.69. New packages (including Kodi) work fine with new libmicrohttpd versions (>=0.9.71).
Is there a tracker for the breakage, then? Stabilization here will be blocked by packages which are broken with the stabilization candidate.
No bug has been created so far as tracker for the breakage.
Tracker bug: https://bugs.gentoo.org/779151
(In reply to Karlson2k from comment #5) > Tracker bug: > https://bugs.gentoo.org/779151 Thanks!
I've checked the all MHD dependent packages. See https://bugs.gentoo.org/779151#c18 There are only two packages (and one masked) are not ready for 0.9.72: dev-cpp/libjson-rpc-cpp-1.3.0[http-server] and net-p2p/xmr-stak-rx[webserver] (1.0.4, 1.0.5). Both packages are unstable. (And nothing in repo is using libjson-rpc-cpp) I suggest to make them dependent on '<libmicrohttpd-0.9.70' and stabilize 0.9.72.
Go ahead and stabilize libmicrohttpd-0.9.72.
x86 stable
sparc stable
arm64 done
arm done
amd64 done
ppc done
ppc64 done all arches done
(In reply to Sam James from comment #15) > ppc64 done > > all arches done I've removed the vulnerable versions.
sc2mpd-1.1.7.ebuild has: > <=net-libs/libmicrohttpd-0.9.70
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5 commit 9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2021-04-06 12:36:54 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2021-04-06 12:43:02 +0000 net-libs/libmicrohttpd: Revert remove vulnerable 0.9.68-r1, bug #778296 Partially reverts commit 79c54c122b2d260d80716930b04c66d43affa411 to fix CI, with KEYWORDS="amd64 x86" just for media-sound/sc2mpd. Bug: https://bugs.gentoo.org/778296 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> net-libs/libmicrohttpd/Manifest | 1 + .../libmicrohttpd/libmicrohttpd-0.9.68-r1.ebuild | 56 ++++++++++++++++++++++ 2 files changed, 57 insertions(+)
There is the only one vulnerable version, it is 0.9.70. Versions <=0.9.69 and >=0.9.71 are fine. See https://bugzilla.redhat.com/show_bug.cgi?id=1939127#c3 (Comment 3) There is no need to remove anything except 0.9.70.
(In reply to Andreas Sturmlechner from comment #17) > sc2mpd-1.1.7.ebuild has: > > > <=net-libs/libmicrohttpd-0.9.70 sc2mpd needs to be updated to the new upstream version 1.1.8, which adapted new libmicrohttpd API.
Package list is empty or all packages have requested keywords.
The CVE should be updated soon to indicate a single vulnerable version 0.9.71. After my request, Red Hat security team updated internal records and requested Mitre to update CVE description. As soon as CVE is updated, this bug should be renamed to '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability (CVE-2021-3466)'
(In reply to Karlson2k from comment #27) > The CVE should be updated soon to indicate a single vulnerable version > 0.9.71. > After my request, Red Hat security team updated internal records and > requested Mitre to update CVE description. > As soon as CVE is updated, this bug should be renamed to > '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability > (CVE-2021-3466)' You're right. Thanks!
The vulnerable version was removed. Is it time to close this bug?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3d0750616dcb6c14747e2f197551d91997c56fc6 commit 3d0750616dcb6c14747e2f197551d91997c56fc6 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-11-25 08:29:39 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-11-25 08:30:39 +0000 [ GLSA 202311-08 ] GNU Libmicrohttpd: Buffer Overflow Vulnerability Bug: https://bugs.gentoo.org/778296 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202311-08.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)
