Bug 778296 (CVE-2021-3466)

Summary: =net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability (CVE-2021-3466)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: major
CC: blueness, k2k, stasibear
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 01:34:28 UTC
CVE-2021-3466 (https://bugzilla.redhat.com/show_bug.cgi?id=1939127):

A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Please stabilize 0.9.71.
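As an added illustration of the defect class named in the CVE text above (a decoder that copies url-encoded POST data into a fixed buffer without checking that it fits), and not libmicrohttpd's own code: a small C decoder for one key=value pair of an application/x-www-form-urlencoded body that rejects input which would not fit instead of writing past the buffer. Buffer sizes and function names are assumptions made for the example.

```c
/* Added example, not libmicrohttpd's code: decode one key=value pair of an
 * application/x-www-form-urlencoded body into fixed-size buffers, refusing any
 * write past their capacity (the defect class the CVE text describes). */
#include <string.h>

#define KEY_MAX 16 /* deliberately small so overlong input is easy to test */
#define VAL_MAX 16

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode src[0..len) until 'stop' or '&' into dst (capacity cap, NUL incl.).
 * Returns bytes of input consumed, or -1 on overflow or malformed escape. */
static int decode_component(const char *src, size_t len, char stop,
                            char *dst, size_t cap)
{
    size_t i = 0, o = 0;
    if (cap == 0) return -1;
    while (i < len && src[i] != stop && src[i] != '&') {
        char c = src[i];
        if (c == '%') {                 /* need two hex digits after '%' */
            int hi, lo;
            if (i + 2 >= len) return -1;
            hi = hexval(src[i + 1]); lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (char)(hi * 16 + lo); i += 3;
        } else { if (c == '+') c = ' '; i++; }
        if (o + 1 >= cap) return -1;    /* the bounds check: keep room for NUL */
        dst[o++] = c;
    }
    dst[o] = '\0';
    return (int)i;
}

/* Returns 0 on success, -1 if the pair does not fit or is malformed. */
int parse_pair(const char *body, size_t len, char *key, size_t kcap,
               char *val, size_t vcap)
{
    int n = decode_component(body, len, '=', key, kcap);
    if (n < 0) return -1;
    size_t pos = (size_t)n;
    if (pos < len && body[pos] == '=') pos++;   /* skip the separator */
    return decode_component(body + pos, len - pos, '&', val, vcap) < 0 ? -1 : 0;
}
```

A value of exactly VAL_MAX-1 bytes is the largest that is accepted; one byte more is refused rather than silently truncated or written out of bounds.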
Comment 1 Karlson2k 2021-03-26 05:40:30 UTC
Only one version is affected: 0.9.70.
See the Red Hat bug tracker.
Comment 2 Karlson2k 2021-03-26 09:03:09 UTC
Version 0.9.71 has some breaking (for C++ applications) API changes (return type changed from 'int' to 'enum').
The .ebuild for 0.9.71 was not fixed and contains an unneeded 'libgcrypt' dependency. The ebuild files for 0.9.65-r1, 0.9.68-r1, and 0.9.72 are correct and do not have unneeded dependencies.

Version 0.9.72 has additional fixes:
https://lists.gnu.org/archive/html/info-gnu/2020-12/msg00012.html

I suggest masking version 0.9.70, stabilizing version 0.9.72, and correcting the .ebuild files of old dependent packages to depend on <=0.9.69.
New packages (including Kodi) work fine with new libmicrohttpd versions (>=0.9.71).
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-26 14:30:17 UTC
Is there a tracker for the breakage, then? Stabilization here will be blocked by packages which are broken with the stabilization candidate.
Comment 4 Karlson2k 2021-03-27 13:17:54 UTC
No bug has been created so far as a tracker for the breakage.
Comment 5 Karlson2k 2021-03-29 21:05:44 UTC
Tracker bug:
https://bugs.gentoo.org/779151
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-29 21:09:38 UTC
(In reply to Karlson2k from comment #5)
> Tracker bug:
> https://bugs.gentoo.org/779151

Thanks!
Comment 7 Karlson2k 2021-03-30 16:31:50 UTC
I've checked all the MHD-dependent packages.
See https://bugs.gentoo.org/779151#c18

Only two packages (and one masked) are not ready for 0.9.72: dev-cpp/libjson-rpc-cpp-1.3.0[http-server] and net-p2p/xmr-stak-rx[webserver] (1.0.4, 1.0.5).
Both packages are unstable. (And nothing in the repo is using libjson-rpc-cpp.)
I suggest making them depend on '<libmicrohttpd-0.9.70' and stabilizing 0.9.72.
Comment 8 Anthony Basile gentoo-dev 2021-04-01 11:37:10 UTC
Go ahead and stabilize libmicrohttpd-0.9.72.
Comment 9 Thomas Deutschmann gentoo-dev 2021-04-01 21:36:31 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-04-02 10:35:58 UTC
sparc stable
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:07:57 UTC
arm64 done
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:08:55 UTC
arm done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:11:02 UTC
amd64 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:14:48 UTC
ppc done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-02 14:14:56 UTC
ppc64 done

all arches done
Comment 16 Anthony Basile gentoo-dev 2021-04-06 11:11:48 UTC
(In reply to Sam James from comment #15)
> ppc64 done
> 
> all arches done

I've removed the vulnerable versions.
Comment 17 Andreas Sturmlechner gentoo-dev 2021-04-06 11:38:54 UTC
sc2mpd-1.1.7.ebuild has:

> <=net-libs/libmicrohttpd-0.9.70
Comment 18 Larry the Git Cow gentoo-dev 2021-04-06 12:43:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5

commit 9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-04-06 12:36:54 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-06 12:43:02 +0000

    net-libs/libmicrohttpd: Revert remove vulnerable 0.9.68-r1, bug #778296
    
    Partially reverts commit 79c54c122b2d260d80716930b04c66d43affa411 to fix CI,
    with KEYWORDS="amd64 x86" just for media-sound/sc2mpd.
    
    Bug: https://bugs.gentoo.org/778296
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libmicrohttpd/Manifest                    |  1 +
 .../libmicrohttpd/libmicrohttpd-0.9.68-r1.ebuild   | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 19 Karlson2k 2021-04-06 12:54:51 UTC
There is only one vulnerable version: 0.9.70.

Versions <=0.9.69 and >=0.9.71 are fine.

See https://bugzilla.redhat.com/show_bug.cgi?id=1939127#c3 (Comment 3)

There is no need to remove anything except 0.9.70.
Comment 20 Karlson2k 2021-04-06 12:56:33 UTC
(In reply to Andreas Sturmlechner from comment #17)
> sc2mpd-1.1.7.ebuild has:
> 
> > <=net-libs/libmicrohttpd-0.9.70

sc2mpd needs to be updated to the new upstream version 1.1.8, which adapted to the new libmicrohttpd API.
Comment 21 NATTkA bot gentoo-dev 2021-07-29 17:23:31 UTC Comment hidden (obsolete)
Comment 22 NATTkA bot gentoo-dev 2021-07-29 17:31:53 UTC Comment hidden (obsolete)
Comment 23 NATTkA bot gentoo-dev 2021-07-29 17:39:48 UTC Comment hidden (obsolete)
Comment 24 NATTkA bot gentoo-dev 2021-07-29 17:47:58 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-07-29 18:03:55 UTC Comment hidden (obsolete)
Comment 26 NATTkA bot gentoo-dev 2021-07-29 18:12:13 UTC
Package list is empty or all packages have requested keywords.
Comment 27 Karlson2k 2021-12-04 13:46:23 UTC
The CVE should be updated soon to indicate a single vulnerable version 0.9.71.
After my request, the Red Hat security team updated its internal records and asked MITRE to update the CVE description.
As soon as the CVE is updated, this bug should be renamed to '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability (CVE-2021-3466)'.
Comment 28 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-04 17:08:20 UTC
(In reply to Karlson2k from comment #27)
> The CVE should be updated soon to indicate a single vulnerable version
> 0.9.71.
> After my request, Red Hat security team updated internal records and
> requested Mitre to update CVE description.
> As soon as CVE is updated, this bug should be renamed to
> '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability
> (CVE-2021-3466)'

You're right. Thanks!