Bug 493450 (CVE-2013-7038) - <net-libs/libmicrohttpd-0.9.32 : Two Vulnerabilities (CVE-2013-{7038,7039})
Status: RESOLVED FIXED
Alias: CVE-2013-7038
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/55903/
Whiteboard: C2 [glsa]
Reported: 2013-12-06 15:31 UTC by Agostino Sarubbo
Modified: 2014-02-02 17:46 UTC
Description Agostino Sarubbo gentoo-dev 2013-12-06 15:31:40 UTC
From ${URL} :

Two vulnerabilities have been reported in libmicrohttpd, where one has an unknown impact and the other one 
can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an 
application using the library.

1) A boundary error when unescaping strings can be exploited to trigger an out-of-bound read.

2) A boundary error when handling authentication headers can be exploited to cause a stack-based buffer 
overflow by providing an overly long authentication header.

Successful exploitation of this vulnerability may allow execution of arbitrary code, but requires the 
application to explicitly raise memory limits and use MHD_digest_auth_check.

The vulnerabilities are reported in versions prior to 0.9.32.


Solution:
Update to version 0.9.32.

Provided and/or discovered by:
The vendor credits Florian Weimer.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2013-12-06 17:28:49 UTC
*libmicrohttpd-0.9.32 (03 Dec 2013)

  03 Dec 2013; Anthony G. Basile <blueness@gentoo.org>
  +libmicrohttpd-0.9.32.ebuild:
  Version bump
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-10 03:14:18 UTC
Arches, please test and mark stable:

=net-libs/libmicrohttpd-0.9.32

Target Keywords : "amd64 arm ppc ppc64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-10 13:18:07 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-12-10 13:23:47 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-12-13 09:25:20 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-12-13 09:25:38 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-12-13 09:25:44 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-12-15 09:48:40 UTC
CVE-2013-7039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7039):
  Stack-based buffer overflow in the MHD_digest_auth_check function in
  libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set
  to a large value, allows remote attackers to cause a denial of service
  (crash) or possibly execute arbitrary code via a long URI in an
  authentication header.

CVE-2013-7038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7038):
  The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow
  remote attackers to obtain sensitive information or cause a denial of
  service (crash) via unspecified vectors that trigger an out-of-bounds read.
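The first issue above is an out-of-bounds read while unescaping; the page gives no detail of the flaw in MHD_http_unescape beyond that. As an added illustration of the bug class (not libmicrohttpd's code; `unescape_bounded` and the sample inputs are constructed here), this percent-decoder decodes a `%` only when two more bytes lie inside the buffer, so a truncated escape at the end of the input is never read past.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Hypothetical helper (not a libmicrohttpd function): decode %XX escapes
 * in buf[0..len) in place and return the decoded length.
 * A decoder that reads buf[r + 1] and buf[r + 2] on every '%' and then
 * advances by 3 walks past the end of input such as "abc%" or "abc%4".
 * Here the two digits are read only after checking they are in bounds;
 * malformed or truncated escapes are copied through unchanged.
 */
size_t unescape_bounded(char *buf, size_t len)
{
    size_t r = 0, w = 0;
    while (r < len) {
        if (buf[r] == '%' && len - r >= 3) {
            int hi = hex_val((unsigned char)buf[r + 1]);
            int lo = hex_val((unsigned char)buf[r + 2]);
            if (hi >= 0 && lo >= 0) {
                buf[w++] = (char)(hi * 16 + lo);
                r += 3;
                continue;
            }
        }
        buf[w++] = buf[r++];
    }
    return w;
}

int main(void)
{
    /* Constructed inputs; the last two end in a truncated escape. */
    const char *samples[] = { "a%20b", "abc%", "abc%4" };
    for (size_t i = 0; i < 3; i++) {
        char buf[16];
        size_t len = strlen(samples[i]);
        memcpy(buf, samples[i], len);
        size_t n = unescape_bounded(buf, len);
        printf("%-6s -> %.*s (%zu bytes)\n", samples[i], (int)n, buf, n);
    }
    return 0;
}
```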
Comment 9 Sergey Popov gentoo-dev 2013-12-15 09:49:13 UTC
Thanks for your work.

GLSA vote: yes
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-01 21:36:17 UTC
GLSA vote: yes.

glsa request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-02-02 17:46:28 UTC
This issue was resolved and addressed in
 GLSA 201402-01 at http://security.gentoo.org/glsa/glsa-201402-01.xml
by GLSA coordinator Mikle Kolyada (Zlogene).