Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 778296 (CVE-2021-3466) - <net-libs/libmicrohttpd-0.9.71: buffer overflow vulnerability (CVE-2021-3466)
Summary: <net-libs/libmicrohttpd-0.9.71: buffer overflow vulnerability (CVE-2021-3466)
Status: IN_PROGRESS
Alias: CVE-2021-3466
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-26 01:34 UTC by John Helmert III
Modified: 2021-07-29 18:12 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-26 01:34:28 UTC
CVE-2021-3466 (https://bugzilla.redhat.com/show_bug.cgi?id=1939127):

A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.


Please stabilize 0.9.71.
Comment 1 Karlson2k 2021-03-26 05:40:30 UTC
The only one version is affected, it is 0.9.70.
See redhat bugtracker.
Comment 2 Karlson2k 2021-03-26 09:03:09 UTC
Version 0.9.71 has some breaking (for C++ applications) API changes (return type changed from 'int' to 'enum').
.build for 0.9.71 was not fixed and contains unneeded 'libgcrypt' dependency. ebuild files for 0.9.65-r1, 0.9.68-r1, and 0.9.72 are correct and do not have unneeded dependencies.

Version 0.9.72 has additional fixes:
https://lists.gnu.org/archive/html/info-gnu/2020-12/msg00012.html

I suggest to mask version 0.9.70, stabilize version 0.9.72 and correct .ebuild files for old dependent packages to depend on <=0.9.69.
New packages (including Kodi) work fine with new libmicrohttpd versions (>=0.9.71).
Comment 3 John Helmert III gentoo-dev Security 2021-03-26 14:30:17 UTC
Is there a tracker for the breakage, then? Stabilization here will be blocked by packages which are broken with the stabilization candidate.
Comment 4 Karlson2k 2021-03-27 13:17:54 UTC
No bug has been created so far as tracker for the breakage.
Comment 5 Karlson2k 2021-03-29 21:05:44 UTC
Tracker bug:
https://bugs.gentoo.org/779151
Comment 6 John Helmert III gentoo-dev Security 2021-03-29 21:09:38 UTC
(In reply to Karlson2k from comment #5)
> Tracker bug:
> https://bugs.gentoo.org/779151

Thanks!
Comment 7 Karlson2k 2021-03-30 16:31:50 UTC
I've checked the all MHD dependent packages.
See https://bugs.gentoo.org/779151#c18

There are only two packages (and one masked) are not ready for 0.9.72: dev-cpp/libjson-rpc-cpp-1.3.0[http-server] and net-p2p/xmr-stak-rx[webserver] (1.0.4, 1.0.5).
Both packages are unstable. (And nothing in repo is using libjson-rpc-cpp)
I suggest to make them dependent on '<libmicrohttpd-0.9.70' and stabilize 0.9.72.
Comment 8 Anthony Basile gentoo-dev 2021-04-01 11:37:10 UTC
Go ahead and stabilize libmicrohttpd-0.9.72.
Comment 9 Thomas Deutschmann gentoo-dev Security 2021-04-01 21:36:31 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-04-02 10:35:58 UTC
sparc stable
Comment 11 Sam James archtester gentoo-dev Security 2021-04-02 14:07:57 UTC
arm64 done
Comment 12 Sam James archtester gentoo-dev Security 2021-04-02 14:08:55 UTC
arm done
Comment 13 Sam James archtester gentoo-dev Security 2021-04-02 14:11:02 UTC
amd64 done
Comment 14 Sam James archtester gentoo-dev Security 2021-04-02 14:14:48 UTC
ppc done
Comment 15 Sam James archtester gentoo-dev Security 2021-04-02 14:14:56 UTC
ppc64 done

all arches done
Comment 16 Anthony Basile gentoo-dev 2021-04-06 11:11:48 UTC
(In reply to Sam James from comment #15)
> ppc64 done
> 
> all arches done

I've removed the vulnerable versions.
Comment 17 Andreas Sturmlechner gentoo-dev 2021-04-06 11:38:54 UTC
sc2mpd-1.1.7.ebuild has:

> <=net-libs/libmicrohttpd-0.9.70
Comment 18 Larry the Git Cow gentoo-dev 2021-04-06 12:43:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5

commit 9f8a8f3ecf02f25260c1728abaafe4ddcdd7b0e5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-04-06 12:36:54 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-04-06 12:43:02 +0000

    net-libs/libmicrohttpd: Revert remove vulnerable 0.9.68-r1, bug #778296
    
    Partially reverts commit 79c54c122b2d260d80716930b04c66d43affa411 to fix CI,
    with KEYWORDS="amd64 x86" just for media-sound/sc2mpd.
    
    Bug: https://bugs.gentoo.org/778296
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-libs/libmicrohttpd/Manifest                    |  1 +
 .../libmicrohttpd/libmicrohttpd-0.9.68-r1.ebuild   | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 19 Karlson2k 2021-04-06 12:54:51 UTC
There is the only one vulnerable version, it is 0.9.70.

Versions <=0.9.69 and >=0.9.71 are fine.

See https://bugzilla.redhat.com/show_bug.cgi?id=1939127#c3 (Comment 3)

There is no need to remove anything except 0.9.70.
Comment 20 Karlson2k 2021-04-06 12:56:33 UTC
(In reply to Andreas Sturmlechner from comment #17)
> sc2mpd-1.1.7.ebuild has:
> 
> > <=net-libs/libmicrohttpd-0.9.70

sc2mpd needs to be updated to the new upstream version 1.1.8, which adapted new libmicrohttpd API.
Comment 21 NATTkA bot gentoo-dev 2021-07-29 17:23:31 UTC Comment hidden (obsolete)
Comment 22 NATTkA bot gentoo-dev 2021-07-29 17:31:53 UTC Comment hidden (obsolete)
Comment 23 NATTkA bot gentoo-dev 2021-07-29 17:39:48 UTC Comment hidden (obsolete)
Comment 24 NATTkA bot gentoo-dev 2021-07-29 17:47:58 UTC Comment hidden (obsolete)
Comment 25 NATTkA bot gentoo-dev 2021-07-29 18:03:55 UTC Comment hidden (obsolete)
Comment 26 NATTkA bot gentoo-dev 2021-07-29 18:12:13 UTC
Package list is empty or all packages have requested keywords.