A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Please stabilize 0.9.71.
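The CVE text above attributes the overflow to a missing bounds check in libmicrohttpd's urlencoded POST processor. As an added illustration of the class of check involved (this is not libmicrohttpd's code and not a reconstruction of the actual flaw), the following small streaming parser for application/x-www-form-urlencoded bodies decodes values into a fixed-size buffer and hands the buffer to a callback every time it fills, so an over-long value is delivered in chunks instead of being written past the end of the buffer. The function names, the tiny VALUE_BUF size and the sample body are all this example's own constructed choices.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately tiny so that a realistic value exceeds it and chunking is exercised. */
#define VALUE_BUF 8

/* Called once per value chunk; `last` is set on the final chunk of a pair. */
typedef void (*value_cb)(void *cls, const char *key, size_t klen,
                         const char *chunk, size_t clen, int last);

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Streams a urlencoded body through a fixed-size buffer. Keys are passed
 * undecoded (a simplification of this example); values are %XX- and '+'-decoded.
 * Returns the number of key/value pairs seen. */
size_t process_urlencoded(const char *data, size_t len, value_cb cb, void *cls)
{
    size_t i = 0, pairs = 0;
    while (i < len) {
        const char *key = data + i;
        size_t klen = 0;
        while (i < len && data[i] != '=' && data[i] != '&') { i++; klen++; }
        int has_value = (i < len && data[i] == '=');
        if (has_value) i++;
        if (klen == 0 && !has_value) {      /* stray '&': nothing to report */
            if (i < len) i++;
            continue;
        }
        char buf[VALUE_BUF];
        size_t vlen = 0;
        while (i < len && data[i] != '&') {
            int c = (unsigned char)data[i++];
            if (c == '+') {
                c = ' ';
            } else if (c == '%' && i + 1 < len) {
                int hi = hexval((unsigned char)data[i]);
                int lo = hexval((unsigned char)data[i + 1]);
                if (hi >= 0 && lo >= 0) { c = hi * 16 + lo; i += 2; }
            }
            /* The bounds check: when buf is full, hand the chunk to the
             * callback before storing another byte, instead of writing
             * past the end of buf. */
            if (vlen == sizeof buf) {
                cb(cls, key, klen, buf, vlen, 0);
                vlen = 0;
            }
            buf[vlen++] = (char)c;
        }
        cb(cls, key, klen, buf, vlen, 1);   /* final (possibly empty) chunk */
        pairs++;
        if (i < len) i++;                   /* skip the '&' separator */
    }
    return pairs;
}

/* Reassembles what the callback delivers as "key=value;" so the result can
 * be checked, and records chunk statistics. */
struct collect {
    char out[128];
    size_t n, pairs, chunks, maxchunk;
    int in_pair;
};

static void append(struct collect *c, const char *s, size_t len)
{
    if (c->n + len >= sizeof c->out) return;   /* the collector's own bound */
    memcpy(c->out + c->n, s, len);
    c->n += len;
    c->out[c->n] = '\0';
}

static void collect_cb(void *cls, const char *key, size_t klen,
                       const char *chunk, size_t clen, int last)
{
    struct collect *c = (struct collect *)cls;
    if (!c->in_pair) { append(c, key, klen); append(c, "=", 1); c->in_pair = 1; }
    append(c, chunk, clen);
    c->chunks++;
    if (clen > c->maxchunk) c->maxchunk = clen;
    if (last) { append(c, ";", 1); c->in_pair = 0; }
}

/* Constructed body: the second value decodes to 19 bytes, more than twice
 * VALUE_BUF, so it arrives in chunks of 8, 8 and 3. */
const char *demo(struct collect *c)
{
    static const char body[] = "user=alice&msg=hello%20world%2C+again%21&empty=&flag";
    memset(c, 0, sizeof *c);
    c->pairs = process_urlencoded(body, sizeof body - 1, collect_cb, c);
    return c->out;
}

int main(void)
{
    struct collect c;
    printf("%s\n", demo(&c));   /* user=alice;msg=hello world, again!;empty=;flag=; */
    printf("%zu pairs, %zu chunks, largest chunk %zu\n", c.pairs, c.chunks, c.maxchunk);
    return 0;
}
```

The point to take from it is the single comparison before `buf[vlen++]`: remove that flush and a value longer than VALUE_BUF walks straight off the end of the stack buffer, which is exactly the shape of bug the CVE text describes, regardless of how libmicrohttpd's own processor is laid out.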
Only one version is affected: 0.9.70.
See the Red Hat bug tracker.
Version 0.9.71 has some breaking (for C++ applications) API changes (return type changed from 'int' to 'enum').
The .ebuild for 0.9.71 was not fixed and contains an unneeded 'libgcrypt' dependency. The ebuild files for 0.9.65-r1, 0.9.68-r1, and 0.9.72 are correct and do not have unneeded dependencies.
Version 0.9.72 has additional fixes:
I suggest masking version 0.9.70, stabilizing version 0.9.72, and correcting the .ebuild files of old dependent packages to depend on <=0.9.69.
New packages (including Kodi) work fine with new libmicrohttpd versions (>=0.9.71).
Is there a tracker for the breakage, then? Stabilization here will be blocked by packages which are broken with the stabilization candidate.
No bug has been created so far as tracker for the breakage.
(In reply to Karlson2k from comment #5)
> Tracker bug:
I've checked all the MHD-dependent packages.
There are only two packages (and one masked) that are not ready for 0.9.72: dev-cpp/libjson-rpc-cpp-1.3.0[http-server] and net-p2p/xmr-stak-rx[webserver] (1.0.4, 1.0.5).
Both packages are unstable. (And nothing in the repo is using libjson-rpc-cpp.)
I suggest making them depend on '<libmicrohttpd-0.9.70' and stabilizing 0.9.72.
Go ahead and stabilize libmicrohttpd-0.9.72.
all arches done
(In reply to Sam James from comment #15)
> ppc64 done
> all arches done
I've removed the vulnerable versions.
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <email@example.com>
AuthorDate: 2021-04-06 12:36:54 +0000
Commit: Andreas Sturmlechner <firstname.lastname@example.org>
CommitDate: 2021-04-06 12:43:02 +0000
net-libs/libmicrohttpd: Revert remove vulnerable 0.9.68-r1, bug #778296
Partially reverts commit 79c54c122b2d260d80716930b04c66d43affa411 to fix CI,
with KEYWORDS="amd64 x86" just for media-sound/sc2mpd.
Signed-off-by: Andreas Sturmlechner <email@example.com>
net-libs/libmicrohttpd/Manifest | 1 +
.../libmicrohttpd/libmicrohttpd-0.9.68-r1.ebuild | 56 ++++++++++++++++++++++
2 files changed, 57 insertions(+)
There is only one vulnerable version: 0.9.70.
Versions <=0.9.69 and >=0.9.71 are fine.
See https://bugzilla.redhat.com/show_bug.cgi?id=1939127#c3 (Comment 3)
There is no need to remove anything except 0.9.70.
(In reply to Andreas Sturmlechner from comment #17)
> sc2mpd-1.1.7.ebuild has:
> > <=net-libs/libmicrohttpd-0.9.70
sc2mpd needs to be updated to the new upstream version 1.1.8, which adapted to the new libmicrohttpd API.
Package list is empty or all packages have requested keywords.
The CVE should be updated soon to indicate a single vulnerable version, 0.9.71.
After my request, the Red Hat security team updated their internal records and requested that MITRE update the CVE description.
As soon as the CVE is updated, this bug should be renamed to '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability (CVE-2021-3466)'.
(In reply to Karlson2k from comment #27)
> The CVE should be updated soon to indicate a single vulnerable version
> After my request, Red Hat security team updated internal records and
> requested Mitre to update CVE description.
> As soon as CVE is updated, this bug should be renamed to
> '=net-libs/libmicrohttpd-0.9.70: buffer overflow vulnerability
You're right. Thanks!