Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 907934 (CVE-2023-26130) - <dev-cpp/cpp-httplib-0.12.4: clrf injection
Summary: <dev-cpp/cpp-httplib-0.12.4: clrf injection
Status: RESOLVED FIXED
Alias: CVE-2023-26130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/yhirose/cpp-httpli...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-06 04:29 UTC by John Helmert III
Modified: 2023-09-29 12:23 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 04:29:48 UTC 
CVE-2023-26130 (https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280)

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.

**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).

Patch: https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08

Please stabilize 0.12.4.
Comment 1 Maciej Barć gentoo-dev 2023-08-23 19:48:54 UTC 
0.12.6 is already stable.