CVE-2023-27371: GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function. Patch: https://git.gnunet.org/libmicrohttpd.git/commit/?id=6d6846e20bfdf4b3eb1b592c97520a532f724238): Doesn't seem like the patch is in the 0.9.76 tag?
The only change between 0.9.75 and 0.9.76 is this patch, backported from git master on top of 0.9.75 version. https://git.gnunet.org/libmicrohttpd.git/commit/?h=v0.9.76&id=e0754d1638c602382384f1eface30854b1defeec
Thanks! Please stabilize when ready then.
Version 0.9.76 was stabilized.
Thanks! Please remember to make stablereqs block the security bugs they fix. Please cleanup.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0283f56f6d4894e8fac7201f498a1074c5e1652 commit c0283f56f6d4894e8fac7201f498a1074c5e1652 Author: Karlson2k (Evgeny Grin) <k2k@narod.ru> AuthorDate: 2023-08-17 08:19:18 +0000 Commit: Arthur Zamarin <arthurzam@gentoo.org> CommitDate: 2023-08-25 17:00:00 +0000 net-libs/libmicrohttpd: drop 0.9.75 This version has vulnerability. Bug: https://bugs.gentoo.org/905326 Signed-off-by: Karlson2k (Evgeny Grin) <k2k@narod.ru> Closes: https://github.com/gentoo/gentoo/pull/32355 Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org> net-libs/libmicrohttpd/Manifest | 1 - net-libs/libmicrohttpd/libmicrohttpd-0.9.75.ebuild | 96 ---------------------- 2 files changed, 97 deletions(-)
GLSA vote: no.
