Bug 905326 (CVE-2023-27371) - <net-libs/libmicrohttpd-0.9.76: DoS via multipart form mishandling
Summary: <net-libs/libmicrohttpd-0.9.76: DoS via multipart form mishandling
Alias: CVE-2023-27371
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 907351
Reported: 2023-04-29 20:45 UTC by John Helmert III
Modified: 2023-09-17 12:08 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 20:45:35 UTC

GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.


Doesn't seem like the patch is in the 0.9.76 tag?
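
A defensive check for the condition the description names (a '\0' byte inside the multipart/form-data boundary), given here as an added example; it is not the libmicrohttpd patch or any Gentoo code. The function names are hypothetical, and the permitted character set and 70-byte limit are taken from RFC 2046, which the report itself does not cite.

```c
#include <stdio.h>
#include <string.h>

/* RFC 2046 "bchars": the only bytes allowed in a multipart boundary. */
static int is_bchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("'()+_,-./:=? ", c) != NULL;
}

/* 1 if b[0..len) is 1..70 bchars and does not end in a space, else 0. */
int boundary_is_valid(const unsigned char *b, size_t len)
{
    if (len == 0 || len > 70 || b[len - 1] == ' ')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!is_bchar(b[i]))
            return 0;
    return 1;
}

/* Hypothetical pre-filter. hdr is length-delimited (it may hold NUL bytes), so
 * no str*() scanning; only lowercase "boundary=" is matched, else fail closed. */
int content_type_boundary_ok(const char *hdr, size_t hdr_len)
{
    static const char key[] = "boundary=";
    size_t klen = sizeof(key) - 1, i = 0, start, end;
    while (i + klen <= hdr_len && memcmp(hdr + i, key, klen) != 0)
        i++;
    if (i + klen > hdr_len)
        return 0;                       /* no boundary parameter */
    start = end = i + klen;
    if (start < hdr_len && hdr[start] == '"') {
        for (end = ++start; end < hdr_len && hdr[end] != '"'; end++) {}
        if (end == hdr_len)
            return 0;                   /* unterminated quoted value */
    } else {
        while (end < hdr_len && hdr[end] != ';')
            end++;
    }
    return boundary_is_valid((const unsigned char *)hdr + start, end - start);
}

int main(void)
{
    static const char bad[] = "multipart/form-data; boundary=ab\0cd"; /* constructed */
    printf("NUL in boundary accepted: %d\n", content_type_boundary_ok(bad, sizeof bad - 1));
}
```

The header length has to come from the HTTP parser rather than from strlen(), since a length taken with strlen() would stop at the embedded NUL and hide it from the check.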
Comment 1 Karlson2k 2023-05-01 11:32:06 UTC
The only change between 0.9.75 and 0.9.76 is this patch, backported from git master on top of 0.9.75 version.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 16:39:39 UTC
Thanks! Please stabilize when ready then.
Comment 3 Karlson2k 2023-06-06 10:10:20 UTC
Version 0.9.76 was stabilized.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-12 04:29:43 UTC
Thanks! Please remember to make stablereqs block the security bugs they fix.

Please clean up.
Comment 5 Larry the Git Cow gentoo-dev 2023-08-25 17:00:11 UTC
The bug has been referenced in the following commit(s):

commit c0283f56f6d4894e8fac7201f498a1074c5e1652
Author:     Karlson2k (Evgeny Grin) <>
AuthorDate: 2023-08-17 08:19:18 +0000
Commit:     Arthur Zamarin <>
CommitDate: 2023-08-25 17:00:00 +0000

    net-libs/libmicrohttpd: drop 0.9.75
    This version has vulnerability.
    Signed-off-by: Karlson2k (Evgeny Grin) <>
    Signed-off-by: Arthur Zamarin <>

 net-libs/libmicrohttpd/Manifest                    |  1 -
 net-libs/libmicrohttpd/libmicrohttpd-0.9.75.ebuild | 96 ----------------------
 2 files changed, 97 deletions(-)
Comment 6 Hans de Graaff gentoo-dev Security 2023-09-09 08:13:10 UTC
GLSA vote: no.