Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. It is marked as no-dsa by the security team.

The fix was uploaded to Buster about a year ago and nobody has complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I am catching up on this now.

  Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog 
libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog       2021-02-27 06:47:48.000000000 
+0100
+++ libmicrohttpd-0.9.72/debian/changelog       2024-03-23 12:03:02.000000000 
+0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27371
+    parsing crafted POST requests result in an out of bounds read, which
+    might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sat, 23 Mar 2024 12:03:02 +0100
+
 libmicrohttpd (0.9.72-2) sid; urgency=medium
 
   * Uploading to sid.
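Review bot: the bug description in the new changelog entry has a number-agreement slip; "parsing crafted POST requests result in an out of bounds read" should read "results in". While touching it, the entry could also name the component (the MHD_PostProcessor multipart boundary parsing, per the patch subject) and the upstream commit e0754d1638c602382384f1eface30854b1defeec so that the changelog alone tells a reader where the fix came from.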
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 
libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch    1970-01-01 
01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch    2023-03-29 
19:22:12.000000000 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christ...@grothoff.org>
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c |  2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===================================================================
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c   2023-03-29 
19:22:08.888629726 +0200
++++ libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c        2023-03-29 
19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+       return NULL; /* failed to determine boundary */
+     boundary += MHD_STATICSTR_LEN_ ("boundary=");
+     blen = strlen (boundary);
+-    if ( (blen == 0) ||
++    if ( (blen < 2) ||
+          (blen * 2 + 2 > buffer_size) )
+       return NULL;              /* (will be) out of memory or invalid 
boundary */
+     if ( (boundary[0] == '"') &&
diff -Nru libmicrohttpd-0.9.72/debian/patches/series 
libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ libmicrohttpd-0.9.72/debian/patches/series  2023-03-29 19:21:28.000000000 
+0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch
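Review bot: debian/patches/series is created from scratch here (the `---` side carries the 1970 epoch timestamp, so the package shipped no patches before). The debdiff does not show debian/source/format, so it is worth confirming that the source package is 3.0 (quilt) or otherwise applies the quilt series at build time; if it is not, this file is silently ignored and the CVE fix never reaches the built binaries. A quick `dpkg-source -x` of the built .dsc and a check that `src/microhttpd/postprocessor.c` contains `blen < 2` would verify that before upload.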
