Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-04-27 Thread Thorsten Alteholz

Hi Jonathan,

On 22.04.24 18:59, Jonathan Wiltshire wrote:

Please go ahead.


great, thanks ...

... and uploaded.

  Thorsten


Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-04-22 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sat, Mar 23, 2024 at 12:01:09PM +, Thorsten Alteholz wrote:
> The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. It
> is marked as no-dsa by the security team.

Please go ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-04-22 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1067544 [release.debian.org] bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1
Added tag(s) confirmed.

-- 
1067544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067544
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1067544: bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1.debdiff

2024-03-23 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye. 
It is marked as no-dsa by the security team.


The fix was uploaded to Buster about a year ago and nobody has complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I am
catching up on this now.


  Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog 
libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog   2021-02-27 06:47:48.0 
+0100
+++ libmicrohttpd-0.9.72/debian/changelog   2024-03-23 12:03:02.0 
+0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27371
+parsing crafted POST requests result in an out of bounds read, which
+might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz   Sat, 23 Mar 2024 12:03:02 +0100
+
 libmicrohttpd (0.9.72-2) sid; urgency=medium
 
   * Uploading to sid.
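Review bot: The CVE description in the new changelog entry has a grammar slip and gives no pointer to the upstream fix; `parsing crafted POST requests result in an out of bounds read` should read `parsing crafted POST requests results in an out-of-bounds read`, and naming the upstream commit (e0754d1638c602382384f1eface30854b1defeec, which appears in the header of the added patch file) next to the CVE id would let anyone auditing this stable update trace the one-line change to its origin without opening the patch.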
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 
libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch1970-01-01 
01:00:00.0 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch2023-03-29 
19:22:12.0 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff 
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c |  2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c   2023-03-29 
19:22:08.888629726 +0200
 libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c2023-03-29 
19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+   return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+-if ( (blen == 0) ||
++if ( (blen < 2) ||
+  (blen * 2 + 2 > buffer_size) )
+   return NULL;  /* (will be) out of memory or invalid 
boundary */
+ if ( (boundary[0] == '"') &&
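Review bot: The tightened guard `+-if ( (blen == 0) ||` to `++if ( (blen < 2) ||` now rejects zero- and one-byte boundary strings, but the hunk stops at `+ if ( (boundary[0] == '"') &&`, so the quote-stripping branch that follows is not visible; please check in the full file that a two-byte boundary consisting only of `""` cannot leave an empty boundary after the quotes are removed, since a raised minimum of 2 only makes sense if the later code relies on it. On provenance, the patch file carries the upstream git header (From/Date/Subject) but no DEP-3 `Origin:` or `Bug:` field; a one-line `Origin: upstream, commit e0754d1638c602382384f1eface30854b1defeec` would make the source of the backport explicit. The subject `fix parser bug that could be used to crash servers using the MHD_PostProcessor` is consistent with the changelog's DoS wording, so no mismatch there.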
diff -Nru libmicrohttpd-0.9.72/debian/patches/series 
libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ libmicrohttpd-0.9.72/debian/patches/series  2023-03-29 19:21:28.0 
+0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch