Your message dated Sat, 29 Jun 2024 10:47:46 +0000
with message-id <[email protected]>
and subject line Released with 11.10
has caused the Debian Bug report #1067544,
regarding bullseye-pu: libmicrohttpd/0.9.72-2+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1067544: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067544
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
The attached debdiff for libmicrohttpd fixes CVE-2023-27371 in Bullseye.
It is marked as no-dsa by the security team.
The fix was uploaded to Buster about a year ago and nobody has complained yet.
For whatever reason, the upload to Bullseye was forgotten back then, so I
am catching up on this now.
Thorsten
diff -Nru libmicrohttpd-0.9.72/debian/changelog
libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog 2021-02-27 06:47:48.000000000
+0100
+++ libmicrohttpd-0.9.72/debian/changelog 2024-03-23 12:03:02.000000000
+0100
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-27371
+ parsing crafted POST requests result in an out of bounds read, which
+ might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz <[email protected]> Sat, 23 Mar 2024 12:03:02 +0100
+
libmicrohttpd (0.9.72-2) sid; urgency=medium
* Uploading to sid.
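Review bot: the CVE line in the new changelog entry ("parsing crafted POST requests result in an out of bounds read") has a number-agreement slip ("results") and does not name the affected component, which matters here because only applications that use the post-processor are exposed. The patch subject already gives the component, so the entry could read: `CVE-2023-27371: a crafted POST request causes an out-of-bounds read in the MHD_PostProcessor multipart boundary parser, which might cause a DoS (Denial of Service)`.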
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 1970-01-01
01:00:00.000000000 +0100
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch 2023-03-29
19:22:12.000000000 +0200
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <[email protected]>
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===================================================================
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c 2023-03-29
19:22:08.888629726 +0200
++++ libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c 2023-03-29
19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+ return NULL; /* failed to determine boundary */
+ boundary += MHD_STATICSTR_LEN_ ("boundary=");
+ blen = strlen (boundary);
+- if ( (blen == 0) ||
++ if ( (blen < 2) ||
+ (blen * 2 + 2 > buffer_size) )
+ return NULL; /* (will be) out of memory or invalid
boundary */
+ if ( (boundary[0] == '"') &&
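Review bot: the new threshold in `if ( (blen < 2) ||` is not explained, and the comment on the following `return NULL; /* (will be) out of memory or invalid boundary */` still only describes the old conditions; add a short comment saying that a boundary shorter than two bytes is rejected so the quote handling that starts right after, at `if ( (boundary[0] == '"') &&`, is never entered with a single `"`. Separately, the patch file keeps the upstream git headers (`From e0754d1638c602382384f1eface30854b1defeec`) but carries no DEP-3 `Origin:` or `Bug:` line; an `Origin: upstream` line pointing at that upstream commit would make the provenance machine-readable for the security tracker.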
diff -Nru libmicrohttpd-0.9.72/debian/patches/series
libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ libmicrohttpd-0.9.72/debian/patches/series 2023-03-29 19:21:28.000000000
+0200
@@ -0,0 +1 @@
+CVE-2023-27371.patch
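Review bot: `debian/patches/series` is created here for the first time (the old side is dated 1970-01-01, so the package had no quilt patches before), which means nothing on the page shows that the series is actually consumed at build time; confirm the source format is 3.0 (quilt), or that the build otherwise applies the series, and check the build log for `CVE-2023-27371.patch` being applied, since a patch listed in a series that nothing reads is silently a no-op.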
--- End Message ---
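Why the threshold moved from `blen == 0` to `blen < 2`, shown with an added C example. This is not libmicrohttpd code and is not part of the bug report; it models only the boundary extraction around the changed line, reusing the hunk's own names (`boundary`, `blen`, `buffer_size`). It assumes, as labelled in the code, that the quote handling beginning with the visible `if ( (boundary[0] == '"') &&` also tests the last byte and then subtracts two from `blen`; that continuation is not on the page. The Content-Type values are constructed. Under the old check a header whose boundary is a single `"` passes and the length wraps; under the patched check it is rejected:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not libmicrohttpd source. It models the boundary
 * extraction in MHD_create_post_processor around the line changed by the
 * CVE-2023-27371 patch, in just enough detail to show why the minimum
 * length moved from 1 to 2.
 *
 * ASSUMPTION: the quote handling that begins with the hunk's visible
 * `if ( (boundary[0] == '"') &&` also tests the last byte and then
 * shortens blen by two. That continuation is not shown on the page.
 */

#define MIN_BLEN_OLD 1  /* pre-patch: only `blen == 0` was rejected */
#define MIN_BLEN_NEW 2  /* patched:   `blen < 2` is rejected        */

struct boundary {
    bool rejected;       /* true when the parser would return NULL */
    const char *start;   /* first byte of the boundary proper */
    size_t len;          /* length after optional quote stripping */
};

/*
 * content_type: value of the request's Content-Type header.
 * buffer_size:  post-processor buffer size, as in the original check.
 * min_blen:     MIN_BLEN_OLD or MIN_BLEN_NEW.
 */
struct boundary parse_boundary(const char *content_type, size_t buffer_size,
                               size_t min_blen)
{
    struct boundary r = { true, NULL, 0 };
    const char *b = strstr(content_type, "boundary=");
    if (b == NULL)
        return r;                       /* failed to determine boundary */
    b += strlen("boundary=");
    size_t blen = strlen(b);
    if (blen < min_blen || blen * 2 + 2 > buffer_size)
        return r;                       /* too short, or would not fit */

    /* ASSUMED continuation of the visible `boundary[0] == '"'` test. */
    if (b[0] == '"' && b[blen - 1] == '"') {
        ++b;
        blen -= 2;   /* with blen == 1, b[0] and b[blen - 1] are the same
                        byte, so this runs and blen wraps to SIZE_MAX */
    }
    r.rejected = false;
    r.start = b;
    r.len = blen;
    return r;
}

/* A boundary that survived the check but is longer than the header it was
   cut from has wrapped; later code would use it as a copy length.
   Returns true when the result is usable. */
bool boundary_is_sane(const char *content_type, struct boundary b)
{
    return !b.rejected && b.len <= strlen(content_type);
}

int main(void)
{
    /* Constructed inputs for this example. */
    const char *ok     = "multipart/form-data; boundary=\"abc123\"";
    const char *single = "multipart/form-data; boundary=\"";  /* one byte */
    size_t bufsize = 1024;

    struct boundary a = parse_boundary(ok, bufsize, MIN_BLEN_NEW);
    printf("quoted boundary: len=%zu value=%.*s\n",
           a.len, (int)a.len, a.start);

    struct boundary old = parse_boundary(single, bufsize, MIN_BLEN_OLD);
    struct boundary fix = parse_boundary(single, bufsize, MIN_BLEN_NEW);
    printf("single '\"' with old check: rejected=%d len=%zu sane=%d\n",
           old.rejected, old.len, boundary_is_sane(single, old));
    printf("single '\"' with new check: rejected=%d\n", fix.rejected);
    return 0;
}
```

The wrap is demonstrated arithmetically only: `blen` is an unsigned `size_t`, so `1 - 2` is well defined and yields `SIZE_MAX`, and no memory is touched with that value here. In the real parser that length flows into later buffer handling, which is where the out-of-bounds read the changelog describes would occur.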
--- Begin Message ---
Version: 11.10
The upload requested in this bug has been released as part of 11.10.
--- End Message ---