Bug 11936

Summary: libmicrohttpd new security issues CVE-2013-7038 and CVE-2013-7039
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fundawang, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/582193/
Whiteboard: MGA3-64-OK has_procedure feedback MGA3-32-OK advisory
Source RPM: libmicrohttpd-0.9.30-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-12-10 01:48:28 CET 
CVEs have been requested and allocated for two security issues fixed in 0.9.32:
http://openwall.com/lists/oss-security/2013/12/09/9
http://openwall.com/lists/oss-security/2013/12/09/11

We have 0.9.30 in Cauldron.  Here's the release details for 0.9.31 and 0.9.32:
http://freecode.com/projects/libmicrohttpd/releases/358638
http://freecode.com/projects/libmicrohttpd/releases/359716

Reproducible: 

Steps to Reproduce:
David Walser 2013-12-10 01:48:41 CET

CC: (none) => fundawang
Whiteboard: (none) => MGA3TOO

Dave Hodgins 2013-12-12 22:36:35 CET

Blocks: (none) => 11726

Comment 1 David Walser 2013-12-27 19:25:48 CET 
Release details for 0.9.33, a bugfix release:
http://freecode.com/projects/libmicrohttpd/releases/360107
Comment 2 David Walser 2013-12-29 18:12:43 CET 
libmicrohttpd-0.9.33-1.mga4 uploaded for Cauldron.

Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)

Comment 3 David Walser 2014-01-24 14:36:53 CET 
Fedora has issued an advisory for this on January 16:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127159.html

Updated package uploaded for Mageia 3.

Advisory:
========================

Updated libmicrohttpd packages fix security vulnerabilities:

The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow
remote attackers to obtain sensitive information or cause a denial of service
(crash) via unspecified vectors that trigger an out-of-bounds read
(CVE-2013-7038).

Stack-based buffer overflow in the MHD_digest_auth_check function in
libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to
a large value, allows remote attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a long URI in an authentication header
(CVE-2013-7039).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7039
http://secunia.com/advisories/55903/
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127159.html
========================

Updated packages in core/updates_testing:
========================
libmicrohttpd10-0.9.33-1.mga3
libmicrospdy0-0.9.33-1.mga3
microspdy2http-0.9.33-1.mga3
libmicrohttpd-devel-0.9.33-1.mga3

from libmicrohttpd-0.9.33-1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

David Walser 2014-01-24 18:33:13 CET

URL: (none) => http://lwn.net/Vulnerabilities/582193/

Comment 4 Dave Hodgins 2014-01-30 22:10:27 CET 
Just testing that the server starts, using info from
http://dev.online6.eu/spdytor/

microspdy2http -v -p 9980 -l 192.168.10.2 -rDt4 -T 120
1082
num  curls 0
1089
SPDY timeout 0; 0
1099
curl timeout -1
<snip>
Killed with ctrl+c. Note that 192.168.10.2 is the ip address of the
machine I'm testing on.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA3-64-OK has_procedure

Comment 5 Dave Hodgins 2014-01-31 01:16:39 CET 
Testing complete on Mageia 3 i586, and advisory uploaded to svn.

Someone from the sysadmin team please pust 11936.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA3-64-OK has_procedure => MGA3-64-OK has_procedure feedback MGA3-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-01-31 18:07:21 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0030.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 David Walser 2014-01-31 19:34:13 CET 
LWN reference for CVE-2013-7038:
http://lwn.net/Vulnerabilities/583670/