Bug 11936 - libmicrohttpd new security issues CVE-2013-7038 and CVE-2013-7039
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/582193/
Whiteboard: MGA3-64-OK has_procedure feedback MGA...
Keywords: validated_update
Reported: 2013-12-10 01:48 CET by David Walser
Modified: 2014-01-31 19:34 CET

Source RPM: libmicrohttpd-0.9.30-2.mga4.src.rpm

Description David Walser 2013-12-10 01:48:28 CET
CVEs have been requested and allocated for two security issues fixed in 0.9.32:
http://openwall.com/lists/oss-security/2013/12/09/9
http://openwall.com/lists/oss-security/2013/12/09/11

We have 0.9.30 in Cauldron.  Here are the release details for 0.9.31 and 0.9.32:
http://freecode.com/projects/libmicrohttpd/releases/358638
http://freecode.com/projects/libmicrohttpd/releases/359716

Comment 1 David Walser 2013-12-27 19:25:48 CET
Release details for 0.9.33, a bugfix release:
http://freecode.com/projects/libmicrohttpd/releases/360107
Comment 2 David Walser 2013-12-29 18:12:43 CET
libmicrohttpd-0.9.33-1.mga4 uploaded for Cauldron.
Comment 3 David Walser 2014-01-24 14:36:53 CET
Fedora has issued an advisory for this on January 16:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127159.html

Updated package uploaded for Mageia 3.

Advisory:
========================

Updated libmicrohttpd packages fix security vulnerabilities:

The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow
remote attackers to obtain sensitive information or cause a denial of service
(crash) via unspecified vectors that trigger an out-of-bounds read
(CVE-2013-7038).

Stack-based buffer overflow in the MHD_digest_auth_check function in
libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to
a large value, allows remote attackers to cause a denial of service (crash) or
possibly execute arbitrary code via a long URI in an authentication header
(CVE-2013-7039).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7039
http://secunia.com/advisories/55903/
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127159.html
========================

Updated packages in core/updates_testing:
========================
libmicrohttpd10-0.9.33-1.mga3
libmicrospdy0-0.9.33-1.mga3
microspdy2http-0.9.33-1.mga3
libmicrohttpd-devel-0.9.33-1.mga3

from libmicrohttpd-0.9.33-1.mga3.src.rpm
Comment 4 Dave Hodgins 2014-01-30 22:10:27 CET
Just testing that the server starts, using info from
http://dev.online6.eu/spdytor/

microspdy2http -v -p 9980 -l 192.168.10.2 -rDt4 -T 120
1082
num  curls 0
1089
SPDY timeout 0; 0
1099
curl timeout -1
<snip>
Killed with Ctrl+C. Note that 192.168.10.2 is the IP address of the
machine I'm testing on.
Comment 5 Dave Hodgins 2014-01-31 01:16:39 CET
Testing complete on Mageia 3 i586, and advisory uploaded to svn.

Someone from the sysadmin team please push 11936.adv to updates.
Comment 6 Thomas Backlund 2014-01-31 18:07:21 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0030.html
Comment 7 David Walser 2014-01-31 19:34:13 CET
LWN reference for CVE-2013-7038:
http://lwn.net/Vulnerabilities/583670/
