Bug 31670 - libmicrohttpd new security issue fixed upstream in 0.9.76
Summary: libmicrohttpd new security issue fixed upstream in 0.9.76
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Reported: 2023-03-14 03:00 CET by David Walser
Modified: 2023-03-19 19:42 CET (History)
3 users (show)

See Also:
Source RPM: libmicrohttpd-0.9.72-1.mga8.src.rpm
Status comment:


Description David Walser 2023-03-14 03:00:24 CET
libmicrohttpd 0.9.76 has been released on February 27:

It fixes a security bug.  Either Mageia 8 should be updated or the patch should be backported.
Comment 1 Lewis Smith 2023-03-14 20:55:35 CET
0.9.76 is already in Cauldron thanks to luigi.

Assigning this M8 update globally as different packagers maintain the SRPM.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-03-16 13:51:55 CET
Suggested advisory:

The updated packages fix a security vulnerability:

In the MHD_PostProcessor, malformed inputs can be used to crash the server (for denial-of-service).


Updated packages in core/updates_testing:

from SRPM:

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs

Comment 3 Thomas Andrews 2023-03-18 22:37:49 CET
No installation issues.

A search for a previous bug revealed just one, reaching all the way back to Mageia 3, bug 11936. That did show a test procedure, but it seems that the package that provided the command, microspdy2http, is no longer in Mageia. So, no help there.

Urpmq --whatrequires showed systemd and Kodi as needing the package, so after a reboot of the test system to "reset" systemd, I tried each of them.

With an strace of Kodi, I set up the weather app to get a forecast for New York City (Apparently Syracuse, the city closest to me, isn't available) and the weather looked to be relatively nice. I then watched several different IPTV channels, all of which worked except for those labeled as "geo-blocked." I didn't see any issues with what I did, but then an examination of the resulting strace file didn't show any reference to libmicrohttpd that kwrite could find.

So I tried some systemd commands. Since I'm treading over largely unfamiliar territory there, I kept it to commands that should be relatively harmless. I listed all the unit files, but didn't see anything there that jumped out at me as having to do with a server. An attempt to enable the httpd service informed me that it didn't exist. (As it should: Apache isn't installed.)

I checked the status of some units that *are* there, and the answers were all what I expected them to be. I did not muck about with enabling or disabling things that I don't understand.

That's about as far as I can go with what I know. Systemd didn't crash the system, which I consider a definite plus.

I wouldn't mind giving this an OK based on what little I did, but would feel better if someone who is more familiar with this sort of thing could take a look at it.

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2023-03-19 19:42:58 CET
Testing on MGA8 Plasma system on an HP Probook 6550b.

Completely overthinking the whole thing in the last comment. 

It seems that another app that requires this library is psensor, used to set up a minimal http server. So, after doing some reading...

[tom@localhost ~]$ psensor-server
[(null)] [ERR] Cannot open log file: /var/log/psensor-server.log
[(null)] [ERR] hddtemp: failed to open connection.
[(null)] [INFO] BCM2835: The BCM2835 has not been detected.
[(null)] [INFO] Web server started on port: 3131
[(null)] [INFO] WWW directory: /usr/share/psensor/www
[(null)] [INFO] URL: http://localhost:3131

I think the first "err" was from not running as root. Not sure about the second, but I don't believe it is related to the library under test.

Pointing Firefox to the above url showed a page giving information from the various sensors that psensor monitors on this laptop. An strace of the process shows one call to "/lib64/libmicrohttpd.so.12" early in the process.

So, it appears to work. Giving this an OK, and validating. Advisory in comment 2.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Note You need to log in before you can comment on or make changes to this bug.