Bug 1939127 (CVE-2021-3466)

Summary: CVE-2021-3466 libmicrohttpd: Buffer overflow issue in URL parser in the post_process_urlencoded function
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: erik-fedora, k2k, lnykryn, mgansser, mike
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libmicrohttpd 0.9.71 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-23 17:35:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1939128, 1939129    
Bug Blocks: 1939130, 1942701    

Description Pedro Sampaio 2021-03-15 16:52:55 UTC 
libmicrohttpd 0.9.70 contains a buffer overflow issue in URL parser implemented in the post_process_urlencoded function.

References:

https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
https://git.gnunet.org/libmicrohttpd.git/diff/src/microhttpd/postprocessor.c?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
https://git.gnunet.org/libmicrohttpd.git/diff/src/microhttpd/test_postprocessor.c?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
Comment 1 Pedro Sampaio 2021-03-15 16:53:27 UTC 
Created libmicrohttpd tracking bugs for this issue:

Affects: fedora-all [bug 1939128]


Created mingw-libmicrohttpd tracking bugs for this issue:

Affects: fedora-all [bug 1939129]
Comment 2 Riccardo Schirone 2021-03-23 15:14:52 UTC 
Function post_process_urlencoded() processes the arguments passed to a POST method, looking for the key part and the value part of each argument. Once it finds where a key starts and ends, it copies the key string into the internal buffer created through the MHD_create_post_processor() function. The internal buffer is used for the parsing and its size is chosen by the caller of MHD_create_post_processor().

The flaw is due to a missing check before copying the POST key string, to ensure that the internal buffer is big enough to hold the key.

A remote attacker may exploit this flaw in an application that uses libmicrohttpd to perform a classic buffer overflow and potentially execute code on the victim machine.
Comment 3 Riccardo Schirone 2021-03-23 15:17:14 UTC 
The vulnerability was likely introduced in https://git.gnunet.org/libmicrohttpd.git/commit/?id=55f715e15e3ce66babc939b5a670bee02d4d9571 , which was first included in libmicrohttpd v0.9.70.
Comment 4 Riccardo Schirone 2021-03-23 15:22:25 UTC 
Statement:

This issue did not affect the versions of libmicrohttpd as shipped with Red Hat Enterprise Linux 6, 7, and 8 as the vulnerable code was only introduced in later versions of the library.
Comment 6 Karlson2k 2021-06-23 09:09:57 UTC 
I can confirm, the only affected version of libmicrohttpd is v0.9.70.

The bug was introduced in v0.9.70 and fixed in v0.9.71.

All libmicrohttpd versions before v0.9.70 were not affected by this bug.

CVE record must be updated to avoid marking version before v0.9.70 as vulnerable.