Bug 1939127 (CVE-2021-3466) - CVE-2021-3466 libmicrohttpd: Buffer overflow issue in URL parser in the post_process_urlencoded function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1939128 1939129
Blocks: 1939130 1942701
Reported: 2021-03-15 16:52 UTC by Pedro Sampaio
Modified: 2023-11-06 20:02 UTC

Fixed In Version: libmicrohttpd 0.9.71
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libmicrohttpd. A missing bounds check in the post_process_urlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-23 17:35:48 UTC
Embargoed:



Comment 1 Pedro Sampaio 2021-03-15 16:53:27 UTC
Created libmicrohttpd tracking bugs for this issue:

Affects: fedora-all [bug 1939128]


Created mingw-libmicrohttpd tracking bugs for this issue:

Affects: fedora-all [bug 1939129]

Comment 2 Riccardo Schirone 2021-03-23 15:14:52 UTC
Function post_process_urlencoded() processes the arguments passed to a POST method, looking for the key part and the value part of each argument. Once it finds where a key starts and ends, it copies the key string into the internal buffer created through the MHD_create_post_processor() function. The internal buffer is used for the parsing and its size is chosen by the caller of MHD_create_post_processor().

The flaw is due to a missing check before copying the POST key string, to ensure that the internal buffer is big enough to hold the key.

A remote attacker may exploit this flaw in an application that uses libmicrohttpd to perform a classic buffer overflow and potentially execute code on the victim machine.
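
The length check Comment 2 describes, as a constructed illustration rather than libmicrohttpd's own code: `pp_state`, `KEY_BUF_SIZE` and `process_urlencoded` are hypothetical names standing in for the post-processor state, the caller-chosen buffer size and the key/value walk, and the body is parsed only far enough to show where the check belongs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example; not libmicrohttpd code. KEY_BUF_SIZE plays the role of
 * the buffer size the caller passes to MHD_create_post_processor(). */
#define KEY_BUF_SIZE 16

typedef struct {
    char   key[KEY_BUF_SIZE]; /* internal buffer sized by the caller */
    size_t key_len;
    int    rejected;          /* set when a key would not fit */
} pp_state;

/* Copy one key into the internal buffer, refusing it if it cannot fit.
 * This bounds check is the one the vulnerable parser lacked. */
static int copy_key(pp_state *st, const char *start, size_t len)
{
    if (len >= sizeof st->key) {   /* keep room for the terminating NUL */
        st->rejected = 1;
        return -1;
    }
    memcpy(st->key, start, len);
    st->key[len] = '\0';
    st->key_len = len;
    return 0;
}

/* Walk "k1=v1&k2=v2", copying each key through copy_key(). Returns the number
 * of pairs seen, or -1 as soon as a key exceeds the internal buffer. */
int process_urlencoded(pp_state *st, const char *body, size_t body_len)
{
    size_t pos = 0;
    int pairs = 0;
    memset(st, 0, sizeof *st);
    while (pos < body_len) {
        const char *amp = memchr(body + pos, '&', body_len - pos);
        size_t pair_len = amp ? (size_t)(amp - (body + pos)) : body_len - pos;
        const char *eq = memchr(body + pos, '=', pair_len);
        size_t key_len = eq ? (size_t)(eq - (body + pos)) : pair_len;
        if (copy_key(st, body + pos, key_len) < 0)
            return -1;              /* oversized key: stop instead of overflowing */
        pairs++;
        pos += pair_len + 1;        /* step past the '&' separator */
    }
    return pairs;
}
```

The second input in the test is the case that matters: a 24-byte key against a 16-byte buffer is rejected instead of being copied.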

Comment 3 Riccardo Schirone 2021-03-23 15:17:14 UTC
The vulnerability was likely introduced in https://git.gnunet.org/libmicrohttpd.git/commit/?id=55f715e15e3ce66babc939b5a670bee02d4d9571, which was first included in libmicrohttpd v0.9.70.

Comment 4 Riccardo Schirone 2021-03-23 15:22:25 UTC
Statement:

This issue did not affect the versions of libmicrohttpd as shipped with Red Hat Enterprise Linux 6, 7, and 8 as the vulnerable code was only introduced in later versions of the library.

Comment 6 Karlson2k 2021-06-23 09:09:57 UTC
I can confirm that the only affected version of libmicrohttpd is v0.9.70.

The bug was introduced in v0.9.70 and fixed in v0.9.71.

All libmicrohttpd versions before v0.9.70 were not affected by this bug.

The CVE record must be updated to avoid marking versions before v0.9.70 as vulnerable.
