libmicrohttpd 0.9.70 contains a buffer overflow issue in the URL parser implemented in the post_process_urlencoded function.
References:
https://git.gnunet.org/libmicrohttpd.git/commit/?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
https://git.gnunet.org/libmicrohttpd.git/diff/src/microhttpd/postprocessor.c?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
https://git.gnunet.org/libmicrohttpd.git/diff/src/microhttpd/test_postprocessor.c?id=a110ae6276660bee3caab30e9ff3f12f85cf3241
Created libmicrohttpd tracking bugs for this issue:
Affects: fedora-all [bug 1939128]
Created mingw-libmicrohttpd tracking bugs for this issue:
Affects: fedora-all [bug 1939129]
Function post_process_urlencoded() processes the arguments passed to a POST method, looking for the key part and the value part of each argument. Once it finds where a key starts and ends, it copies the key string into the internal buffer created through the MHD_create_post_processor() function. The internal buffer is used for the parsing and its size is chosen by the caller of MHD_create_post_processor(). The flaw is a missing check, before the POST key string is copied, that the internal buffer is big enough to hold the key. A remote attacker may exploit this flaw in an application that uses libmicrohttpd to perform a classic buffer overflow and potentially execute code on the victim machine.
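The following is an added illustration of the bounds check described above, written for this page; it is not libmicrohttpd's code and does not reproduce its postprocessor internals. It is a hypothetical minimal parser for a URL-encoded POST body in which the key buffer size is chosen by the caller (as with MHD_create_post_processor()), and every key is checked against that size before it is copied. A key that does not fit is rejected instead of overrunning the buffer. The names parse_urlencoded, copy_key and PP_KEY_TOO_LONG are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values for the hypothetical parser (not a libmicrohttpd API). */
enum pp_status { PP_OK = 0, PP_KEY_TOO_LONG = -1 };

/* Callback invoked once per key/value pair; val is NOT NUL-terminated. */
typedef void (*pp_cb)(const char *key, const char *val, size_t vlen, void *cls);

/* Copy one key (everything up to '=', '&' or end of data) into buf.
 * buf_size is the caller-chosen size of the key buffer. This is the
 * check the advisory reports as missing: the key plus its terminating
 * NUL must fit before anything is written. Returns the key length,
 * or PP_KEY_TOO_LONG without touching buf. */
static int copy_key(const char *data, size_t data_len,
                    char *buf, size_t buf_size)
{
    size_t klen = 0;
    while (klen < data_len && data[klen] != '=' && data[klen] != '&')
        klen++;
    if (klen >= buf_size)          /* no room for key + NUL */
        return PP_KEY_TOO_LONG;
    memcpy(buf, data, klen);
    buf[klen] = '\0';
    return (int)klen;
}

/* Walk a URL-encoded body ("a=1&b=2"), copying each key into keybuf
 * and handing key/value to cb (which may be NULL). Returns the number
 * of pairs processed, or PP_KEY_TOO_LONG on the first key that does
 * not fit the caller's buffer. Percent-decoding is deliberately
 * omitted; the point is the length check. */
int parse_urlencoded(const char *body, size_t body_len,
                     char *keybuf, size_t buf_size, pp_cb cb, void *cls)
{
    size_t pos = 0;
    int pairs = 0;

    while (pos < body_len) {
        int klen = copy_key(body + pos, body_len - pos, keybuf, buf_size);
        if (klen < 0)
            return PP_KEY_TOO_LONG;
        pos += (size_t)klen;

        const char *val = "";
        size_t vlen = 0;
        if (pos < body_len && body[pos] == '=') {
            pos++;
            val = body + pos;
            while (pos < body_len && body[pos] != '&')
                pos++;
            vlen = (size_t)((body + pos) - val);
        }
        if (cb)
            cb(keybuf, val, vlen, cls);
        pairs++;

        if (pos < body_len && body[pos] == '&')
            pos++;
    }
    return pairs;
}

static void print_pair(const char *key, const char *val, size_t vlen, void *cls)
{
    (void)cls;
    printf("key=%s value=%.*s\n", key, (int)vlen, val);
}

int main(void)
{
    /* Constructed sample bodies; the second carries a key longer than
     * the 8-byte key buffer and must be rejected, not copied. */
    const char *ok = "user=alice&mode=ro";
    const char *bad = "averylongkeyname=1";
    char keybuf[8];

    int r1 = parse_urlencoded(ok, strlen(ok), keybuf, sizeof keybuf, print_pair, NULL);
    int r2 = parse_urlencoded(bad, strlen(bad), keybuf, sizeof keybuf, print_pair, NULL);
    printf("pairs=%d, over-long key status=%d\n", r1, r2);
    return 0;
}
```

The check is placed in copy_key() so that it runs before any byte reaches the buffer; a parser that copies first and checks afterwards has already overrun. When adopting a library post-processor, the caller-supplied buffer size is an input to this check, so choose it with the longest legitimate key in mind and treat a rejection as a malformed request rather than silently truncating the key.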
The vulnerability was likely introduced in https://git.gnunet.org/libmicrohttpd.git/commit/?id=55f715e15e3ce66babc939b5a670bee02d4d9571, which was first included in libmicrohttpd v0.9.70.
Statement: This issue did not affect the versions of libmicrohttpd as shipped with Red Hat Enterprise Linux 6, 7, and 8 as the vulnerable code was only introduced in later versions of the library.
I can confirm that the only affected version of libmicrohttpd is v0.9.70. The bug was introduced in v0.9.70 and fixed in v0.9.71. All libmicrohttpd versions before v0.9.70 were not affected by this bug. The CVE record must be updated to avoid marking versions before v0.9.70 as vulnerable.