!26 [sync] PR-22: Fix CVE-2023-27371

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-03-13 07:18:38 +00:00 · 2023-03-13 07:18:38 +00:00 · ac803a1ae7
commit ac803a1ae7
parent 58712cab46 117842d735
2 changed files with 17 additions and 1 deletions
--- a/CVE-2023-27371.patch
+++ b/CVE-2023-27371.patch
@ -0,0 +1,12 @@
+diff -Naur a/src/microhttpd/postprocessor.c b/src/microhttpd/postprocessor.c
+--- a/src/microhttpd/postprocessor.c	2023-03-13 11:20:38.069141187 +0800
+++ b/src/microhttpd/postprocessor.c	2023-03-13 11:21:37.158002318 +0800
+@@ -310,7 +310,7 @@
+ 	return NULL; /* failed to determine boundary */
+       boundary += MHD_STATICSTR_LEN_ ("boundary=");
+       blen = strlen (boundary);
+-      if ( (blen == 0) ||
+      if ( (blen < 2) ||
+            (blen * 2 + 2 > buffer_size) )
+         return NULL;            /* (will be) out of memory or invalid boundary */
+       if ( (boundary[0] == '"') &&
--- a/libmicrohttpd.spec
+++ b/libmicrohttpd.spec
@ -1,6 +1,6 @@
 Name:           libmicrohttpd
 Version:        0.9.59
-Release:        7
+Release:        8
 Epoch:          1
 Summary:        Lightweight library for embedding a webserver in applications
 License:        LGPLv2+
@ -9,6 +9,7 @@ Source0:        https://ftp.gnu.org/gnu/libmicrohttpd/%{name}-%{version}.tar.gz
 Patch0001:      gnutls-utilize-system-crypto-policy.patch
 Patch0002:      fix-libmicrohttpd-tutorial-info.patch
 Patch0003:      0001-skip-tls-upgrade-test-case.patch
+Patch0004:      CVE-2023-27371.patch

 BuildRequires:  autoconf automake libtool gettext-devel texinfo gnutls-devel doxygen graphviz
 Requires:       %{name}-help = %{epoch}:%{version}-%{release}
@ -92,6 +93,9 @@ fi
 %{_infodir}/libmicrohttpd_performance_data.png.gz

 %changelog
+* Mon Mar 13 2023 yaoxin <yaoxin30@h-partners.com> - 1:0.9.59-8
+- Fix CVE-2023-27371
+
 * Mon Jan 29 2023 Ge Wang<wangge20@h-partners.com> - 0.9.59-7
 - Skip upgrade_tls test case due to socket recv failure