CVE-2013-7039: Buffer Overflow
First published: Mon Dec 09 2013(Updated: )
A stack overflow flaw was found in the MHD_digest_auth_check() function in libmicrohttpd. If MHD_OPTION_CONNECTION_MEMORY_LIMIT was configured to allow large allocations, a remote attacker could possibly use this flaw to cause an application using libmicrohttpd to crash or, potentially, execute arbitrary code with the privileges of the user running the application. This issue has been resolved in version 0.9.32. References: <a href="https://gnunet.org/svn/libmicrohttpd/ChangeLog">https://gnunet.org/svn/libmicrohttpd/ChangeLog</a> <a href="http://secunia.com/advisories/55903/">http://secunia.com/advisories/55903/</a> <a href="https://bugs.gentoo.org/show_bug.cgi?id=493450">https://bugs.gentoo.org/show_bug.cgi?id=493450</a> Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GNU libmicrohttpd | <=0.9.31 | |
| GNU libmicrohttpd | =0.9.16 | |
| GNU libmicrohttpd | =0.9.17 | |
| GNU libmicrohttpd | =0.9.18 | |
| GNU libmicrohttpd | =0.9.19 | |
| GNU libmicrohttpd | =0.9.20 | |
| GNU libmicrohttpd | =0.9.21 | |
| GNU libmicrohttpd | =0.9.22 | |
| GNU libmicrohttpd | =0.9.23 | |
| GNU libmicrohttpd | =0.9.24 | |
| GNU libmicrohttpd | =0.9.25 | |
| GNU libmicrohttpd | =0.9.26 | |
| GNU libmicrohttpd | =0.9.27 | |
| GNU libmicrohttpd | =0.9.28 | |
| GNU libmicrohttpd | =0.9.29 | |
| GNU libmicrohttpd | =0.9.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gnunet.org/svn/libmicrohttpd/ChangeLog
- http://secunia.com/advisories/55903/
- https://bugs.gentoo.org/show_bug.cgi?id=493450
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039391
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039392
- http://www.openwall.com/lists/oss-security/2013/12/09/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1039390
- http://secunia.com/advisories/55903
- http://security.gentoo.org/glsa/glsa-201402-01.xml
- http://www.openwall.com/lists/oss-security/2013/12/09/11
- http://www.securityfocus.com/bid/64138
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-7039
- agent/tags
- agent/trending
- vendor/gnu
- canonical/gnu libmicrohttpd
- version/gnu libmicrohttpd/0.9.31
- version/gnu libmicrohttpd/0.9.16
- version/gnu libmicrohttpd/0.9.17
- version/gnu libmicrohttpd/0.9.18
- version/gnu libmicrohttpd/0.9.19
- version/gnu libmicrohttpd/0.9.20
- version/gnu libmicrohttpd/0.9.21
- version/gnu libmicrohttpd/0.9.22
- version/gnu libmicrohttpd/0.9.23
- version/gnu libmicrohttpd/0.9.24
- version/gnu libmicrohttpd/0.9.25
- version/gnu libmicrohttpd/0.9.26
- version/gnu libmicrohttpd/0.9.27
- version/gnu libmicrohttpd/0.9.28
- version/gnu libmicrohttpd/0.9.29
- version/gnu libmicrohttpd/0.9.30