CVE-2013-7039: Buffer Overflow
First published: Mon Dec 09 2013(Updated: )
A stack overflow flaw was found in the MHD_digest_auth_check() function in libmicrohttpd. If MHD_OPTION_CONNECTION_MEMORY_LIMIT was configured to allow large allocations, a remote attacker could possibly use this flaw to cause an application using libmicrohttpd to crash or, potentially, execute arbitrary code with the privileges of the user running the application. This issue has been resolved in version 0.9.32. References: <a href="https://gnunet.org/svn/libmicrohttpd/ChangeLog">https://gnunet.org/svn/libmicrohttpd/ChangeLog</a> <a href="http://secunia.com/advisories/55903/">http://secunia.com/advisories/55903/</a> <a href="https://bugs.gentoo.org/show_bug.cgi?id=493450">https://bugs.gentoo.org/show_bug.cgi?id=493450</a> Acknowledgements: This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Libmicrohttpd | <=0.9.31 | |
| Libmicrohttpd | =0.9.16 | |
| Libmicrohttpd | =0.9.17 | |
| Libmicrohttpd | =0.9.18 | |
| Libmicrohttpd | =0.9.19 | |
| Libmicrohttpd | =0.9.20 | |
| Libmicrohttpd | =0.9.21 | |
| Libmicrohttpd | =0.9.22 | |
| Libmicrohttpd | =0.9.23 | |
| Libmicrohttpd | =0.9.24 | |
| Libmicrohttpd | =0.9.25 | |
| Libmicrohttpd | =0.9.26 | |
| Libmicrohttpd | =0.9.27 | |
| Libmicrohttpd | =0.9.28 | |
| Libmicrohttpd | =0.9.29 | |
| Libmicrohttpd | =0.9.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gnunet.org/svn/libmicrohttpd/ChangeLog
- http://secunia.com/advisories/55903/
- https://bugs.gentoo.org/show_bug.cgi?id=493450
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039391
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1039392
- http://www.openwall.com/lists/oss-security/2013/12/09/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1039390
- http://secunia.com/advisories/55903
- http://security.gentoo.org/glsa/glsa-201402-01.xml
- http://www.openwall.com/lists/oss-security/2013/12/09/11
- http://www.securityfocus.com/bid/64138
Frequently Asked Questions
What is the severity of CVE-2013-7039?
CVE-2013-7039 has a medium severity level due to its potential to cause application crashes or arbitrary code execution.
How do I fix CVE-2013-7039?
To fix CVE-2013-7039, update libmicrohttpd to version 0.9.31 or later.
What is affected by CVE-2013-7039?
CVE-2013-7039 affects versions of libmicrohttpd up to and including 0.9.30.
Can CVE-2013-7039 be exploited remotely?
Yes, CVE-2013-7039 can be exploited remotely by attackers sending specially crafted requests.
Is there a workaround for CVE-2013-7039?
A potential workaround for CVE-2013-7039 is to restrict the MHD_OPTION_CONNECTION_MEMORY_LIMIT configuration.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-7039
- agent/trending
- agent/source
- agent/weakness
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/gnu
- canonical/libmicrohttpd
- version/libmicrohttpd/0.9.31
- version/libmicrohttpd/0.9.16
- version/libmicrohttpd/0.9.17
- version/libmicrohttpd/0.9.18
- version/libmicrohttpd/0.9.19
- version/libmicrohttpd/0.9.20
- version/libmicrohttpd/0.9.21
- version/libmicrohttpd/0.9.22
- version/libmicrohttpd/0.9.23
- version/libmicrohttpd/0.9.24
- version/libmicrohttpd/0.9.25
- version/libmicrohttpd/0.9.26
- version/libmicrohttpd/0.9.27
- version/libmicrohttpd/0.9.28
- version/libmicrohttpd/0.9.29
- version/libmicrohttpd/0.9.30