Bug 854443 (CVE-2013-7038) - VUL-0: CVE-2013-7038, CVE-2013-7039: libmicrohttpd: memory issues
Summary: VUL-0: CVE-2013-7038, CVE-2013-7039: libmicrohttpd: memory issues
Status: RESOLVED FIXED
Alias: CVE-2013-7038
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All All
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/94506/
Whiteboard: CVSSv2:NVD:CVE-2013-7038:6.4:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-09 10:56 UTC by Sebastian Krahmer
Modified: 2017-07-13 14:52 UTC
CC: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Comment 1 Swamp Workflow Management 2013-12-09 23:00:18 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2013-12-10 07:26:45 UTC
Via OSS:

There are two more patches I recommend cherry-picking (if you consider the
other two worth fixing).  All these fixes border on hardening.

------------------------------------------------------------------------
r30927 | grothoff | 2013-11-28 11:05:52 +0100 (Thu, 28 Nov 2013) | 1 line

-handle case that original allocation request was zero
------------------------------------------------------------------------
r30926 | grothoff | 2013-11-28 10:16:38 +0100 (Thu, 28 Nov 2013) | 1 line

-fix theoretical overflow issue reported by Florian Weimer

--
Florian Weimer / Red Hat Product Security Team
Comment 3 Sebastian Krahmer 2013-12-10 07:28:50 UTC
> 1) https://bugzilla.redhat.com/show_bug.cgi?id=1039384

Use CVE-2013-7038.


> 2) https://bugzilla.redhat.com/show_bug.cgi?id=1039390

Use CVE-2013-7039.
Comment 4 Marcus Meissner 2013-12-17 10:50:00 UTC
ping cristian?
Comment 5 Cristian Rodríguez 2013-12-17 15:09:13 UTC
WIP.. 13.1 is ready.. got sidetracked in something else for the rest of the products..
Comment 6 Johannes Segitz 2015-04-01 12:23:18 UTC
(In reply to Cristian Rodríguez from comment #5)
13.1 is still unpatched, can you please submit?
Comment 8 Bernhard Wiedemann 2017-05-30 10:01:41 UTC
This is an autogenerated message for OBS integration:
This bug (854443) was mentioned in
https://build.opensuse.org/request/show/499625 Factory / libmicrohttpd
Comment 9 Tomáš Chvátal 2017-05-30 12:45:46 UTC
Submission done.
Comment 11 Swamp Workflow Management 2017-06-16 10:11:00 UTC
SUSE-SU-2017:1576-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1041216,854443
CVE References: CVE-2013-7038,CVE-2013-7039
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libmicrohttpd-0.9.30-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libmicrohttpd-0.9.30-5.1
SUSE Linux Enterprise Server 12-SP2 (src):    libmicrohttpd-0.9.30-5.1
Comment 12 Swamp Workflow Management 2017-06-26 13:15:27 UTC
openSUSE-SU-2017:1676-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1041216,854443
CVE References: CVE-2013-7038,CVE-2013-7039
Sources used:
openSUSE Leap 42.2 (src):    libmicrohttpd-0.9.30-5.3.1
Comment 13 Marcus Meissner 2017-06-27 08:45:49 UTC
released