Version in base suite: 0.9.72-2
Base version: libmicrohttpd_0.9.72-2
Target version: libmicrohttpd_0.9.72-2+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libm/libmicrohttpd/libmicrohttpd_0.9.72-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libm/libmicrohttpd/libmicrohttpd_0.9.72-2+deb11u1.dsc
changelog                    |  9 +++++++++
patches/CVE-2023-27371.patch | 23 +++++++++++++++++++++++
patches/series               |  1 +
3 files changed, 33 insertions(+)
diff -Nru libmicrohttpd-0.9.72/debian/changelog libmicrohttpd-0.9.72/debian/changelog
--- libmicrohttpd-0.9.72/debian/changelog	2021-02-27 05:47:48.000000000 +0000
+++ libmicrohttpd-0.9.72/debian/changelog	2024-03-23 11:03:02.000000000 +0000
@@ -1,3 +1,12 @@
+libmicrohttpd (0.9.72-2+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-27371
+    parsing crafted POST requests result in an out of bounds read, which
+    might cause a DoS (Denial of Service)
+
+ -- Thorsten Alteholz  Sat, 23 Mar 2024 12:03:02 +0100
+
 libmicrohttpd (0.9.72-2) sid; urgency=medium
 
   * Uploading to sid.
diff -Nru libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch
--- libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch	1970-01-01 00:00:00.000000000 +0000
+++ libmicrohttpd-0.9.72/debian/patches/CVE-2023-27371.patch	2023-03-29 17:22:12.000000000 +0000
@@ -0,0 +1,23 @@
+From e0754d1638c602382384f1eface30854b1defeec Mon Sep 17 00:00:00 2001
+From: Christian Grothoff
+Date: Sun, 26 Feb 2023 17:51:24 +0100
+Subject: fix parser bug that could be used to crash servers using the
+ MHD_PostProcessor
+
+---
+ src/microhttpd/postprocessor.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+Index: libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c
+===================================================================
+--- libmicrohttpd-0.9.72.orig/src/microhttpd/postprocessor.c	2023-03-29 19:22:08.888629726 +0200
++++ libmicrohttpd-0.9.72/src/microhttpd/postprocessor.c	2023-03-29 19:22:08.884629728 +0200
+@@ -321,7 +321,7 @@
+     return NULL; /* failed to determine boundary */
+   boundary += MHD_STATICSTR_LEN_ ("boundary=");
+   blen = strlen (boundary);
+-  if ( (blen == 0) ||
++  if ( (blen < 2) ||
+        (blen * 2 + 2 > buffer_size) )
+     return NULL; /* (will be) out of memory or invalid boundary */
+   if ( (boundary[0] == '"') &&
diff -Nru libmicrohttpd-0.9.72/debian/patches/series libmicrohttpd-0.9.72/debian/patches/series
--- libmicrohttpd-0.9.72/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libmicrohttpd-0.9.72/debian/patches/series	2023-03-29 17:21:28.000000000 +0000
@@ -0,0 +1 @@
+CVE-2023-27371.patch
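Review bot: The new guard `blen < 2` also rejects an unquoted one-character boundary that the old `blen == 0` accepted, while the length problem it is guarding against can only arise when the boundary is a lone `"` and the quote-stripping that starts at `if ( (boundary[0] == '"') &&` indexes `boundary[blen - 1]` and shortens `blen` by two (that code and the rest of the enclosing function lie outside the hunk, so this is inferred from the visible context). A narrower fix would keep `blen == 0` here and put the length requirement on the quoted case only, e.g. `if ( (blen >= 2) && (boundary[0] == '"') && (boundary[blen - 1] == '"') )`. It is also worth confirming that `boundary=""` (blen 2) now passes this check and, after stripping, leaves an empty boundary that `blen == 0` used to reject. The patch file identifies the upstream commit only through its `From` hash line; a DEP-3 `Origin:` and `Bug-Debian:` header would make the provenance of the backport explicit.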