Re: [libmicrohttpd] libmicrohttpd 0.9.71 released

[Markus Doppelbauer]

Hello,

The percent-encoded post-processor (current git ) segfaults.

ASAN reports: global-buffer-overflow

A testcase is attached.

Best wishes

Markus

-------- Weitergeleitete Nachricht --------

Von: Christian Grothoff <grothoff@gnunet.org>

Antwort an: libmicrohttpd development and user mailinglist <libmicrohttpd@gnu.org>

An: libmicrohttpd <libmicrohttpd@gnu.org>

Betreff: [libmicrohttpd] libmicrohttpd 0.9.71 released

Datum: Sun, 28 Jun 2020 22:04:49 +0200

Dear all,

I'm happy to announce the release of GNU libmicrohttpd 0.9.71.

This release fixes a potential buffer overflow and is thus considered a

security release. Please upgrade as soon as possible.  Thanks to Nicolas

Mora for finding and reporting the issue.

Additionally, the release fixes the following issues:

* Proper uncorking with GnuTLS to ensure 'last bytes' are

  transmitted over TLS connections even if we are congested

* Fixes wrong values returned by PostProcessor given certain

  parser boundaries

* Improved documentation, fixed spelling mistakes

* Fixed several socket handling issues on OS X

Furthermore, the release introduces an 'enum MHD_Result' instead of

#defines for MHD_YES/MHD_NO. This is intended to make it easier to check

for certain API misuse bugs by providing better types (not everything is

an 'int').  While this does NOT change the binary API, this change

_will_ cause compiler warnings for all legacy code -- until 'int' is

replaced with 'enum MHD_Result'.

If you want your code to build without warnings on both older and newer

MHD releases, you may want to introduce a MHD_RESULT as done here:

https://git.gnunet.org/gnunet.git/tree/src/include/gnunet_mhd_compat.h

That said, this being a security release it may be a good time to not

build nicely against older versions.

Happy hacking!

Christian

testcase6.cpp
Description: Text Data