From 64981bc05763a6772740afbbab365eb90e63f3f0 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Sat, 4 Oct 2025 21:58:41 +0200 Subject: [PATCH] civetweb: patch CVE-2025-55763 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-55763 Pick the relevant commit from https://github.com/civetweb/civetweb/pull/1347/ Signed-off-by: Gyorgy Sarvari Signed-off-by: Anuj Mittal --- ...w-in-directory-URI-slash-redirection.patch | 57 +++++++++++++++++++ .../civetweb/civetweb_1.16.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch b/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch new file mode 100644 index 0000000000..667cb9c2f0 --- /dev/null +++ b/meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch @@ -0,0 +1,57 @@ +From e5e639d42a94b2585fe5123cb123963c6f04c3f5 Mon Sep 17 00:00:00 2001 +From: krispybyte +Date: Sat, 21 Jun 2025 23:33:50 +0300 +Subject: [PATCH] Fix heap overflow in directory URI slash redirection + +CVE: CVE-2025-55763 + +Upstream-Status: Backport [https://github.com/civetweb/civetweb/pull/1347/commits/76e222bcb77ba8452e5da4e82ae6cecd499c25e0] + +Signed-off-by: Gyorgy Sarvari +--- + src/civetweb.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/src/civetweb.c b/src/civetweb.c +index 9e321edf..5452b36d 100644 +--- a/src/civetweb.c ++++ b/src/civetweb.c +@@ -15242,7 +15242,6 @@ handle_request(struct mg_connection *conn) + /* 12. Directory uris should end with a slash */ + if (file.stat.is_directory && ((uri_len = (int)strlen(ri->local_uri)) > 0) + && (ri->local_uri[uri_len - 1] != '/')) { +- + /* Path + server root */ + size_t buflen = UTF8_PATH_MAX * 2 + 2; + char *new_path; +@@ -15255,12 +15254,26 @@ handle_request(struct mg_connection *conn) + mg_send_http_error(conn, 500, "out or memory"); + } else { + mg_get_request_link(conn, new_path, buflen - 1); +- strcat(new_path, "/"); ++ ++ size_t len = strlen(new_path); ++ if (len + 1 < buflen) { ++ new_path[len] = '/'; ++ new_path[len + 1] = '\0'; ++ len += 1; ++ } ++ + if (ri->query_string) { +- /* Append ? and query string */ +- strcat(new_path, "?"); +- strcat(new_path, ri->query_string); ++ if (len + 1 < buflen) { ++ new_path[len] = '?'; ++ new_path[len + 1] = '\0'; ++ len += 1; ++ } ++ ++ /* Append with size of space left for query string + null terminator */ ++ size_t max_append = buflen - len - 1; ++ strncat(new_path, ri->query_string, max_append); + } ++ + mg_send_http_redirect(conn, new_path, 301); + mg_free(new_path); + } diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb index f5a699d5be..a546efca7b 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_1.16.bb @@ -8,6 +8,7 @@ SRCREV = "d7ba35bbb649209c66e582d5a0244ba988a15159" SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ + file://0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch \ " S = "${WORKDIR}/git"