[Buildroot] [git commit] package/civetweb: add patch for CVE-2025-55763
Julien Olivain
ju.o at free.fr
Thu Sep 18 19:29:34 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=426d7635c7e99af49c3cc24c122c95b1ed89c082
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
This fixes the following vulnerability:
- CVE-2025-55763
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest)
allows a remote attacker to achieve remote code execution via a crafted
HTTP request. This vulnerability is triggered during request processing
and may allow an attacker to corrupt heap memory, potentially leading to
denial of service or arbitrary code execution.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-55763
- https://github.com/civetweb/civetweb/commit/76e222bcb77ba8452e5da4e82ae6cecd499c25e0
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Signed-off-by: Julien Olivain <ju.o at free.fr>
---
...erflow-in-directory-URI-slash-redirection.patch | 56 ++++++++++++++++++++++
package/civetweb/civetweb.mk | 3 ++
2 files changed, 59 insertions(+)
diff --git a/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch b/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
new file mode 100644
index 0000000000..399fafb4bd
--- /dev/null
+++ b/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
@@ -0,0 +1,56 @@
+From 76e222bcb77ba8452e5da4e82ae6cecd499c25e0 Mon Sep 17 00:00:00 2001
+From: krispybyte <krispybyte at proton.me>
+Date: Sat, 21 Jun 2025 23:33:50 +0300
+Subject: [PATCH] Fix heap overflow in directory URI slash redirection
+
+CVE: CVE-2025-55763
+Upstream: https://github.com/civetweb/civetweb/commit/76e222bcb77ba8452e5da4e82ae6cecd499c25e0
+[thomas: fix offset]
+Signed-off-by: Thomas Perale <thomas.perale at mind.be>
+---
+ src/civetweb.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/civetweb.c b/src/civetweb.c
+index bbc9aa8be..e969c939f 100644
+--- a/src/civetweb.c
++++ b/src/civetweb.c
+@@ -15242,7 +15242,6 @@ handle_request(struct mg_connection *conn)
+ /* 12. Directory uris should end with a slash */
+ if (file.stat.is_directory && ((uri_len = (int)strlen(ri->local_uri)) > 0)
+ && (ri->local_uri[uri_len - 1] != '/')) {
+-
+ /* Path + server root */
+ size_t buflen = UTF8_PATH_MAX * 2 + 2;
+ char *new_path;
+@@ -15254,12 +15254,26 @@ handle_request(struct mg_connection *conn)
+ mg_send_http_error(conn, 500, "out or memory");
+ } else {
+ mg_get_request_link(conn, new_path, buflen - 1);
+- strcat(new_path, "/");
++
++ size_t len = strlen(new_path);
++ if (len + 1 < buflen) {
++ new_path[len] = '/';
++ new_path[len + 1] = '\0';
++ len += 1;
++ }
++
+ if (ri->query_string) {
+- /* Append ? and query string */
+- strcat(new_path, "?");
+- strcat(new_path, ri->query_string);
++ if (len + 1 < buflen) {
++ new_path[len] = '?';
++ new_path[len + 1] = '\0';
++ len += 1;
++ }
++
++ /* Append with size of space left for query string + null terminator */
++ size_t max_append = buflen - len - 1;
++ strncat(new_path, ri->query_string, max_append);
+ }
++
+ mg_send_http_redirect(conn, new_path, 301);
+ mg_free(new_path);
+ }
diff --git a/package/civetweb/civetweb.mk b/package/civetweb/civetweb.mk
index 629c1b59b2..af221e9133 100644
--- a/package/civetweb/civetweb.mk
+++ b/package/civetweb/civetweb.mk
@@ -10,6 +10,9 @@ CIVETWEB_LICENSE = MIT
CIVETWEB_LICENSE_FILES = LICENSE.md
CIVETWEB_CPE_ID_VALID = YES
+# 0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
+CIVETWEB_IGNORE_CVES += CVE-2025-55763
+
CIVETWEB_CONF_OPTS = TARGET_OS=LINUX WITH_IPV6=1 \
$(if $(BR2_INSTALL_LIBSTDCPP),WITH_CPP=1)
CIVETWEB_COPT = -DHAVE_POSIX_FALLOCATE=0
More information about the buildroot
mailing list