[Buildroot] [PATCH] package/civetweb: add patch for CVE-2025-55763
Thomas Perale
thomas.perale at mind.be
Thu Sep 25 20:16:54 UTC 2025
In reply of:
> This fixes the following vulnerability:
>
> - CVE-2025-55763
>
> Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest)
> allows a remote attacker to achieve remote code execution via a crafted
> HTTP request. This vulnerability is triggered during request processing
> and may allow an attacker to corrupt heap memory, potentially leading to
> denial of service or arbitrary code execution.
>
> For more information, see:
> - https://nvd.nist.gov//vuln/detail/CVE-2025-55763
> - https://github.com/civetweb/civetweb/commit/76e222bcb77ba8452e5da4e82ae6cecd499c25e0
>
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>
Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks
> ---
> ...w-in-directory-URI-slash-redirection.patch | 56 +++++++++++++++++++
> package/civetweb/civetweb.mk | 3 +
> 2 files changed, 59 insertions(+)
> create mode 100644 package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
>
> diff --git a/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch b/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
> new file mode 100644
> index 0000000000..399fafb4bd
> --- /dev/null
> +++ b/package/civetweb/0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
> @@ -0,0 +1,56 @@
> +From 76e222bcb77ba8452e5da4e82ae6cecd499c25e0 Mon Sep 17 00:00:00 2001
> +From: krispybyte <krispybyte at proton.me>
> +Date: Sat, 21 Jun 2025 23:33:50 +0300
> +Subject: [PATCH] Fix heap overflow in directory URI slash redirection
> +
> +CVE: CVE-2025-55763
> +Upstream: https://github.com/civetweb/civetweb/commit/76e222bcb77ba8452e5da4e82ae6cecd499c25e0
> +[thomas: fix offset]
> +Signed-off-by: Thomas Perale <thomas.perale at mind.be>
> +---
> + src/civetweb.c | 23 ++++++++++++++++++-----
> + 1 file changed, 18 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/civetweb.c b/src/civetweb.c
> +index bbc9aa8be..e969c939f 100644
> +--- a/src/civetweb.c
> ++++ b/src/civetweb.c
> +@@ -15242,7 +15242,6 @@ handle_request(struct mg_connection *conn)
> + /* 12. Directory uris should end with a slash */
> + if (file.stat.is_directory && ((uri_len = (int)strlen(ri->local_uri)) > 0)
> + && (ri->local_uri[uri_len - 1] != '/')) {
> +-
> + /* Path + server root */
> + size_t buflen = UTF8_PATH_MAX * 2 + 2;
> + char *new_path;
> +@@ -15254,12 +15254,26 @@ handle_request(struct mg_connection *conn)
> + mg_send_http_error(conn, 500, "out or memory");
> + } else {
> + mg_get_request_link(conn, new_path, buflen - 1);
> +- strcat(new_path, "/");
> ++
> ++ size_t len = strlen(new_path);
> ++ if (len + 1 < buflen) {
> ++ new_path[len] = '/';
> ++ new_path[len + 1] = '\0';
> ++ len += 1;
> ++ }
> ++
> + if (ri->query_string) {
> +- /* Append ? and query string */
> +- strcat(new_path, "?");
> +- strcat(new_path, ri->query_string);
> ++ if (len + 1 < buflen) {
> ++ new_path[len] = '?';
> ++ new_path[len + 1] = '\0';
> ++ len += 1;
> ++ }
> ++
> ++ /* Append with size of space left for query string + null terminator */
> ++ size_t max_append = buflen - len - 1;
> ++ strncat(new_path, ri->query_string, max_append);
> + }
> ++
> + mg_send_http_redirect(conn, new_path, 301);
> + mg_free(new_path);
> + }
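Review bot: the bounded rewrite in the second hunk of src/civetweb.c removes the heap overflow but can now truncate the redirect target silently: when `len + 1 < buflen` is false the `?` separator is skipped, and `max_append = buflen - len - 1` then shortens or drops the query string, so the 301 Location may lose parameters with nothing reported to the client or the log. The arithmetic itself is sound (`strncat` writes at most `max_append` bytes plus the terminator, so the buffer stays within `buflen`), and since this is a verbatim upstream backport with only the offset adjusted (the `[thomas: fix offset]` marker), keeping it as-is is reasonable; a sentence in the patch description saying that over-long directory URIs now produce a truncated redirect instead of an error would help the next person debugging a lost query string. The blank-line removal in the first hunk is cosmetic and comes from upstream, so no action needed there.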
> diff --git a/package/civetweb/civetweb.mk b/package/civetweb/civetweb.mk
> index 629c1b59b2..af221e9133 100644
> --- a/package/civetweb/civetweb.mk
> +++ b/package/civetweb/civetweb.mk
> @@ -10,6 +10,9 @@ CIVETWEB_LICENSE = MIT
> CIVETWEB_LICENSE_FILES = LICENSE.md
> CIVETWEB_CPE_ID_VALID = YES
>
> +# 0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
> +CIVETWEB_IGNORE_CVES += CVE-2025-55763
> +
> CIVETWEB_CONF_OPTS = TARGET_OS=LINUX WITH_IPV6=1 \
> $(if $(BR2_INSTALL_LIBSTDCPP),WITH_CPP=1)
> CIVETWEB_COPT = -DHAVE_POSIX_FALLOCATE=0
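Review bot: adding `CIVETWEB_IGNORE_CVES += CVE-2025-55763` next to the patch is the right call, since `CIVETWEB_CPE_ID_VALID = YES` means the CVE would otherwise keep being reported for this version; the comment naming `0002-Fix-heap-overflow-in-directory-URI-slash-redirection.patch` follows the usual Buildroot convention and ties the two together. Just make sure both the ignore line and the patch file are dropped together on the next bump to a civetweb release that contains upstream commit 76e222bcb77ba8452e5da4e82ae6cecd499c25e0, otherwise the ignore will mask a CVE the package no longer needs to suppress.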
> --
> 2.51.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot