Project

General

Profile

Actions
Copy link

Security #6757

closed

libhtp: quadratic complexity checking after request line missing protocol

Added by Philippe Antoine 9 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
6.0.16, 7.0.3, git master
Label:
CVE:
2024-28871
Git IDs:
Severity:
CRITICAL
Disclosure Date:
05/08/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66559

Introduced by https://github.com/OISF/libhtp/commit/bf618ec7f243cebfb0f7e84c3cb158955cb32b4d

Subtasks 2 (0 open2 closed)

Security #6758: libhtp: quadratic complexity checking after request line mission protocol (6.0.x backport)ClosedPhilippe AntoineActions
Security #6759: libhtp: quadratic complexity checking after request line mission protocol (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 2 (0 open2 closed)

Related to Suricata - Task #6769: libhtp 0.5.47ClosedVictor JulienActions
Related to Suricata - Feature #6856: http: anomaly when request line is missing protocolClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by OISF Ticketbot 9 months ago

  • Subtask #6758 added
Actions
Copy link
 #2

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 6.0)
Actions
Copy link
 #3

Updated by OISF Ticketbot 9 months ago

  • Subtask #6759 added
Actions
Copy link
 #4

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #5

Updated by Philippe Antoine 9 months ago

  • Status changed from New to In Review
  • Label Needs backport to 6.0, Needs backport to 7.0 added

Gitlab MR

Actions
Copy link
 #6

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 6.0)
Actions
Copy link
 #7

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
Actions
Copy link
 #8

Updated by Philippe Antoine 9 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Disclosure Date set to 05/08/2024
Actions
Copy link
 #9

Updated by Philippe Antoine 9 months ago

Actions
Copy link
 #10

Updated by Victor Julien 8 months ago

  • Subject changed from libhtp: quadratic complexity checking after request line mission protocol to libhtp: quadratic complexity checking after request line missing protocol
Actions
Copy link
 #11

Updated by Victor Julien 8 months ago

  • Severity changed from MODERATE to CRITICAL
Actions
Copy link
 #12

Updated by Philippe Antoine 8 months ago

  • Related to Feature #6856: http: anomaly when request line is missing protocol added
Actions
Copy link
 #13

Updated by Victor Julien 8 months ago

  • CVE set to 2024-28871
Actions
Copy link

Also available in: Atom PDF