packages/lighttpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-41556

Browse Source 
(cherry picked from commit 7dcbb91215a9a271d1fdf68f6682909e5be803f8)
This commit is contained in:
emancipator 2022-10-13 09:45:04 +08:00 committed by openeuler-sync-bot
parent 6669d30626
commit c70cf27b8e
7 changed files with 47 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
CVE-2022-22707.patch
View File

@ -1,90 +0,0 @@
From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
From: povcfe <povcfe@qq.com>
Date: Wed, 5 Jan 2022 11:11:09 +0000
Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
(thx povcfe)
(edited: gstrauss)
There is a potential remote denial of service in lighttpd mod_extforward
under specific, non-default and uncommon 32-bit lighttpd mod_extforward
configurations.
Under specific, non-default and uncommon lighttpd mod_extforward
configurations, a remote attacker can trigger a 4-byte out-of-bounds
write of value '-1' to the stack. This is not believed to be exploitable
in any way beyond triggering a crash of the lighttpd server on systems
where the lighttpd server has been built 32-bit and with compiler flags
which enable a stack canary -- gcc/clang -fstack-protector-strong or
-fstack-protector-all, but bug not visible with only -fstack-protector.
With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
this bug has not been observed to cause adverse behavior, even with
gcc/clang -fstack-protector-strong.
For the bug to be reachable, the user must be using a non-default
lighttpd configuration which enables mod_extforward and configures
mod_extforward to accept and parse the "Forwarded" header from a trusted
proxy. At this time, support for RFC7239 Forwarded is not common in CDN
providers or popular web server reverse proxies. It bears repeating that
for the user to desire to configure lighttpd mod_extforward to accept
"Forwarded", the user must also be using a trusted proxy (in front of
lighttpd) which understands and actively modifies the "Forwarded" header
sent to lighttpd.
lighttpd natively supports RFC7239 "Forwarded"
hiawatha natively supports RFC7239 "Forwarded"
nginx can be manually configured to add a "Forwarded" header
https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
in front of another 32-bit lighttpd will detect and reject a malicious
"Forwarded" request header, thereby thwarting an attempt to trigger
this bug in an upstream 32-bit lighttpd.
The following servers currently do not natively support RFC7239 Forwarded:
nginx
apache2
caddy
node.js
haproxy
squid
varnish-cache
litespeed
Given the general dearth of support for RFC7239 Forwarded in popular
CDNs and web server reverse proxies, and given the prerequisites in
lighttpd mod_extforward needed to reach this bug, the number of lighttpd
servers vulnerable to this bug is estimated to be vanishingly small.
Large systems using reverse proxies are likely running 64-bit lighttpd,
which is not known to be adversely affected by this bug.
In the future, it is desirable for more servers to implement RFC7239
Forwarded. lighttpd developers would like to thank povcfe for reporting
this bug so that it can be fixed before more CDNs and web servers
implement RFC7239 Forwarded.
x-ref:
"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
https://redmine.lighttpd.net/issues/3134
(not yet written or published)
CVE-2022-22707
---
src/mod_extforward.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index 733231fd2..1a04befa6 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
while (s[i] == ' ' || s[i] == '\t') ++i;
if (s[i] == ';') { ++i; continue; }
if (s[i] == ',') {
- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
offsets[++j] = -1; /*("offset" separating params from next proxy)*/
++i;
continue;

31
CVE-2022-37797.patch
View File

@ -1,31 +0,0 @@
From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 13 Sep 2022 05:51:02 +0000
Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
x-ref:
"mod_wstunnel null pointer dereference"
https://redmine.lighttpd.net/issues/3165
---
src/mod_wstunnel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index 6d17d4d..97b89f0 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
hctx->conf = p->conf; /*(copies struct)*/
hybivers = wstunnel_check_request(r, hctx);
- if (hybivers < 0) return HANDLER_FINISHED;
+ if (hybivers < 0) {
+ r->handler_module = NULL;
+ return HANDLER_FINISHED;
+ }
hctx->hybivers = hybivers;
if (0 == hybivers) {
DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
--
2.33.0

68
lighttpd-1.4.56-defaultconf.patch
View File

@ -1,68 +0,0 @@
--- doc/config/lighttpd.conf.orig 2016-07-19 09:09:39.000000000 -0500
+++ doc/config/lighttpd.conf 2016-07-19 09:25:40.282577966 -0500
@@ -204,7 +204,9 @@
## By default lighttpd would not change the operation system default.
## But setting it to 2048 is a better default for busy servers.
##
-server.max-fds = 2048
+## With SELinux enabled, this is denied by default and needs to be allowed
+## by running the following once : setsebool -P httpd_setrlimit on
+#server.max-fds = 2048
##
## listen-backlog is the size of the listen() backlog queue requested when
--- doc/config/lighttpd.conf~ 2016-08-05 08:24:07.000000000 -0500
+++ doc/config/lighttpd.conf 2016-08-05 08:26:43.914683962 -0500
@@ -112,7 +112,7 @@
##
## Document root
##
-server.document-root = server_root + "/htdocs"
+server.document-root = server_root + "/lighttpd"
##
## The value for the "Server:" response field.
--- doc/config/lighttpd.conf~ 2016-06-28 12:32:10.000000000 -0500
+++ doc/config/lighttpd.conf 2016-06-28 12:41:50.478761160 -0500
@@ -67,7 +67,7 @@
## conf.d/fastcgi.conf
## conf.d/scgi.conf
##
-var.socket_dir = home_dir + "/sockets"
+var.socket_dir = state_dir + "/sockets"
##
#######################################################################
--- doc/config/lighttpd.conf~ 2020-04-27 10:48:12.000000000 -0500
+++ doc/config/lighttpd.conf 2020-04-27 10:55:12.145316446 -0500
@@ -90,7 +90,7 @@
##
## Use IPv6?
##
-server.use-ipv6 = "enable"
+#server.use-ipv6 = "enable"
##
## bind to a specific IP
--- doc/config/lighttpd.conf~ 2020-10-26 14:23:23.000000000 -0500
+++ doc/config/lighttpd.conf 2020-10-26 14:27:55.577840608 -0500
@@ -14,8 +14,8 @@
## chroot example aswell.
##
var.log_root = "/var/log/lighttpd"
-var.server_root = "/srv/www"
-var.state_dir = "/run"
+var.server_root = "/var/www"
+var.state_dir = "/var/run"
var.home_dir = "/var/lib/lighttpd"
var.conf_dir = "/etc/lighttpd"
@@ -438,7 +438,7 @@
##
## # Check your cipher list with: openssl ciphers -v '...'
## # (use single quotes as your shell won't like ! in double quotes)
-## #ssl.cipher-list = "HIGH" # default
+## #ssl.cipher-list = "PROFILE=SYSTEM"
##
## # (recommended to accept only TLSv1.2 and TLSv1.3)
## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

BIN
lighttpd-1.4.56.tar.gz
View File

Binary file not shown.

33
lighttpd-1.4.65-defaultconf.patch Normal file
View File

@ -0,0 +1,33 @@
--- doc/config/lighttpd.conf~ 2021-12-02 09:34:06.450352761 -0600
+++ doc/config/lighttpd.conf 2021-12-02 09:36:04.345770602 -0600
@@ -14,8 +14,8 @@
## chroot example as well.
##
var.log_root = "/var/log/lighttpd"
-var.server_root = "/srv/www"
-var.state_dir = "/run"
+var.server_root = "/var/www"
+var.state_dir = "/var/run"
var.home_dir = "/var/lib/lighttpd"
var.conf_dir = "/etc/lighttpd"
@@ -436,7 +436,7 @@
## # Check your cipher list with: openssl ciphers -v '...'
## # (use single quotes with: openssl ciphers -v '...'
## # as your shell won't like ! in double quotes)
-## #ssl.cipher-list = "HIGH" # default
+## #ssl.cipher-list = "PROFILE=SYSTEM"
##
## # (recommended to accept only TLSv1.2 and TLSv1.3)
## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default
--- doc/config/lighttpd.conf~ 2022-07-28 10:49:14.928564535 -0500
+++ doc/config/lighttpd.conf 2022-07-28 10:49:47.161444622 -0500
@@ -118,7 +118,7 @@
##
## Document root
##
-server.document-root = server_root + "/htdocs"
+server.document-root = server_root + "/lighttpd"
##
## The value for the "Server:" response field.

BIN
lighttpd-1.4.67.tar.xz Normal file
View File

Binary file not shown.

30
lighttpd.spec
View File

@ -7,7 +7,7 @@
%bcond_without openssl
%bcond_without kerberos5
%bcond_without pcre
%bcond_without fam
%bcond_with fam
%bcond_without lua
%bcond_without krb5
%bcond_without pam
@ -19,18 +19,16 @@
%bcond_without systemd
Summary: Lightning fast webserver with light system requirements
Name: lighttpd
Version: 1.4.56
Release: 2
Version: 1.4.67
Release: 1
License: BSD-3-Clause and OML and GPLv3 and GPLv2
URL: https://github.com/lighttpd/lighttpd1.4
Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz
Source1: lighttpd.logrotate
Source2: php.d-lighttpd.ini
Source3: lighttpd.init
Source4: lighttpd.service
Patch0: lighttpd-1.4.56-defaultconf.patch
Patch1: CVE-2022-22707.patch
Patch2: CVE-2022-37797.patch
Patch0: lighttpd-1.4.65-defaultconf.patch
Requires: %{name}-filesystem
%if %{with systemd}
Requires(post): systemd
@ -53,6 +51,12 @@ BuildRequires: /usr/bin/awk, libattr-devel
%{?with_memcache:BuildRequires: memcached-devel}
%{?with_lua:BuildRequires: lua-devel}
Provides: %{name}-mod_authn_mysql = %{version}-%{release}
Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1
Provides: %{name}-mod_mysql_vhost = %{version}-%{release}
Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1
%description
Secure, fast, compliant and very flexible web-server which has been optimized
for high-performance environments. It has a very low memory footprint compared
@ -108,8 +112,6 @@ for the directories.
%prep
%setup -q
%patch0 -p0 -b .defaultconf
%patch1 -p1
%patch2 -p1
%build
autoreconf -if
@ -195,7 +197,6 @@ fi
%config(noreplace) %{_sysconfdir}/lighttpd/*.conf
%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf
%exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
%exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
%config %{_sysconfdir}/lighttpd/conf.d/mod.template
%config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template
%config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd
@ -212,8 +213,6 @@ fi
%{_libdir}/lighttpd/
%exclude %{_libdir}/lighttpd/*.la
%exclude %{_libdir}/lighttpd/mod_fastcgi.so
%exclude %{_libdir}/lighttpd/mod_mysql_vhost.so
%exclude %{_libdir}/lighttpd/mod_authn_mysql.so
%exclude %{_libdir}/lighttpd/mod_authn_gssapi.so
%{_mandir}/man8/lighttpd*8*
@ -225,14 +224,10 @@ fi
%{_libdir}/lighttpd/mod_fastcgi.so
%files mod_mysql_vhost
%doc doc/outdated/mysqlvhost.txt
%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
%dir %{_libdir}/lighttpd/
%{_libdir}/lighttpd/mod_mysql_vhost.so
%files mod_authn_mysql
%dir %{_libdir}/lighttpd/
%{_libdir}/lighttpd/mod_authn_mysql.so
%files mod_authn_gssapi
%dir %{_libdir}/lighttpd/
@ -256,6 +251,9 @@ fi
%attr(0700, lighttpd, lighttpd) %dir %{webroot}/
%changelog
* Wed Oct 12 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1.4.67-1
- update to 1.4.67 to fix CVE-2022-41556
* Fri Sep 30 2022 yaoxin <yaoxin30@h-partners.com> - 1.4.56-2
- Fix excuting systemctl start lighttpd.service error