!36 [sync] PR-35: fix CVE-2022-41556

From: @openeuler-sync-bot 
Reviewed-by: @zengwefeng 
Signed-off-by: @zengwefeng

lighttpd-1.4.65-defaultconf.patch

@@ -0,0 +1,33 @@
+--- doc/config/lighttpd.conf~	2021-12-02 09:34:06.450352761 -0600
++++ doc/config/lighttpd.conf	2021-12-02 09:36:04.345770602 -0600
+@@ -14,8 +14,8 @@
+ ## chroot example as well.
+ ##
+ var.log_root    = "/var/log/lighttpd"
+-var.server_root = "/srv/www"
+-var.state_dir   = "/run"
++var.server_root = "/var/www"
++var.state_dir   = "/var/run"
+ var.home_dir    = "/var/lib/lighttpd"
+ var.conf_dir    = "/etc/lighttpd"
+ 
+@@ -436,7 +436,7 @@
+ ##   # Check your cipher list with: openssl ciphers -v '...'
+ ##   # (use single quotes with: openssl ciphers -v '...'
+ ##   #  as your shell won't like ! in double quotes)
+-##   #ssl.cipher-list            = "HIGH"   # default
++##   #ssl.cipher-list            = "PROFILE=SYSTEM"
+ ##
+ ##   # (recommended to accept only TLSv1.2 and TLSv1.3)
+ ##   #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")  # default
+--- doc/config/lighttpd.conf~	2022-07-28 10:49:14.928564535 -0500
++++ doc/config/lighttpd.conf	2022-07-28 10:49:47.161444622 -0500
+@@ -118,7 +118,7 @@
+ ##
+ ## Document root
+ ##
+-server.document-root = server_root + "/htdocs"
++server.document-root = server_root + "/lighttpd"
+ 
+ ##
+ ## The value for the "Server:" response field.

lighttpd.init

@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# lighttpd     Lightning fast webserver with light system requirements
+#
+# chkconfig:   - 85 15
+# description: Secure, fast, compliant and very flexible web-server which has \
+#              been optimized for high-performance environments. It has a \
+#              very low memory footprint compared to other web servers and \
+#              takes care of cpu-load.
+
+### BEGIN INIT INFO
+# Provides: httpd
+# Required-Start: $local_fs $network
+# Required-Stop: $local_fs $network
+# Should-Start: $named
+# Should-Stop: $named
+# Default-Start: 
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: Lightning fast webserver with light system requirements
+# Description:       Secure, fast, compliant and very flexible web-server which
+#                    has been optimized for high-performance environments. It
+#                    has a very low memory footprint compared to other web
+#                    servers and takes care of cpu-load.
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+exec="/usr/sbin/lighttpd"
+prog="lighttpd"
+config="/etc/lighttpd/lighttpd.conf"
+
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+    [ -x $exec ] || exit 5
+    [ -f $config ] || exit 6
+    echo -n $"Starting $prog: "
+    daemon $exec -f $config
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && touch $lockfile
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping $prog: "
+    killproc $prog
+    retval=$?
+    echo
+    [ $retval -eq 0 ] && rm -f $lockfile
+    return $retval
+}
+
+restart() {
+    stop
+    start
+}
+
+reload() {
+    echo -n $"Reloading $prog: "
+    killproc $prog -HUP
+    retval=$?
+    echo
+    return $retval
+}
+
+force_reload() {
+    restart
+}
+
+rh_status() {
+    status $prog
+}
+
+rh_status_q() {
+    rh_status &>/dev/null
+}
+
+
+case "$1" in
+    start)
+        rh_status_q && exit 0
+        $1
+        ;;
+    stop)
+        rh_status_q || exit 0
+        $1
+        ;;
+    restart)
+        $1
+        ;;
+    reload)
+        rh_status_q || exit 7
+        $1
+        ;;
+    force-reload)
+        force_reload
+        ;;
+    status)
+        rh_status
+        ;;
+    condrestart|try-restart)
+        rh_status_q || exit 0
+        restart
+        ;;
+    *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+        exit 2
+esac
+exit $?
+

lighttpd.logrotate

@@ -0,0 +1,8 @@
+/var/log/lighttpd/*log {
+    missingok
+    notifempty
+    sharedscripts
+    postrotate
+        /usr/bin/killall -HUP lighttpd &>/dev/null || :
+    endscript
+}

lighttpd.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Lightning Fast Webserver With Light System Requirements
+After=syslog.target network.target
+
+[Service]
+PIDFile=/var/run/lighttpd.pid
+EnvironmentFile=-/etc/sysconfig/lighttpd
+ExecStart=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
+
+[Install]
+WantedBy=multi-user.target
+

lighttpd.spec

@@ -0,0 +1,267 @@
+%define webroot /var/www/lighttpd
+%global _hardened_build 1
+%define confswitch() %{expand:%%{?with_%{1}:--with-%{1}}%%{!?with_%{1}:--without-%{1}}}
+%bcond_without mysql
+%bcond_without ldap
+%bcond_without attr
+%bcond_without openssl
+%bcond_without kerberos5
+%bcond_without pcre
+%bcond_with fam
+%bcond_without lua
+%bcond_without krb5
+%bcond_without pam
+%bcond_with    webdavprops
+%bcond_with    webdavlocks
+%bcond_without gdbm
+%bcond_with    memcache
+%bcond_without tmpfiles
+%bcond_without systemd
+Summary:             Lightning fast webserver with light system requirements
+Name:                lighttpd
+Version:             1.4.67
+Release:             1
+License:             BSD-3-Clause and OML and GPLv3 and GPLv2
+URL:                 https://github.com/lighttpd/lighttpd1.4
+Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz
+Source1:             lighttpd.logrotate
+Source2:             php.d-lighttpd.ini
+Source3:             lighttpd.init
+Source4:             lighttpd.service
+Patch0:              lighttpd-1.4.65-defaultconf.patch
+Requires:            %{name}-filesystem
+%if %{with systemd}
+Requires(post):      systemd
+Requires(preun):     systemd
+Requires(postun):    systemd
+BuildRequires:       systemd
+%else
+Requires(post):      /sbin/chkconfig
+Requires(preun):     /sbin/service, /sbin/chkconfig
+Requires(postun):    /sbin/service
+%endif
+Provides:            webserver
+BuildRequires:       openssl-devel, pcre-devel, bzip2-devel, zlib-devel, autoconf, automake, libtool
+BuildRequires:       /usr/bin/awk, libattr-devel
+%{?with_ldap:BuildRequires: openldap-devel}
+%{?with_fam:BuildRequires: gamin-devel}
+%{?with_webdavprops:BuildRequires: libxml2-devel}
+%{?with_webdavlocks:BuildRequires: sqlite-devel}
+%{?with_gdbm:BuildRequires: gdbm-devel}
+%{?with_memcache:BuildRequires: memcached-devel}
+%{?with_lua:BuildRequires: lua-devel}
+
+Provides: %{name}-mod_authn_mysql = %{version}-%{release}
+Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1
+ 
+Provides: %{name}-mod_mysql_vhost = %{version}-%{release}
+Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1
+
+%description
+Secure, fast, compliant and very flexible web-server which has been optimized
+for high-performance environments. It has a very low memory footprint compared
+to other webservers and takes care of cpu-load. Its advanced feature-set
+(FastCGI, CGI, Auth, Output-Compression, URL-Rewriting and many more) make
+it the perfect webserver-software for every server that is suffering load
+problems.
+
+%package fastcgi
+Summary:             FastCGI module and spawning helper for lighttpd and PHP configuration
+Requires:            %{name} = %{version}-%{release} spawn-fcgi
+%description fastcgi
+This package contains the spawn-fcgi helper for lighttpd's automatic spawning
+of local FastCGI programs. Included is also a PHP .ini file to change a few
+defaults needed for correct FastCGI behavior.
+
+%package mod_mysql_vhost
+Summary:             Virtual host module for lighttpd that uses a MySQL database
+Requires:            %{name} = %{version}-%{release}
+BuildRequires:       mariadb-connector-c-devel
+%description mod_mysql_vhost
+Virtual host module for lighttpd that uses a MySQL database.
+
+%package mod_authn_mysql
+Summary:             Authentication module for lighttpd that uses a MySQL database
+Requires:            %{name} = %{version}-%{release}
+BuildRequires:       mariadb-connector-c-devel
+%description mod_authn_mysql
+Authentication module for lighttpd that uses a MySQL database.
+
+%package mod_authn_gssapi
+Summary:             Authentication module for lighttpd that uses GSSAPI
+Requires:            %{name} = %{version}-%{release}
+%description mod_authn_gssapi
+Authentication module for lighttpd that uses GSSAPI
+
+%package mod_authn_pam
+Summary:             Authentication module for lighttpd that uses PAM
+Requires:            %{name} = %{version}-%{release}
+BuildRequires:       pam-devel
+%description mod_authn_pam
+Authentication module for lighttpd that uses PAM.
+
+%package filesystem
+Summary:             The basic directory layout for lighttpd
+BuildArch:           noarch
+Requires(pre): /usr/sbin/useradd
+%description filesystem
+The lighttpd-filesystem package contains the basic directory layout
+for the lighttpd server including the correct permissions
+for the directories.
+
+%prep
+%setup -q
+%patch0 -p0 -b .defaultconf
+
+%build
+autoreconf -if
+%configure \
+    --libdir='%{_libdir}/lighttpd' \
+    %{confswitch mysql} \
+    %{confswitch pam} \
+    %{confswitch ldap} \
+    %{confswitch attr} \
+    %{confswitch openssl} \
+    %{confswitch pcre} \
+    %{confswitch fam} \
+    %{?with_webdavprops:--with-webdav-props} \
+    %{?with_webdavlocks:--with-webdav-locks} \
+    %{confswitch gdbm} \
+    %{confswitch memcached} \
+    %{confswitch lua} \
+    %{confswitch krb5}
+make %{?_smp_mflags}
+
+%install
+make install DESTDIR=%{buildroot}
+install -D -p -m 0644 %{SOURCE1} \
+    %{buildroot}%{_sysconfdir}/logrotate.d/lighttpd
+install -D -p -m 0644 %{SOURCE2} \
+    %{buildroot}%{_sysconfdir}/php.d/lighttpd.ini
+%if %{with systemd}
+install -D -p -m 0644 %{SOURCE4} \
+    %{buildroot}%{_unitdir}/lighttpd.service
+%else
+install -D -p -m 0755 %{SOURCE3} \
+    %{buildroot}%{_sysconfdir}/rc.d/init.d/lighttpd
+%endif
+mkdir -p %{buildroot}%{webroot}
+rm -rf config
+cp -a doc/config config
+find config -name 'Makefile*' | xargs rm -f
+chmod -x doc/scripts/*.sh
+mkdir -p %{buildroot}%{_sysconfdir}/lighttpd
+cp -a config/*.conf config/*.d %{buildroot}%{_sysconfdir}/lighttpd/
+mkdir -p %{buildroot}%{_var}/log/lighttpd
+mkdir -p %{buildroot}%{_var}/run/lighttpd
+%if %{with tmpfiles}
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
+echo 'D /var/run/lighttpd 0750 lighttpd lighttpd -' > \
+    %{buildroot}%{_sysconfdir}/tmpfiles.d/lighttpd.conf
+%endif
+
+%pre filesystem
+/usr/sbin/useradd -s /sbin/nologin -M -r -d %{webroot} \
+    -c 'lighttpd web server' lighttpd &>/dev/null || :
+
+%post
+%if %{with systemd}
+%systemd_post lighttpd.service
+%else
+/sbin/chkconfig --add lighttpd
+%endif
+
+%preun
+%if %{with systemd}
+%systemd_preun lighttpd.service
+%else
+if [ $1 -eq 0 ]; then
+    /sbin/service lighttpd stop &>/dev/null || :
+    /sbin/chkconfig --del lighttpd
+fi
+%endif
+
+%postun
+%if %{with systemd}
+%systemd_postun_with_restart lighttpd.service
+%else
+if [ $1 -ge 1 ]; then
+    /sbin/service lighttpd condrestart &>/dev/null || :
+fi
+%endif
+
+%files
+%license COPYING
+%doc AUTHORS README
+%doc config/ doc/scripts/rrdtool-graph.sh
+%config(noreplace) %{_sysconfdir}/lighttpd/*.conf
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf
+%exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
+%config %{_sysconfdir}/lighttpd/conf.d/mod.template
+%config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template
+%config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd
+%if %{with systemd}
+%{_unitdir}/lighttpd.service
+%else
+%{_sysconfdir}/rc.d/init.d/lighttpd
+%endif
+%if %{with tmpfiles}
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/lighttpd.conf
+%endif
+%{_sbindir}/lighttpd
+%{_sbindir}/lighttpd-angel
+%{_libdir}/lighttpd/
+%exclude %{_libdir}/lighttpd/*.la
+%exclude %{_libdir}/lighttpd/mod_fastcgi.so
+%exclude %{_libdir}/lighttpd/mod_authn_gssapi.so
+%{_mandir}/man8/lighttpd*8*
+
+%files fastcgi
+%doc doc/outdated/fastcgi*.txt doc/scripts/spawn-php.sh
+%config(noreplace) %{_sysconfdir}/php.d/lighttpd.ini
+%config(noreplace) %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_fastcgi.so
+
+%files mod_mysql_vhost
+%dir %{_libdir}/lighttpd/
+
+%files mod_authn_mysql
+%dir %{_libdir}/lighttpd/
+
+%files mod_authn_gssapi
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_authn_gssapi.so
+
+%files mod_authn_pam
+%dir %{_libdir}/lighttpd/
+%{_libdir}/lighttpd/mod_authn_pam.so
+
+%files filesystem
+%dir %{_sysconfdir}/lighttpd/
+%dir %{_sysconfdir}/lighttpd/conf.d/
+%dir %{_sysconfdir}/lighttpd/vhosts.d/
+%dir %{_var}/run/lighttpd/
+%if %{with tmpfiles}
+%ghost %attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
+%else
+%attr(0750, lighttpd, lighttpd) %{_var}/run/lighttpd/
+%endif
+%attr(0750, lighttpd, lighttpd) %{_var}/log/lighttpd/
+%attr(0700, lighttpd, lighttpd) %dir %{webroot}/
+
+%changelog
+* Wed Oct 12 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1.4.67-1
+- update to 1.4.67 to fix CVE-2022-41556
+
+* Fri Sep 30 2022 yaoxin <yaoxin30@h-partners.com> - 1.4.56-2
+- Fix excuting systemctl start lighttpd.service error
+
+* Wed Sep 21 2022 yaoxin <yaoxin30@h-partners.com> - 1.4.56-1
+- Update to 1.4.56 and fix CVE-2022-37797
+
+* Fri Jan 14 2022 yaoxin <yaoxin30@huawei.com> - 1.4.53-2
+- Fix CVE-2022-22707
+
+* Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 1.4.53-1
+- Package init

lighttpd.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: lighttpd/lighttpd1.4
+tag_prefix: "lighttpd-"
+separator: .

php.d-lighttpd.ini

@@ -0,0 +1,3 @@
+; Required so that PHP_SELF gets set correctly when using PHP through
+; FastCGI with lighttpd (see main php.ini for more about this option)
+cgi.fix_pathinfo = 1