!34 fix CVE-2022-41556

From: @emancipator Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2022-10-13 08:23:49 +00:00 · 2022-10-13 08:23:49 +00:00 · 78c87dee67
commit 78c87dee67
parent ab99ce4241 8807666a0e
8 changed files with 26 additions and 232 deletions
--- a/CVE-2022-22707.patch
+++ b/CVE-2022-22707.patch
@ -1,90 +0,0 @@
 From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
 From: povcfe <povcfe@qq.com>
 Date: Wed, 5 Jan 2022 11:11:09 +0000
 Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
 (thx povcfe)
 (edited: gstrauss)
 There is a potential remote denial of service in lighttpd mod_extforward
 under specific, non-default and uncommon 32-bit lighttpd mod_extforward
 configurations.
 Under specific, non-default and uncommon lighttpd mod_extforward
 configurations, a remote attacker can trigger a 4-byte out-of-bounds
 write of value '-1' to the stack. This is not believed to be exploitable
 in any way beyond triggering a crash of the lighttpd server on systems
 where the lighttpd server has been built 32-bit and with compiler flags
 which enable a stack canary -- gcc/clang -fstack-protector-strong or
 -fstack-protector-all, but bug not visible with only -fstack-protector.
 With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
 this bug has not been observed to cause adverse behavior, even with
 gcc/clang -fstack-protector-strong.
 For the bug to be reachable, the user must be using a non-default
 lighttpd configuration which enables mod_extforward and configures
 mod_extforward to accept and parse the "Forwarded" header from a trusted
 proxy. At this time, support for RFC7239 Forwarded is not common in CDN
 providers or popular web server reverse proxies. It bears repeating that
 for the user to desire to configure lighttpd mod_extforward to accept
 "Forwarded", the user must also be using a trusted proxy (in front of
 lighttpd) which understands and actively modifies the "Forwarded" header
 sent to lighttpd.
 lighttpd natively supports RFC7239 "Forwarded"
 hiawatha natively supports RFC7239 "Forwarded"
 nginx can be manually configured to add a "Forwarded" header
 https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
 A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
 in front of another 32-bit lighttpd will detect and reject a malicious
 "Forwarded" request header, thereby thwarting an attempt to trigger
 this bug in an upstream 32-bit lighttpd.
 The following servers currently do not natively support RFC7239 Forwarded:
 nginx
 apache2
 caddy
 node.js
 haproxy
 squid
 varnish-cache
 litespeed
 Given the general dearth of support for RFC7239 Forwarded in popular
 CDNs and web server reverse proxies, and given the prerequisites in
 lighttpd mod_extforward needed to reach this bug, the number of lighttpd
 servers vulnerable to this bug is estimated to be vanishingly small.
 Large systems using reverse proxies are likely running 64-bit lighttpd,
 which is not known to be adversely affected by this bug.
 In the future, it is desirable for more servers to implement RFC7239
 Forwarded.  lighttpd developers would like to thank povcfe for reporting
 this bug so that it can be fixed before more CDNs and web servers
 implement RFC7239 Forwarded.
 x-ref:
  "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
  https://redmine.lighttpd.net/issues/3134
  (not yet written or published)
  CVE-2022-22707
 ---
 src/mod_extforward.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/mod_extforward.c b/src/mod_extforward.c
 index 733231fd2..1a04befa6 100644
 --- a/src/mod_extforward.c
 +++ b/src/mod_extforward.c
@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
         while (s[i] == ' ' || s[i] == '\t') ++i;
         if (s[i] == ';') { ++i; continue; }
         if (s[i] == ',') {
 -            if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
 +            if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
             offsets[++j] = -1; /*("offset" separating params from next proxy)*/
             ++i;
             continue;
--- a/CVE-2022-37797.patch
+++ b/CVE-2022-37797.patch
@ -1,31 +0,0 @@
 From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Tue, 13 Sep 2022 05:51:02 +0000
 Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
 x-ref:
  "mod_wstunnel null pointer dereference"
  https://redmine.lighttpd.net/issues/3165
 ---
 src/mod_wstunnel.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
 index 6d17d4d..97b89f0 100644
 --- a/src/mod_wstunnel.c
 +++ b/src/mod_wstunnel.c
@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
     hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
     hctx->conf = p->conf; /*(copies struct)*/
     hybivers = wstunnel_check_request(r, hctx);
 -    if (hybivers < 0) return HANDLER_FINISHED;
 +    if (hybivers < 0) {
 +        r->handler_module = NULL;
 +        return HANDLER_FINISHED;
 +    }
     hctx->hybivers = hybivers;
     if (0 == hybivers) {
         DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
 -- 
 2.33.0
--- a/fix-loading-mod_auth-after-dynamic-modules.patch
+++ b/fix-loading-mod_auth-after-dynamic-modules.patch
@ -1,62 +0,0 @@
 From 492773a20f8a1deb1c94e25d40023970dd9608a1 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Sun, 5 Dec 2021 07:50:17 -0500
 Subject: [PATCH] [core] fix trace issued for loading mod_auth (fixes #3121)
 Origin:https://github.com/lighttpd/lighttpd1.4/commit/492773a20f8a1deb1c94e25d40023970dd9608a1
 fix trace issued for loading mod_auth after dynamic modules
 x-ref:
  "Curious message on startup with version 1.4.63"
  https://redmine.lighttpd.net/boards/2/topics/10182
  "mod_auth warning on startup"
  https://redmine.lighttpd.net/issues/3121
 ---
 src/configfile.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
 diff --git a/src/configfile.c b/src/configfile.c
 index 5760bb43..033f2c46 100644
 --- a/src/configfile.c
 +++ b/src/configfile.c
@@ -369,6 +369,7 @@ static void config_compat_module_load (server *srv) {
     int contains_mod_auth      = 0;
     int prepend_mod_auth       = 0;
     int prepend_mod_vhostdb    = 0;
 +    const char *dyn_name = NULL;
     for (uint32_t i = 0; i < srv->srvconf.modules->used; ++i) {
         buffer *m = &((data_string *)srv->srvconf.modules->data[i])->value;
@@ -390,8 +391,15 @@ static void config_compat_module_load (server *srv) {
         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_wolfssl")))
             append_mod_openssl = 0;
         else if (0 == strncmp(m->ptr, "mod_auth", sizeof("mod_auth")-1)) {
 -            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth")))
 -                contains_mod_auth = 1;
 +            if (buffer_eq_slen(m, CONST_STR_LEN("mod_auth"))) {
 +                if (!contains_mod_auth) {
 +                    contains_mod_auth = 1;
 +                    if (dyn_name)
 +                        log_error(srv->errh, __FILE__, __LINE__,
 +                          "Warning: mod_auth should be listed in server.modules"
 +                          " before dynamic backends such as %s", dyn_name);
 +                }
 +            }
             else if (!contains_mod_auth)
                 prepend_mod_auth = 1;
@@ -422,11 +430,8 @@ static void config_compat_module_load (server *srv) {
                                          sizeof("mod_sockproxy")-1)
                  || 0 == strncmp(m->ptr, "mod_wstunnel",
                                          sizeof("mod_wstunnel")-1)) {
 -            if (!contains_mod_auth) {
 -                log_error(srv->errh, __FILE__, __LINE__,
 -                  "Warning: mod_auth should be listed in server.modules before "
 -                  "dynamic backends such as %s", m->ptr);
 -            }
 +            if (NULL == dyn_name)
 +                dyn_name = m->ptr;
         }
     }
--- a/lighttpd-1.4.63.tar.gz
+++ b/lighttpd-1.4.63.tar.gz
--- a/lighttpd-1.4.65-defaultconf.patch
+++ b/lighttpd-1.4.65-defaultconf.patch
@ -20,3 +20,14 @@
 ##
 ##   # (recommended to accept only TLSv1.2 and TLSv1.3)
 ##   #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")  # default
 --- doc/config/lighttpd.conf~	2022-07-28 10:49:14.928564535 -0500
 +++ doc/config/lighttpd.conf	2022-07-28 10:49:47.161444622 -0500
@@ -118,7 +118,7 @@
 ##
 ## Document root
 ##
 -server.document-root = server_root + "/htdocs"
 +server.document-root = server_root + "/lighttpd"
 ##
 ## The value for the "Server:" response field.
--- a/lighttpd-1.4.67.tar.xz
+++ b/lighttpd-1.4.67.tar.xz
--- a/lighttpd.spec
+++ b/lighttpd.spec
@ -7,7 +7,7 @@
 %bcond_without openssl
 %bcond_without kerberos5
 %bcond_without pcre
-%bcond_with    fam
+%bcond_with fam
 %bcond_without lua
 %bcond_without krb5
 %bcond_without pam
@ -19,20 +19,16 @@
 %bcond_without systemd
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
-Version:             1.4.63
+Version:             1.4.67
-Release:             5
+Release:             1
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
-Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
+Source0:             http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.xz
 Source1:             lighttpd.logrotate
 Source2:             php.d-lighttpd.ini
 Source3:             lighttpd.init
 Source4:             lighttpd.service
-Patch0:              lighttpd-1.4.62-defaultconf.patch
+Patch0:              lighttpd-1.4.65-defaultconf.patch
 Patch1:              make-setrlimit-warn-not-fatal.patch
 Patch2:              fix-loading-mod_auth-after-dynamic-modules.patch
 Patch3:              CVE-2022-22707.patch
 Patch4:              CVE-2022-37797.patch
 Requires:            %{name}-filesystem
 %if %{with systemd}
 Requires(post):      systemd
@ -55,6 +51,12 @@ BuildRequires:       /usr/bin/awk, libattr-devel
 %{?with_memcache:BuildRequires: memcached-devel}
 %{?with_lua:BuildRequires: lua-devel}
 Provides: %{name}-mod_authn_mysql = %{version}-%{release}
 Obsoletes: %{name}-mod_authn_mysql <= 1.4.63-1
 Provides: %{name}-mod_mysql_vhost = %{version}-%{release}
 Obsoletes: %{name}-mod_mysql_vhost <= 1.4.63-1
 %description
 Secure, fast, compliant and very flexible web-server which has been optimized
 for high-performance environments. It has a very low memory footprint compared
@ -110,10 +112,6 @@ for the directories.
 %prep
 %setup -q
 %patch0 -p0 -b .defaultconf
 %patch1 -p1 -b .setrlimit
 %patch2 -p1 -b .fixtrace
 %patch3 -p1
 %patch4 -p1
 %build
 autoreconf -if
@ -199,7 +197,6 @@ fi
 %config(noreplace) %{_sysconfdir}/lighttpd/*.conf
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/*.conf
 %exclude %{_sysconfdir}/lighttpd/conf.d/fastcgi.conf
 %exclude %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
 %config %{_sysconfdir}/lighttpd/conf.d/mod.template
 %config %{_sysconfdir}/lighttpd/vhosts.d/vhosts.template
 %config(noreplace) %{_sysconfdir}/logrotate.d/lighttpd
@ -216,8 +213,6 @@ fi
 %{_libdir}/lighttpd/
 %exclude %{_libdir}/lighttpd/*.la
 %exclude %{_libdir}/lighttpd/mod_fastcgi.so
 %exclude %{_libdir}/lighttpd/mod_mysql_vhost.so
 %exclude %{_libdir}/lighttpd/mod_authn_mysql.so
 %exclude %{_libdir}/lighttpd/mod_authn_gssapi.so
 %{_mandir}/man8/lighttpd*8*
@ -229,14 +224,10 @@ fi
 %{_libdir}/lighttpd/mod_fastcgi.so
 %files mod_mysql_vhost
 %doc doc/outdated/mysqlvhost.txt
 %config(noreplace) %{_sysconfdir}/lighttpd/conf.d/mysql_vhost.conf
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_mysql_vhost.so
 %files mod_authn_mysql
 %dir %{_libdir}/lighttpd/
 %{_libdir}/lighttpd/mod_authn_mysql.so
 %files mod_authn_gssapi
 %dir %{_libdir}/lighttpd/
@ -260,6 +251,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 %changelog
 * Wed Oct 12 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1.4.67-1
 - update to 1.4.67 to fix CVE-2022-41556
 * Tue Sep 13 2022 cenhuilin <cenhuilin@kylinos.cn> - 1.4.63-5
 - Fix CVE-2022-37797
@ -283,3 +277,4 @@ fi
 * Fri Jan 8 2021 chengzihan <chengzihan2@huawei.com> - 1.4.53-1
 - Package init
--- a/make-setrlimit-warn-not-fatal.patch
+++ b/make-setrlimit-warn-not-fatal.patch
@ -1,29 +0,0 @@
 From 5a257fab511225bbfa56b4f1a8b2bb7085f96478 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Wed, 8 Dec 2021 18:42:31 -0500
 Subject: [PATCH] [core] make setrlimit() warn, not fatal
 Origin:https://github.com/lighttpd/lighttpd1.4/commit/5a257fab511225bbfa56b4f1a8b2bb7085f96478
 (thx limb)
 make setrlimit() issue warning on error, not fatal,
 and add suggesting to configure SELinux permissions
 ---
 src/server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/server.c b/src/server.c
 index f2ff7b73..beca364a 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -1357,7 +1357,8 @@ static int server_main_setup (server * const srv, int argc, char **argv) {
 			if (0 != setrlimit(RLIMIT_NOFILE, &rlim)) {
 				log_perror(srv->errh, __FILE__, __LINE__, "setrlimit()");
 -				return -1;
 +				log_error(srv->errh, __FILE__, __LINE__, "setrlimit() may need root to run once: setsebool -P httpd_setrlimit on");
 +				use_rlimit = 0;
 			}
 		}