packages/lighttpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-37797

Browse Source
This commit is contained in:
cenhuilin 2022-09-13 06:17:20 +00:00
parent 43884232ed
commit f130c95ba3
2 changed files with 37 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CVE-2022-37797.patch Normal file
View File

@ -0,0 +1,31 @@
From a8f7ea10802f6363146e11e2552177bc1e5a6e12 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 13 Sep 2022 05:51:02 +0000
Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
x-ref:
"mod_wstunnel null pointer dereference"
https://redmine.lighttpd.net/issues/3165
---
src/mod_wstunnel.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index 6d17d4d..97b89f0 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
hctx->conf = p->conf; /*(copies struct)*/
hybivers = wstunnel_check_request(r, hctx);
- if (hybivers < 0) return HANDLER_FINISHED;
+ if (hybivers < 0) {
+ r->handler_module = NULL;
+ return HANDLER_FINISHED;
+ }
hctx->hybivers = hybivers;
if (0 == hybivers) {
DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
--
2.33.0

7
lighttpd.spec
View File

@ -20,7 +20,7 @@
Summary: Lightning fast webserver with light system requirements Summary: Lightning fast webserver with light system requirements
Name: lighttpd Name: lighttpd
Version: 1.4.63 Version: 1.4.63
Release: 4 Release: 5
License: BSD-3-Clause and OML and GPLv3 and GPLv2 License: BSD-3-Clause and OML and GPLv3 and GPLv2
URL: https://github.com/lighttpd/lighttpd1.4 URL: https://github.com/lighttpd/lighttpd1.4
Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-%{version}.tar.gz
@ -32,6 +32,7 @@ Patch0: lighttpd-1.4.62-defaultconf.patch
Patch1: make-setrlimit-warn-not-fatal.patch Patch1: make-setrlimit-warn-not-fatal.patch
Patch2: fix-loading-mod_auth-after-dynamic-modules.patch Patch2: fix-loading-mod_auth-after-dynamic-modules.patch
Patch3: CVE-2022-22707.patch Patch3: CVE-2022-22707.patch
Patch4: CVE-2022-37797.patch
Requires: %{name}-filesystem Requires: %{name}-filesystem
%if %{with systemd} %if %{with systemd}
Requires(post): systemd Requires(post): systemd
@ -112,6 +113,7 @@ for the directories.
%patch1 -p1 -b .setrlimit %patch1 -p1 -b .setrlimit
%patch2 -p1 -b .fixtrace %patch2 -p1 -b .fixtrace
%patch3 -p1 %patch3 -p1
%patch4 -p1
%build %build
autoreconf -if autoreconf -if
@ -258,6 +260,9 @@ fi
%attr(0700, lighttpd, lighttpd) %dir %{webroot}/ %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
%changelog %changelog
* Tue Sep 13 2022 cenhuilin <cenhuilin@kylinos.cn> - 1.4.63-5
- Fix CVE-2022-37797
* Fri Mar 11 2022 baizhonggui <baizhonggui@huawei.com> - 1.4.63-4 * Fri Mar 11 2022 baizhonggui <baizhonggui@huawei.com> - 1.4.63-4
- Modify var.state_dir path from /etc/lighttpd/lighttpd.conf in lighttpd-1.4.62-defaultconf.patch - Modify var.state_dir path from /etc/lighttpd/lighttpd.conf in lighttpd-1.4.62-defaultconf.patch