author: Ross Burton <ross@burtonini.com> 2022-01-17 11:20:56 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-01-17 17:56:46 +0000
commit: 3b52dee71be3ef6a34d934a7e09e284d9099f8d2
tree: 0ac79b4f43016122a3e8757a6e85ce503d4742db
parent: 40c56a5019f721babb920008cbbeadcacdc1e05f
lighttpd: backport a fix for CVE-2022-22707
Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward.

(From OE-Core rev: 7758596613cc442f647fd4625b36532f30e6129f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch | 97
-rw-r--r-- meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb | 1
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
new file mode 100644
index 0000000000..f4e93d1065
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,97 @@
1Upstream-Status: Backport
2CVE: CVE-2022-22707
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
6From: povcfe <povcfe@qq.com>
7Date: Wed, 5 Jan 2022 11:11:09 +0000
8Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
9
10(thx povcfe)
11
12(edited: gstrauss)
13
14There is a potential remote denial of service in lighttpd mod_extforward
15under specific, non-default and uncommon 32-bit lighttpd mod_extforward
16configurations.
17
18Under specific, non-default and uncommon lighttpd mod_extforward
19configurations, a remote attacker can trigger a 4-byte out-of-bounds
20write of value '-1' to the stack. This is not believed to be exploitable
21in any way beyond triggering a crash of the lighttpd server on systems
22where the lighttpd server has been built 32-bit and with compiler flags
23which enable a stack canary -- gcc/clang -fstack-protector-strong or
24-fstack-protector-all, but bug not visible with only -fstack-protector.
25
26With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
27this bug has not been observed to cause adverse behavior, even with
28gcc/clang -fstack-protector-strong.
29
30For the bug to be reachable, the user must be using a non-default
31lighttpd configuration which enables mod_extforward and configures
32mod_extforward to accept and parse the "Forwarded" header from a trusted
33proxy. At this time, support for RFC7239 Forwarded is not common in CDN
34providers or popular web server reverse proxies. It bears repeating that
35for the user to desire to configure lighttpd mod_extforward to accept
36"Forwarded", the user must also be using a trusted proxy (in front of
37lighttpd) which understands and actively modifies the "Forwarded" header
38sent to lighttpd.
39
40lighttpd natively supports RFC7239 "Forwarded"
41hiawatha natively supports RFC7239 "Forwarded"
42
43nginx can be manually configured to add a "Forwarded" header
44https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
45
46A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
47in front of another 32-bit lighttpd will detect and reject a malicious
48"Forwarded" request header, thereby thwarting an attempt to trigger
49this bug in an upstream 32-bit lighttpd.
50
51The following servers currently do not natively support RFC7239 Forwarded:
52nginx
53apache2
54caddy
55node.js
56haproxy
57squid
58varnish-cache
59litespeed
60
61Given the general dearth of support for RFC7239 Forwarded in popular
62CDNs and web server reverse proxies, and given the prerequisites in
63lighttpd mod_extforward needed to reach this bug, the number of lighttpd
64servers vulnerable to this bug is estimated to be vanishingly small.
65Large systems using reverse proxies are likely running 64-bit lighttpd,
66which is not known to be adversely affected by this bug.
67
68In the future, it is desirable for more servers to implement RFC7239
69Forwarded. lighttpd developers would like to thank povcfe for reporting
70this bug so that it can be fixed before more CDNs and web servers
71implement RFC7239 Forwarded.
72
73x-ref:
74 "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
75 https://redmine.lighttpd.net/issues/3134
76 (not yet written or published)
77 CVE-2022-22707
78---
79 src/mod_extforward.c | 2 +-
80 1 file changed, 1 insertion(+), 1 deletion(-)
81
82diff --git a/src/mod_extforward.c b/src/mod_extforward.c
83index ba957e04..fdaef7f6 100644
84--- a/src/mod_extforward.c
85+++ b/src/mod_extforward.c
86@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
87 while (s[i] == ' ' || s[i] == '\t') ++i;
88 if (s[i] == ';') { ++i; continue; }
89 if (s[i] == ',') {
90- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
91+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
92 offsets[++j] = -1; /*("offset" separating params from next proxy)*/
93 ++i;
94 continue;
95--
962.25.1
97
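Review bot: the one-line bound change in the embedded upstream hunk, `if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;`, is the correct fix rather than a cosmetic one, because the statement that follows is `offsets[++j] = -1;`, which pre-increments `j` before the store; with the old check `j` could already equal the last valid index when the `,` separator was seen, so the write landed one `int` past the end of the stack array, which matches the 4-byte out-of-bounds write of -1 described in the header. The header carries the `Upstream-Status: Backport`, `CVE:` and `Signed-off-by:` tags OE-Core expects, and the `CVE:` line is what lets cve-check mark CVE-2022-22707 as patched for this recipe, so it should stay verbatim; the x-ref line "(not yet written or published)" is stale now that the CVE id is assigned, but since the file is a verbatim upstream commit it is reasonable to leave it untouched rather than edit a backported patch.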
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
index 41d6319e1b..6359310772 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
@@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \
14 lighttpd-module-accesslog" 14 lighttpd-module-accesslog"
15 15
16SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ 16SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
17 file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
17 file://index.html.lighttpd \ 18 file://index.html.lighttpd \
18 file://lighttpd.conf \ 19 file://lighttpd.conf \
19 file://lighttpd \ 20 file://lighttpd \
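Review bot: adding `file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \` as the first local entry in SRC_URI is sufficient on its own; local `file://` sources are not covered by the tarball checksum, so no `SRC_URI[sha256sum]` change is needed, and the patch file name matches the one added in the first hunk. One thing worth checking at review time is that the recipe does not override `PATCHTOOL` or restrict patch application in a way that would skip the new file, since the only record that this recipe is no longer affected by CVE-2022-22707 is the `CVE:` tag inside that patch.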