author | Ross Burton <ross.burton@intel.com> | 2019-06-25 13:37:52 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-27 18:05:18 +0100 |
commit | f749c69115dcc3918d1fd0acd379852288193345 (patch) | |
tree | d24cae4eea8b9c277f70ff2506c70baf689c8d04 /meta/recipes-extended | |
parent | 573a9358603308e125cea7274c24c1fcceb50ab7 (diff) | |
lighttpd: fix CVE-2019-11072
(From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch | 51 | ||||
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb | 1 |
2 files changed, 52 insertions, 0 deletions
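--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/fix-http-parseopts.patch
@@ -0,0 +1,51 @@
+CVE: CVE-2019-11072
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 32120d5b8b3203fc21ccb9eafb0eaf824bb59354 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Wed, 10 Apr 2019 11:28:10 -0400
+Subject: [PATCH] [core] fix abort in http-parseopts (fixes #2945)
+
+fix abort in server.http-parseopts with url-path-2f-decode enabled
+
+(thx stze)
+
+x-ref:
+"Security - SIGABRT during GET request handling with url-path-2f-decode enabled"
+https://redmine.lighttpd.net/issues/2945
+---
+src/burl.c | 6 ++++--
+src/t/test_burl.c | 2 ++
+2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/burl.c b/src/burl.c
+index 51182628..c4b928fd 100644
+--- a/src/burl.c
++++ b/src/burl.c
+@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int qs, int i)
+}
+}
+if (qs >= 0) {
+- memmove(s+j, s+qs, blen - qs);
+- j += blen - qs;
++ const int qslen = blen - qs;
++ memmove(s+j, s+qs, (size_t)qslen);
++ qs = j;
++ j += qslen;
+}
+buffer_string_set_length(b, j);
+return qs;
+diff --git a/src/t/test_burl.c b/src/t/test_burl.c
+index 7be9be50..f7a16815 100644
+--- a/src/t/test_burl.c
++++ b/src/t/test_burl.c
+@@ -97,6 +97,8 @@ static void test_burl_normalize (void) {
+flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE;
+run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
+run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), CONST_STR_LEN("/?"));
++ run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), CONST_STR_LEN("//?"));
+run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), CONST_STR_LEN("/a/b"));
+run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), CONST_STR_LEN("/a/b"));
+run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));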
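Review bot: The line `qs = j;` in the src/burl.c hunk is the whole fix, yet nothing says why the returned offset has to change; a comment above it such as `/* path shrank after %2F decoding: '?' now sits at j, so return the re-based offset */` would keep a later refactor from dropping it. Before this change the function returned the pre-compaction `qs`, which can lie past the shortened length set by `buffer_string_set_length(b, j)`; that is presumably what the caller tripped over in issue 2945, though the caller and the start of this function are outside the hunk. Both new test inputs have an empty query string, and the existing `/a%2fb?c=/` case appears to compare only the normalized text, so a stale but in-bounds offset would not obviously be caught; a test that checks the returned offset would close that gap. In the Yocto header, `Upstream-Status: Backport [<upstream commit URL>]` would make the origin traceable without reading the mbox `From` line.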
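--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.51.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t
 file://lighttpd \
 file://lighttpd.service \
 file://0001-Use-pkg-config-for-pcre-dependency-instead-of-config.patch \
+file://fix-http-parseopts.patch \
 "
 
 SRC_URI[md5sum] = "6e68c19601af332fa3c5f174245f59bf"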