1 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
new file mode 100644
index 0000000000..da59b7297a
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,100 @@
+From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+(thx povcfe)
+(edited: gstrauss)
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded.  lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+x-ref:
+  "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+  https://redmine.lighttpd.net/issues/3134
+  (not yet written or published)
+  CVE-2022-22707
+Upstream-Status: Backport
+CVE: CVE-2022-22707
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index ba957e04..fdaef7f6 100644
+--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+         while (s[i] == ' ' || s[i] == '\t') ++i;
+         if (s[i] == ';') { ++i; continue; }
+         if (s[i] == ',') {
+-            if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+            if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+             offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+             ++i;
+             continue;
+-- 
+2.25.1

diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch new file mode 100644 index 0000000000..da59b7297a --- /dev/null +++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,100 @@
	1	From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
	2	From: povcfe <povcfe@qq.com>
	3	Date: Wed, 5 Jan 2022 11:11:09 +0000
	4	Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
	5
	6	(thx povcfe)
	7
	8	(edited: gstrauss)
	9
	10	There is a potential remote denial of service in lighttpd mod_extforward
	11	under specific, non-default and uncommon 32-bit lighttpd mod_extforward
	12	configurations.
	13
	14	Under specific, non-default and uncommon lighttpd mod_extforward
	15	configurations, a remote attacker can trigger a 4-byte out-of-bounds
	16	write of value '-1' to the stack. This is not believed to be exploitable
	17	in any way beyond triggering a crash of the lighttpd server on systems
	18	where the lighttpd server has been built 32-bit and with compiler flags
	19	which enable a stack canary -- gcc/clang -fstack-protector-strong or
	20	-fstack-protector-all, but bug not visible with only -fstack-protector.
	21
	22	With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
	23	this bug has not been observed to cause adverse behavior, even with
	24	gcc/clang -fstack-protector-strong.
	25
	26	For the bug to be reachable, the user must be using a non-default
	27	lighttpd configuration which enables mod_extforward and configures
	28	mod_extforward to accept and parse the "Forwarded" header from a trusted
	29	proxy. At this time, support for RFC7239 Forwarded is not common in CDN
	30	providers or popular web server reverse proxies. It bears repeating that
	31	for the user to desire to configure lighttpd mod_extforward to accept
	32	"Forwarded", the user must also be using a trusted proxy (in front of
	33	lighttpd) which understands and actively modifies the "Forwarded" header
	34	sent to lighttpd.
	35
	36	lighttpd natively supports RFC7239 "Forwarded"
	37	hiawatha natively supports RFC7239 "Forwarded"
	38
	39	nginx can be manually configured to add a "Forwarded" header
	40	https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
	41
	42	A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
	43	in front of another 32-bit lighttpd will detect and reject a malicious
	44	"Forwarded" request header, thereby thwarting an attempt to trigger
	45	this bug in an upstream 32-bit lighttpd.
	46
	47	The following servers currently do not natively support RFC7239 Forwarded:
	48	nginx
	49	apache2
	50	caddy
	51	node.js
	52	haproxy
	53	squid
	54	varnish-cache
	55	litespeed
	56
	57	Given the general dearth of support for RFC7239 Forwarded in popular
	58	CDNs and web server reverse proxies, and given the prerequisites in
	59	lighttpd mod_extforward needed to reach this bug, the number of lighttpd
	60	servers vulnerable to this bug is estimated to be vanishingly small.
	61	Large systems using reverse proxies are likely running 64-bit lighttpd,
	62	which is not known to be adversely affected by this bug.
	63
	64	In the future, it is desirable for more servers to implement RFC7239
	65	Forwarded. lighttpd developers would like to thank povcfe for reporting
	66	this bug so that it can be fixed before more CDNs and web servers
	67	implement RFC7239 Forwarded.
	68
	69	x-ref:
	70	"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
	71	https://redmine.lighttpd.net/issues/3134
	72	(not yet written or published)
	73	CVE-2022-22707
	74
	75	Upstream-Status: Backport
	76	CVE: CVE-2022-22707
	77	Signed-off-by: Ross Burton <ross.burton@arm.com>
	78
	79	Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
	80	Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
	81	---
	82	src/mod_extforward.c \| 2 +-
	83	1 file changed, 1 insertion(+), 1 deletion(-)
	84
	85	diff --git a/src/mod_extforward.c b/src/mod_extforward.c
	86	index ba957e04..fdaef7f6 100644
	87	--- a/src/mod_extforward.c
	88	+++ b/src/mod_extforward.c
	89	@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
	90	while (s[i] == ' ' \|\| s[i] == '\t') ++i;
	91	if (s[i] == ';') { ++i; continue; }
	92	if (s[i] == ',') {
	93	- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
	94	+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
	95	offsets[++j] = -1; /("offset" separating params from next proxy)/
	96	++i;
	97	continue;
	98	--
	99	2.25.1
	100