Diffstat (limited to 'meta/recipes-extended/lighttpd')
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch | 100 | ||||
-rw-r--r-- | meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb | 1 |
2 files changed, 101 insertions, 0 deletions
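--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,100 @@
+From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded. lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+https://redmine.lighttpd.net/issues/3134
+(not yet written or published)
+CVE-2022-22707
+
+Upstream-Status: Backport
+CVE: CVE-2022-22707
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
+---
+src/mod_extforward.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index ba957e04..fdaef7f6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+while (s[i] == ' ' || s[i] == '\t') ++i;
+if (s[i] == ';') { ++i; continue; }
+if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+++i;
+continue;
+--
+2.25.1
+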
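Review bot: The `Upstream-Status: Backport` trailer at patch line 75 carries no upstream reference, so a reviewer cannot verify the backport against the original commit without hunting for it; OE patch conventions want the link in brackets, and the hash is already in the From line, so `Upstream-Status: Backport [https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/27103f3f8b1a2857aa45b889e775435f7daf141f]` would do. The one-line C change itself matches the description: the old `if (j >= N) break;` lets j reach N-1, after which `offsets[++j] = -1` writes index N, one past the array; checking against N-1 keeps that write in bounds. mod_extforward_Forwarded continues outside the quoted hunk, so whether any other `offsets[++j]` write in the same loop is guarded the same way is not visible here and should be confirmed against the full upstream function.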
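--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.55.bb
@@ -14,6 +14,7 @@ RRECOMMENDS_${PN} = "lighttpd-module-access \
 lighttpd-module-accesslog"
 
 SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
+file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
 file://index.html.lighttpd \
 file://lighttpd.conf \
 file://lighttpd \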