
Wheezy and jessie updates of lighttpd



Hi,

On 29/07/16 at 09:54, Krzysztof Krzyżaniak wrote:
> 
> 
> On Thu 28 Jul 2016 at 22:36, Thorsten Alteholz
> <debian@alteholz.de> wrote:
> 
>     Hello dear maintainer(s), the Debian LTS team would like to fix the
>     security issues which are currently open in the Wheezy version of lighttpd:
>     https://security-tracker.debian.org/tracker/CVE-2016-1000212 Would you like
>     to take care of this yourself?
> 
> 
> I don't have any Wheezy on my own. I would need to install it on some VM; I
> think I could maybe do this over the weekend. So if you have someone else to do
> it faster feel free to do it.
> 
>   eloy

Please find attached the debdiffs to mitigate this in wheezy (which I plan
to upload) and jessie. I have tested it with a Python CGI taken from
httpoxy's PoCs, and it seems to work well. However, I am not familiar
with lighttpd, so any review is welcome.

Cheers,

Santiago
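As an added example (not code from the patch, and not the httpoxy PoC CGI the message refers to), a small Python check in the spirit of that test: it models the header-to-meta-variable mapping that turns a client's "Proxy" header into HTTP_PROXY, applies the same case-insensitive exact-name strip as the patch, and doubles as a CGI script that reports whether HTTP_PROXY reached the subprocess environment. The sample headers are constructed.

```python
"""httpoxy mitigation check (added example; not lighttpd's code).

cgi_env_from_headers() models how a CGI-style server turns request
headers into HTTP_* meta-variables (RFC 3875, section 4.1.18). With
strip_proxy=True it applies the rule of the lighttpd patch: a header
named "Proxy" (compared case-insensitively, like
buffer_is_equal_caseless_string) is dropped before the environment is
built. main() is the part to deploy as a test CGI behind the patched
server; it only reports whether HTTP_PROXY is present, never its value.
"""
import os
import sys


def cgi_meta_name(header_name):
    # RFC 3875: uppercase the name, turn '-' into '_', prefix HTTP_.
    # This is why a client-supplied "Proxy" header becomes HTTP_PROXY.
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_env_from_headers(headers, strip_proxy=True):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs."""
    env = {}
    for name, value in headers:
        if not name or not value:      # mirrors ds->value->used && ds->key->used
            continue
        if strip_proxy and name.lower() == "proxy":
            continue                   # the mitigation: never emit HTTP_PROXY
        env[cgi_meta_name(name)] = value
    return env


# Constructed sample request, including the header httpoxy abuses.
SAMPLE_HEADERS = [
    ("Host", "www.example"),
    ("Proxy", "http://proxy.example:8080"),
    ("User-Agent", "httpoxy-check/1.0"),
]


def main():
    # As a CGI script: plain-text verdict, exit status 1 if HTTP_PROXY leaked.
    leaked = "HTTP_PROXY" in os.environ
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write("HTTP_PROXY present in CGI environment: %s\n" % leaked)
    return 1 if leaked else 0


if __name__ == "__main__":
    sys.exit(main())
```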
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog	2016-02-23 11:10:46.000000000 +0100
+++ lighttpd-1.4.31/debian/changelog	2016-08-01 18:01:58.000000000 +0200
@@ -1,3 +1,12 @@
+lighttpd (1.4.31-4+deb7u5~1) santiago-wheezy; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability.
+  * Add buffer_is_equal_caseless_string.patch
+  * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
+
+ -- Santiago R.R. <santiagorr@riseup.net>  Fri, 29 Jul 2016 18:16:19 +0200
+
 lighttpd (1.4.31-4+deb7u4) wheezy-security; urgency=high
 
   * Non-maintainer upload.
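Review bot: the distribution `santiago-wheezy` and the `~1` suffix in `1.4.31-4+deb7u5~1` on the new first changelog line look like a local test build; the upload needs `wheezy-security` and a plain `1.4.31-4+deb7u5`, matching the previous stanza (`lighttpd (1.4.31-4+deb7u4) wheezy-security`).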
diff -Nru lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch
--- lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch	1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch	2016-08-01 18:01:58.000000000 +0200
@@ -0,0 +1,67 @@
+Description: backport buffer.c buffer_is_equal_caseless_string()
+ needed to mitigate httpoxy vulnerability.
+Author: Santiago R.R. <santiagorr@riseup.net>
+
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -533,6 +533,15 @@
+ 	return buffer_is_equal(a, &b);
+ }
+ 
++/* buffer_is_equal_caseless_string(b, CONST_STR_LEN("value")) */
++int buffer_is_equal_caseless_string(const buffer *a, const char *s, size_t b_len) {
++	force_assert(NULL != a);
++	if (a->used != b_len + 1) return 0;
++	force_assert('\0' == a->ptr[a->used - 1]);
++
++	return (0 == strcasecmp(a->ptr, s));
++}
++
+ /* simple-assumption:
+  *
+  * most parts are equal and doing a case conversion needs time
+@@ -1075,3 +1084,10 @@
+ 
+ 	return 0;
+ }
++
++void log_failed_assert(const char *filename, unsigned int line, const char *msg) {
++	/* can't use buffer here; could lead to recursive assertions */
++	fprintf(stderr, "%s.%u: %s\n", filename, line, msg);
++	fflush(stderr);
++	abort();
++}
+--- a/src/buffer.h
++++ b/src/buffer.h
+@@ -82,6 +82,7 @@
+ int buffer_is_equal(buffer *a, buffer *b);
+ int buffer_is_equal_right_len(buffer *a, buffer *b, size_t len);
+ int buffer_is_equal_string(buffer *a, const char *s, size_t b_len);
++int buffer_is_equal_caseless_string(const buffer *a, const char *s, size_t b_len);
+ int buffer_caseless_compare(const char *a, size_t a_len, const char *b, size_t b_len);
+ 
+ typedef enum {
+@@ -125,6 +126,8 @@
+ #define CONST_STR_LEN(x) x, x ? sizeof(x) - 1 : 0
+ #define CONST_BUF_LEN(x) x->ptr, x->used ? x->used - 1 : 0
+ 
++void log_failed_assert(const char *filename, unsigned int line, const char *msg) LI_NORETURN;
++#define force_assert(x) do { if (!(x)) log_failed_assert(__FILE__, __LINE__, "assertion failed: " #x); } while(0)
+ 
+ #define SEGFAULT() do { fprintf(stderr, "%s.%d: aborted\n", __FILE__, __LINE__); abort(); } while(0)
+ #define UNUSED(x) ( (void)(x) )
+--- a/src/settings.h
++++ b/src/settings.h
+@@ -9,6 +9,12 @@
+ # define __USE_GNU /* a hack in my eyes, <fcntl.h> F_SETSIG should work with _GNU_SOURCE */
+ #endif
+ 
++#ifdef __GNUC__
++# define LI_NORETURN __attribute__((noreturn))
++#else
++# define LI_NORETURN
++#endif
++
+ #define BV(x) (1 << x)
+ 
+ #define INET_NTOP_CACHE_MAX 4
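Review bot: the DEP-3 header at the top of buffer_is_equal_caseless_string.patch gives only `Author: Santiago R.R.` although the body backports upstream buffer.c code (`buffer_is_equal_caseless_string`, `force_assert`, `log_failed_assert`, `LI_NORETURN`); an `Origin: backport, <upstream URL>` line would record where it comes from. Also worth confirming that buffer.h pulls in settings.h, since the `log_failed_assert` prototype added to buffer.h uses `LI_NORETURN`, which this patch defines in settings.h.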
diff -Nru lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
--- lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch	1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch	2016-08-01 18:02:27.000000000 +0200
@@ -0,0 +1,126 @@
+Description: backported patch to mitigate httpoxy vulnerability
+Origin: upstream, https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff
+Reviewed-by: Santiago R.R. <santiagorr@riseup.net>
+
+From 779c133c16f9af168b004dce7a2a64f16c1cb3a4 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 18 Jul 2016 22:59:33 -0400
+Subject: [PATCH] [security] do not emit HTTP_PROXY to CGI env
+
+Strip bogus "Proxy" header before creating subprocess environment.
+(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)
+
+Do not emit HTTP_PROXY to subprocess environment.
+Some executables use HTTP_PROXY to configure outgoing proxy.
+
+This is not a lighttpd security issue per se, but this change to
+lighttpd adds a layer of defense to protect backend processes which
+might be vulnerable due to blindly using this untrusted environment
+variable.  The HTTP_PROXY environment variable should not be trusted
+by a program running in a CGI-like environment.
+
+Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:
+
+* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
+  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
+* Modify lighttpd.conf to load mod_magnet and run lua code
+    server.modules += ( "mod_magnet" )
+    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
+
+References:
+
+https://www.kb.cert.org/vuls/id/797896
+CGI web servers assign Proxy header values from client requests to
+internal HTTP_PROXY environment variables
+
+https://httpoxy.org/
+httpoxy: A CGI application vulnerability
+
+
+---
+ src/mod_cgi.c     | 7 +++++++
+ src/mod_fastcgi.c | 7 +++++++
+ src/mod_proxy.c   | 4 ++++
+ src/mod_scgi.c    | 7 +++++++
+ src/mod_ssi.c     | 9 ++++++++-
+ 5 files changed, 33 insertions(+), 1 deletion(-)
+
+--- a/src/mod_cgi.c
++++ b/src/mod_cgi.c
+@@ -957,6 +957,13 @@
+ 			ds = (data_string *)con->request.headers->data[n];
+ 
+ 			if (ds->value->used && ds->key->used) {
++				/* Do not emit HTTP_PROXY in environment.
++				 * Some executables use HTTP_PROXY to configure
++				 * outgoing proxy.  See also https://httpoxy.org/ */
++				if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++					continue;
++				}
++
+ 				size_t j;
+ 
+ 				buffer_reset(p->tmp_buf);
+--- a/src/mod_fastcgi.c
++++ b/src/mod_fastcgi.c
+@@ -1756,6 +1756,13 @@
+ 		ds = (data_string *)con->request.headers->data[i];
+ 
+ 		if (ds->value->used && ds->key->used) {
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++				continue;
++			}
++
+ 			size_t j;
+ 			buffer_reset(srv->tmp_buf);
+ 
+--- a/src/mod_proxy.c
++++ b/src/mod_proxy.c
+@@ -474,6 +474,10 @@
+ 		if (ds->value->used && ds->key->used) {
+ 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Connection"))) continue;
+ 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Proxy-Connection"))) continue;
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) continue;
+ 
+ 			buffer_append_string_buffer(b, ds->key);
+ 			buffer_append_string_len(b, CONST_STR_LEN(": "));
+--- a/src/mod_scgi.c
++++ b/src/mod_scgi.c
+@@ -1404,6 +1404,13 @@
+ 		ds = (data_string *)con->request.headers->data[i];
+ 
+ 		if (ds->value->used && ds->key->used) {
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++				continue;
++			}
++
+ 			size_t j;
+ 			buffer_reset(srv->tmp_buf);
+ 
+--- a/src/mod_ssi.c
++++ b/src/mod_ssi.c
+@@ -177,7 +177,14 @@
+ 			buffer_reset(srv->tmp_buf);
+ 
+ 			/* don't forward the Authorization: Header */
+-			if (0 == strcasecmp(ds->key->ptr, "AUTHORIZATION")) {
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Authorization"))) {
++				continue;
++			}
++
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+ 				continue;
+ 			}
+ 
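Review bot: this patch only builds if `buffer_is_equal_caseless_string()` is available, and in 1.4.31 that comes solely from the sibling buffer_is_equal_caseless_string.patch; the DEP-3 header should state that dependency so the two patches are never reordered or applied separately. It would also help to note there that the backport differs from the upstream commit only in hunk offsets (e.g. `@@ -957` in mod_cgi.c), so a reviewer can diff it against the referenced revision.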
diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series
--- lighttpd-1.4.31/debian/patches/series	2016-02-23 11:10:46.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/series	2016-08-01 18:01:58.000000000 +0200
@@ -6,3 +6,5 @@
 cve-2014-2323.patch
 cve-2014-2324.patch
 CVE-2014-3566.patch
+buffer_is_equal_caseless_string.patch
+mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
diff -Nru lighttpd-1.4.35/debian/changelog lighttpd-1.4.35/debian/changelog
--- lighttpd-1.4.35/debian/changelog	2014-11-02 03:52:30.000000000 +0100
+++ lighttpd-1.4.35/debian/changelog	2016-08-01 14:59:43.000000000 +0200
@@ -1,3 +1,11 @@
+lighttpd (1.4.35-5) jessie-security; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability.
+  * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
+
+ -- Santiago R.R. <santiagorr@riseup.net>  Sun, 31 Jul 2016 20:57:24 +0200
+
 lighttpd (1.4.35-4) unstable; urgency=medium
 
   * Disable SSLv3 by default (closes: #765702).
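Review bot: the version `1.4.35-5` on the new first line uses unstable-style numbering for a `jessie-security` upload; stable security updates take a `+deb8uN` suffix (`1.4.35-4+deb8u1`), as the wheezy changelog does with `+deb7u`, so that a later `-5` in unstable stays available and versions sort correctly across suites.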
diff -Nru lighttpd-1.4.35/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch lighttpd-1.4.35/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
--- lighttpd-1.4.35/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch	1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.35/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch	2016-08-01 15:08:34.000000000 +0200
@@ -0,0 +1,126 @@
+Description: backported patch to mitigate httpoxy vulnerability
+Origin: upstream, https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff
+Reviewed-by: Santiago R.R. <santiagorr@riseup.net>
+
+From 779c133c16f9af168b004dce7a2a64f16c1cb3a4 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Mon, 18 Jul 2016 22:59:33 -0400
+Subject: [PATCH] [security] do not emit HTTP_PROXY to CGI env
+
+Strip bogus "Proxy" header before creating subprocess environment.
+(mod_cgi, mod_fastcgi, mod_scgi, mod_ssi, mod_proxy)
+
+Do not emit HTTP_PROXY to subprocess environment.
+Some executables use HTTP_PROXY to configure outgoing proxy.
+
+This is not a lighttpd security issue per se, but this change to
+lighttpd adds a layer of defense to protect backend processes which
+might be vulnerable due to blindly using this untrusted environment
+variable.  The HTTP_PROXY environment variable should not be trusted
+by a program running in a CGI-like environment.
+
+Mitigation in lighttpd <= 1.4.40 is to reject requests w/ Proxy header:
+
+* Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:
+  if (lighty.request["Proxy"] == nil) then return 0 else return 403 end
+* Modify lighttpd.conf to load mod_magnet and run lua code
+    server.modules += ( "mod_magnet" )
+    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )
+
+References:
+
+https://www.kb.cert.org/vuls/id/797896
+CGI web servers assign Proxy header values from client requests to
+internal HTTP_PROXY environment variables
+
+https://httpoxy.org/
+httpoxy: A CGI application vulnerability
+
+
+---
+ src/mod_cgi.c     | 7 +++++++
+ src/mod_fastcgi.c | 7 +++++++
+ src/mod_proxy.c   | 4 ++++
+ src/mod_scgi.c    | 7 +++++++
+ src/mod_ssi.c     | 9 ++++++++-
+ 5 files changed, 33 insertions(+), 1 deletion(-)
+
+--- a/src/mod_cgi.c
++++ b/src/mod_cgi.c
+@@ -950,6 +950,13 @@
+ 			ds = (data_string *)con->request.headers->data[n];
+ 
+ 			if (ds->value->used && ds->key->used) {
++				/* Do not emit HTTP_PROXY in environment.
++				 * Some executables use HTTP_PROXY to configure
++				 * outgoing proxy.  See also https://httpoxy.org/ */
++				if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++					continue;
++				}
++
+ 				size_t j;
+ 
+ 				buffer_reset(p->tmp_buf);
+--- a/src/mod_fastcgi.c
++++ b/src/mod_fastcgi.c
+@@ -1778,6 +1778,13 @@
+ 		ds = (data_string *)con->request.headers->data[i];
+ 
+ 		if (ds->value->used && ds->key->used) {
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++				continue;
++			}
++
+ 			size_t j;
+ 			buffer_reset(srv->tmp_buf);
+ 
+--- a/src/mod_proxy.c
++++ b/src/mod_proxy.c
+@@ -476,6 +476,10 @@
+ 		if (ds->value->used && ds->key->used) {
+ 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Connection"))) continue;
+ 			if (buffer_is_equal_string(ds->key, CONST_STR_LEN("Proxy-Connection"))) continue;
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) continue;
+ 
+ 			buffer_append_string_buffer(b, ds->key);
+ 			buffer_append_string_len(b, CONST_STR_LEN(": "));
+--- a/src/mod_scgi.c
++++ b/src/mod_scgi.c
+@@ -1425,6 +1425,13 @@
+ 		ds = (data_string *)con->request.headers->data[i];
+ 
+ 		if (ds->value->used && ds->key->used) {
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
++				continue;
++			}
++
+ 			size_t j;
+ 			buffer_reset(srv->tmp_buf);
+ 
+--- a/src/mod_ssi.c
++++ b/src/mod_ssi.c
+@@ -177,7 +177,14 @@
+ 			buffer_reset(srv->tmp_buf);
+ 
+ 			/* don't forward the Authorization: Header */
+-			if (0 == strcasecmp(ds->key->ptr, "AUTHORIZATION")) {
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Authorization"))) {
++				continue;
++			}
++
++			/* Do not emit HTTP_PROXY in environment.
++			 * Some executables use HTTP_PROXY to configure
++			 * outgoing proxy.  See also https://httpoxy.org/ */
++			if (buffer_is_equal_caseless_string(ds->key, CONST_STR_LEN("Proxy"))) {
+ 				continue;
+ 			}
+ 
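Review bot: unlike the wheezy debdiff, no helper patch accompanies this one, so it relies on 1.4.35 already providing `buffer_is_equal_caseless_string()`; please confirm the prototype is present in jessie's src/buffer.h before uploading, otherwise mod_cgi, mod_fastcgi, mod_scgi, mod_proxy and mod_ssi all fail to compile, including the existing Authorization check in mod_ssi.c that the `@@ -177` hunk converts to the same helper.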
diff -Nru lighttpd-1.4.35/debian/patches/series lighttpd-1.4.35/debian/patches/series
--- lighttpd-1.4.35/debian/patches/series	2014-11-02 03:53:48.000000000 +0100
+++ lighttpd-1.4.35/debian/patches/series	2016-08-01 15:01:20.000000000 +0200
@@ -1,3 +1,4 @@
 kfreebsd-disable-test.patch
 spelling.patch
 no-sslv3.patch
+mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
