Bug#693890: unblock: lighttpd/1.4.31-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package lighttpd. The upload fixes a critical Denial of Service
vulnerability (CVE-2012-5533) in the lighttpd web server: any client able to
connect can trigger a denial of service by sending a malformed HTTP Connection
header.
Note that the upload also includes purely cosmetic, non-invasive fixes to the
conffiles. I only included them because I committed this fix to the VCS a while
ago and did not want to revert it again. These changes should comply with your
freeze exception policy, and I have already asked informally whether they are
acceptable. They do not change any functionality and only fix a documentation
bug (wrong documentation paths in comments).
Given the security nature of this upload, I would also appreciate it if you could age the upload (shorten its migration delay).
The full debdiff follows inline below.
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog 2012-06-02 00:15:25.000000000 +0200
+++ lighttpd-1.4.31/debian/changelog 2012-11-21 14:53:48.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-3) unstable; urgency=high
+
+ * Fix "configuration files refer to wrong path for documentation"
+ by merging a patch supplied by Denis Laxalde <denis@laxalde.org>
+ (Closes: #676641)
+ * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending
+ faulty Connection headers
+
+ -- Arno Töll <arno@debian.org> Wed, 21 Nov 2012 14:42:32 +0100
+
lighttpd (1.4.31-1) unstable; urgency=low
* New upstream release
diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf lighttpd-1.4.31/debian/conf-available/05-auth.conf
--- lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/05-auth.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/authentication.txt.gz
+# /usr/share/doc/lighttpd/authentication.txt.gz
server.modules += ( "mod_auth" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf lighttpd-1.4.31/debian/conf-available/10-cgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/cgi.txt
+# /usr/share/doc/lighttpd/cgi.txt
server.modules += ( "mod_cgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
# http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
server.modules += ( "mod_fastcgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf lighttpd-1.4.31/debian/conf-available/10-proxy.conf
--- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/proxy.txt
+# /usr/share/doc/lighttpd/proxy.txt
server.modules += ( "mod_proxy" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf
--- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/rrdtool.txt
+# /usr/share/doc/lighttpd/rrdtool.txt
server.modules += ( "mod_rrdtool" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf
--- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/simple-vhost.txt
+# /usr/share/doc/lighttpd/simple-vhost.txt
server.modules += ( "mod_simple_vhost" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf lighttpd-1.4.31/debian/conf-available/10-ssi.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssi.txt
+# /usr/share/doc/lighttpd/ssi.txt
server.modules += ( "mod_ssi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf lighttpd-1.4.31/debian/conf-available/10-ssl.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssl.txt
+# /usr/share/doc/lighttpd/ssl.txt
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf lighttpd-1.4.31/debian/conf-available/10-status.conf
--- lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-status.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/status.txt
+# /usr/share/doc/lighttpd/status.txt
# http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus
server.modules += ( "mod_status" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf lighttpd-1.4.31/debian/conf-available/10-userdir.conf
--- lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,7 +1,7 @@
## The userdir module provides a simple way to link user-based directories into
## the global namespace of the webserver.
##
-# /usr/share/doc/lighttpd-doc/userdir.txt
+# /usr/share/doc/lighttpd/userdir.txt
server.modules += ( "mod_userdir" )
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,5 +1,5 @@
# -*- depends: fastcgi -*-
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
# http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
## Start an FastCGI server for php (needs the php5-cgi package)
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf lighttpd-1.4.31/debian/conf-available2/10-cml.conf
--- lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf 2012-11-21 02:12:50.000000000 +0100
@@ -2,7 +2,7 @@
## at one side and building a page from its fragments on the
## other side using LUA.
##
-## /usr/share/doc/lighttpd-doc/cml.txt
+## /usr/share/doc/lighttpd/cml.txt
server.modules += ( "mod_cml" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf lighttpd-1.4.31/debian/conf-available2/10-magnet.conf
--- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/magnet.txt.gz
+# /usr/share/doc/lighttpd/magnet.txt.gz
# http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet
server.modules += ( "mod_magnet" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
--- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,6 +1,6 @@
## A module to prevent deep-linking from other sites.
##
-# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html
+# /usr/share/doc/lighttpd/trigger-b4-dl.html
server.modules += ( "mod_trigger_b4_dl" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf lighttpd-1.4.31/debian/conf-available2/10-webdav.conf
--- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf 2012-11-21 02:12:50.000000000 +0100
@@ -3,7 +3,7 @@
## the group defined which allows users to collaboratively edit and manage
## files on remote web servers.
##
-# /usr/share/doc/lighttpd-doc/webdav.txt
+# /usr/share/doc/lighttpd/webdav.txt
# http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV
server.modules += ( "mod_webdav" )
diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch lighttpd-1.4.31/debian/patches/connection-dos.patch
--- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21 14:44:32.000000000 +0100
@@ -0,0 +1,112 @@
+From: Stefan Bühler <stbuehler@web.de>
+Subject: Fix DoS in header value split (CVE-2012-5533)
+
+Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533)
+
+Any client which is able to connect to lighttpd can cause a DoS by sending
+"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This
+patch fixes the issue.
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@
+ #endif
+
+ static int http_request_split_value(array *vals, buffer *b) {
+- char *s;
+ size_t i;
+ int state = 0;
++
++ const char *current;
++ const char *token_start = NULL, *token_end = NULL;
+ /*
+ * parse
+ *
+@@ -222,53 +224,52 @@
+
+ if (b->used == 0) return 0;
+
+- s = b->ptr;
+-
+- for (i =0; i < b->used - 1; ) {
+- char *start = NULL, *end = NULL;
++ current = b->ptr;
++ for (i = 0; i < b->used; ++i, ++current) {
+ data_string *ds;
+
+ switch (state) {
+- case 0: /* ws */
+-
+- /* skip ws */
+- for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++);
+-
+-
+- state = 1;
+- break;
+- case 1: /* value */
+- start = s;
+-
+- for (; *s != ',' && i < b->used - 1; i++, s++);
+- if (start == s) break; /* empty fields are skipped */
+- end = s - 1;
+-
+- for (; end > start && (*end == ' ' || *end == '\t'); end--);
+- if (start == end) break; /* empty fields are skipped */
+-
+- if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+- ds = data_string_init();
++ case 0: /* find start of a token */
++ switch (*current) {
++ case ' ':
++ case '\t': /* skip white space */
++ case ',': /* skip empty token */
++ break;
++ case '\0': /* end of string */
++ return 0;
++ default:
++ /* found real data, switch to state 1 to find the end of the token */
++ token_start = token_end = current;
++ state = 1;
++ break;
+ }
++ break;
++ case 1: /* find end of token and last non white space character */
++ switch (*current) {
++ case ' ':
++ case '\t':
++ /* space - don't update token_end */
++ break;
++ case ',':
++ case '\0': /* end of string also marks the end of a token */
++ if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
++ ds = data_string_init();
++ }
+
+- buffer_copy_string_len(ds->value, start, end-start+1);
+- array_insert_unique(vals, (data_unset *)ds);
++ buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
++ array_insert_unique(vals, (data_unset *)ds);
+
+- if (*s == ',') {
+ state = 0;
+- i++;
+- s++;
+- } else {
+- /* end of string */
+-
+- state = 2;
++ break;
++ default:
++ /* no white space, update token_end to include current character */
++ token_end = current;
++ break;
+ }
+ break;
+- default:
+- i++;
+- break;
+ }
+ }
++
+ return 0;
+ }
+
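Review bot: The rewritten loop in http_request_split_value only emits a token when it meets ',' or '\0' within the first b->used bytes, so a buffer whose `used` count does not cover the terminating NUL would silently drop its final token (the old code flushed at end-of-string via state 2). In lighttpd 1.4 the buffer convention appears to keep the NUL inside `used`, so this should not trigger in practice, but the function now depends on that invariant without stating it. I would at least document it with `/* b->used counts the terminating NUL, so *current reaches '\0' before i reaches b->used */`, or better add a post-loop flush so the split does not rely on it. The part that ends the original infinite loop (i and current always advance, empty fields are skipped in state 0) looks correct.
```c
	}

	/* defensive: flush a token still open if the value ended without ',' or NUL inside b->used */
	if (state == 1) {
		data_string *ds;
		if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
			ds = data_string_init();
		}
		buffer_copy_string_len(ds->value, token_start, token_end - token_start + 1);
		array_insert_unique(vals, (data_unset *)ds);
	}

	return 0;
}
```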
diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series
--- lighttpd-1.4.31/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/series 2012-11-21 02:12:50.000000000 +0100
@@ -0,0 +1 @@
+connection-dos.patch
unblock lighttpd/1.4.31-3
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash