
Bug#693890: unblock: lighttpd/1.4.31-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lighttpd. The upload fixes a critical Denial of Service
attack against the lighttpd web server by sending malicious HTTP Connection
headers.

Note that the upload also includes purely cosmetic, non-invasive fixes to conffiles. I
only included them because I committed this fix to the VCS a while ago and did not
want to revert it again. These changes should be in line with your freeze
exception policies, and I already asked informally whether they are okay. They do
not change any functionality and fix a documentation bug only.

Given the nature of this upload I'd also appreciate if you could age the upload.

A fix follows below inline

diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog    2012-06-02 00:15:25.000000000 +0200
+++ lighttpd-1.4.31/debian/changelog    2012-11-21 14:53:48.000000000 +0100
@@ -1,3 +1,13 @@
+lighttpd (1.4.31-3) unstable; urgency=high
+
+  * Fix "configuration files refer to wrong path for documentation"
+    by merging a patch supplied by  Denis Laxalde <denis@laxalde.org>
+    (Closes: #676641)
+  * CVE-2012-5533: Fix Denial Of Service attacks against Lighttpd by sending
+    faulty Connection headers
+
+ -- Arno Töll <arno@debian.org>  Wed, 21 Nov 2012 14:42:32 +0100
+
 lighttpd (1.4.31-1) unstable; urgency=low
 
   * New upstream release
diff -Nru lighttpd-1.4.31/debian/conf-available/05-auth.conf lighttpd-1.4.31/debian/conf-available/05-auth.conf
--- lighttpd-1.4.31/debian/conf-available/05-auth.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/05-auth.conf  2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/authentication.txt.gz
+# /usr/share/doc/lighttpd/authentication.txt.gz
 
 server.modules                += ( "mod_auth" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-cgi.conf lighttpd-1.4.31/debian/conf-available/10-cgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-cgi.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-cgi.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/cgi.txt
+# /usr/share/doc/lighttpd/cgi.txt
 
 server.modules += ( "mod_cgi" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf
--- lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-fastcgi.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
 # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
 
 server.modules += ( "mod_fastcgi" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-proxy.conf lighttpd-1.4.31/debian/conf-available/10-proxy.conf
--- lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-proxy.conf 2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/proxy.txt
+# /usr/share/doc/lighttpd/proxy.txt
 
 server.modules   += ( "mod_proxy" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf
--- lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-rrdtool.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/rrdtool.txt
+# /usr/share/doc/lighttpd/rrdtool.txt
 
 server.modules += ( "mod_rrdtool" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf
--- lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-simple-vhost.conf  2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/simple-vhost.txt
+# /usr/share/doc/lighttpd/simple-vhost.txt
 
 server.modules += ( "mod_simple_vhost" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssi.conf lighttpd-1.4.31/debian/conf-available/10-ssi.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssi.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssi.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssi.txt
+# /usr/share/doc/lighttpd/ssi.txt
 
 server.modules += ( "mod_ssi" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/10-ssl.conf lighttpd-1.4.31/debian/conf-available/10-ssl.conf
--- lighttpd-1.4.31/debian/conf-available/10-ssl.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-ssl.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/ssl.txt
+# /usr/share/doc/lighttpd/ssl.txt
 
 $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine  = "enable"
diff -Nru lighttpd-1.4.31/debian/conf-available/10-status.conf lighttpd-1.4.31/debian/conf-available/10-status.conf
--- lighttpd-1.4.31/debian/conf-available/10-status.conf        2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-status.conf        2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/status.txt
+# /usr/share/doc/lighttpd/status.txt
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModStatus
 
 server.modules += ( "mod_status" )
diff -Nru lighttpd-1.4.31/debian/conf-available/10-userdir.conf lighttpd-1.4.31/debian/conf-available/10-userdir.conf
--- lighttpd-1.4.31/debian/conf-available/10-userdir.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/10-userdir.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,7 +1,7 @@
 ## The userdir module provides a simple way to link user-based directories into
 ## the global namespace of the webserver.
 ##
-# /usr/share/doc/lighttpd-doc/userdir.txt
+# /usr/share/doc/lighttpd/userdir.txt
 
 server.modules      += ( "mod_userdir" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf
--- lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf   2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available/15-fastcgi-php.conf   2012-11-21 02:12:50.000000000 +0100
@@ -1,5 +1,5 @@
 # -*- depends: fastcgi -*-
-# /usr/share/doc/lighttpd-doc/fastcgi.txt.gz
+# /usr/share/doc/lighttpd/fastcgi.txt.gz
 # http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ConfigurationOptions#mod_fastcgi-fastcgi
 
 ## Start an FastCGI server for php (needs the php5-cgi package)
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-cml.conf lighttpd-1.4.31/debian/conf-available2/10-cml.conf
--- lighttpd-1.4.31/debian/conf-available2/10-cml.conf  2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-cml.conf  2012-11-21 02:12:50.000000000 +0100
@@ -2,7 +2,7 @@
 ## at one side and building a page from its fragments on the 
 ## other side using LUA.
 ##
-## /usr/share/doc/lighttpd-doc/cml.txt
+## /usr/share/doc/lighttpd/cml.txt
 
 server.modules += ( "mod_cml" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-magnet.conf lighttpd-1.4.31/debian/conf-available2/10-magnet.conf
--- lighttpd-1.4.31/debian/conf-available2/10-magnet.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-magnet.conf       2012-11-21 02:12:50.000000000 +0100
@@ -1,4 +1,4 @@
-# /usr/share/doc/lighttpd-doc/magnet.txt.gz
+# /usr/share/doc/lighttpd/magnet.txt.gz
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModMagnet
 
 server.modules += ( "mod_magnet" )
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf
--- lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf        2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-trigger-b4-dl.conf        2012-11-21 02:12:50.000000000 +0100
@@ -1,6 +1,6 @@
 ## A module to prevent deep-linking from other sites.
 ## 
-# /usr/share/doc/lighttpd-doc/trigger-b4-dl.html
+# /usr/share/doc/lighttpd/trigger-b4-dl.html
 
 server.modules += ( "mod_trigger_b4_dl" )
 
diff -Nru lighttpd-1.4.31/debian/conf-available2/10-webdav.conf lighttpd-1.4.31/debian/conf-available2/10-webdav.conf
--- lighttpd-1.4.31/debian/conf-available2/10-webdav.conf       2012-02-27 19:53:39.000000000 +0100
+++ lighttpd-1.4.31/debian/conf-available2/10-webdav.conf       2012-11-21 02:12:50.000000000 +0100
@@ -3,7 +3,7 @@
 ## the group defined which allows users to collaboratively edit and manage
 ## files on remote web servers.
 ##
-# /usr/share/doc/lighttpd-doc/webdav.txt
+# /usr/share/doc/lighttpd/webdav.txt
 # http://trac.lighttpd.net/trac/wiki/Docs%3AModWebDAV
 
 server.modules += ( "mod_webdav" )
diff -Nru lighttpd-1.4.31/debian/patches/connection-dos.patch lighttpd-1.4.31/debian/patches/connection-dos.patch
--- lighttpd-1.4.31/debian/patches/connection-dos.patch 1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/connection-dos.patch 2012-11-21 14:44:32.000000000 +0100
@@ -0,0 +1,112 @@
+From: Stefan Bühler <stbuehler@web.de>
+Subject: Fix DoS in header value split (CVE-2012-5533)
+
+Fix DoS in header value split (reported by Jesse Sipprell; CVE-2012-5533)
+
+Any client which is able to connect to lighttpd can cause a DoS by sending
+"strange" Connection headers, for example: "Connection: TE,,Keep-Alive". This
+patch fixes the issue.
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@
+ #endif
+ 
+ static int http_request_split_value(array *vals, buffer *b) {
+-      char *s;
+       size_t i;
+       int state = 0;
++
++      const char *current;
++      const char *token_start = NULL, *token_end = NULL;
+       /*
+        * parse
+        *
+@@ -222,53 +224,52 @@
+ 
+       if (b->used == 0) return 0;
+ 
+-      s = b->ptr;
+-
+-      for (i =0; i < b->used - 1; ) {
+-              char *start = NULL, *end = NULL;
++      current = b->ptr;
++      for (i =  0; i < b->used; ++i, ++current) {
+               data_string *ds;
+ 
+               switch (state) {
+-              case 0: /* ws */
+-
+-                      /* skip ws */
+-                      for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++);
+-
+-
+-                      state = 1;
+-                      break;
+-              case 1: /* value */
+-                      start = s;
+-
+-                      for (; *s != ',' && i < b->used - 1; i++, s++);
+-                      if (start == s) break; /* empty fields are skipped */
+-                      end = s - 1;
+-
+-                      for (; end > start && (*end == ' ' || *end == '\t'); end--);
+-                      if (start == end) break; /* empty fields are skipped */
+-
+-                      if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+-                              ds = data_string_init();
++              case 0: /* find start of a token */
++                      switch (*current) {
++                      case ' ':
++                      case '\t': /* skip white space */
++                      case ',': /* skip empty token */
++                              break;
++                      case '\0': /* end of string */
++                              return 0;
++                      default:
++                              /* found real data, switch to state 1 to find the end of the token */
++                              token_start = token_end = current;
++                              state = 1;
++                              break;
+                       }
++                      break;
++              case 1: /* find end of token and last non white space character */
++                      switch (*current) {
++                      case ' ':
++                      case '\t':
++                              /* space - don't update token_end */
++                              break;
++                      case ',':
++                      case '\0': /* end of string also marks the end of a token */
++                              if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
++                                      ds = data_string_init();
++                              }
+ 
+-                      buffer_copy_string_len(ds->value, start, end-start+1);
+-                      array_insert_unique(vals, (data_unset *)ds);
++                              buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
++                              array_insert_unique(vals, (data_unset *)ds);
+ 
+-                      if (*s == ',') {
+                               state = 0;
+-                              i++;
+-                              s++;
+-                      } else {
+-                              /* end of string */
+-
+-                              state = 2;
++                              break;
++                      default:
++                              /* no white space, update token_end to include current character */
++                              token_end = current;
++                              break;
+                       }
+                       break;
+-              default:
+-                      i++;
+-                      break;
+               }
+       }
++
+       return 0;
+ }
+ 
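Review bot: The last token is flushed only when the loop meets a '\0' inside b->used (the `case '\0':` branch of state 1), so the new http_request_split_value depends on b->ptr being NUL-terminated within b->used; a buffer whose final byte is not '\0' would silently drop its trailing token instead of failing loudly. The removed bound `i < b->used - 1` shows that `used` counts the terminator in this buffer type, so the invariant holds for well-formed buffers, but nothing in the new code states it. I would add above the `for` loop `/* b->used counts the trailing '\0'; the final token is emitted only when that terminator is reached */`, and consider an explicit post-loop check that state is 0 (or an assertion on `b->ptr[b->used - 1]`) so a violated invariant is visible rather than quietly truncating the header list. The two inner hunks omit request.c lines 220–223 (the tail of the "parse" comment above the loop), so the function's header comment is not fully visible here.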
diff -Nru lighttpd-1.4.31/debian/patches/series lighttpd-1.4.31/debian/patches/series
--- lighttpd-1.4.31/debian/patches/series       1970-01-01 01:00:00.000000000 +0100
+++ lighttpd-1.4.31/debian/patches/series       2012-11-21 02:12:50.000000000 +0100
@@ -0,0 +1 @@
+connection-dos.patch


unblock lighttpd/1.4.31-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

