-rw-r--r-- | debian/changelog | 9 | ||||
-rw-r--r-- | debian/patches/lighttpd-1.4.x_request_header_memleak.patch | 50 | ||||
-rw-r--r-- | debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch | 122 | ||||
-rw-r--r-- | debian/patches/lighttpd-1.4.x_userdir_lowercase.patch | 38 | ||||
-rw-r--r-- | debian/patches/series | 3 |
5 files changed, 220 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 6b5b0e5..1faa1a5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,13 @@
-lighttpd (1.4.19-5) UNRELEASED; urgency=low
+lighttpd (1.4.19-5) unstable; urgency=high
 * Remove the alias.url stanza from 10-cgi.conf (Closes: #499334).
+ * Add patches for lighttpd security 2008-05 to 2008-07 (no CVE yet):
+ + patches/lighttpd-1.4.x_request_header_memleak.patch
+ + patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
+ + patches/lighttpd-1.4.x_userdir_lowercase.patch
+ * Urgency set to high for security fix.
- -- Pierre Habouzit <madcoder@debian.org> Sat, 27 Sep 2008 11:56:34 +0200
+ -- Pierre Habouzit <madcoder@debian.org> Sat, 27 Sep 2008 12:00:47 +0200
 lighttpd (1.4.19-4) unstable; urgency=high
diff --git a/debian/patches/lighttpd-1.4.x_request_header_memleak.patch b/debian/patches/lighttpd-1.4.x_request_header_memleak.patch
new file mode 100644
index 0000000..5222cda
--- /dev/null
+++ b/debian/patches/lighttpd-1.4.x_request_header_memleak.patch
@@ -0,0 +1,50 @@
+--- src/request.c.orig
++++ src/request.c
+@@ -825,6 +825,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+
+@@ -874,6 +875,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Expect")))) {
+@@ -911,6 +913,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) {
+@@ -936,6 +939,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) {
+@@ -953,6 +957,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) {
+@@ -976,6 +981,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ }
diff --git a/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch b/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
new file mode 100644
index 0000000..0ac4ae6
--- /dev/null
+++ b/debian/patches/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
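Review bot: The six `array_insert_unique(con->request.headers, (data_unset *)ds);` lines added to src/request.c by lighttpd-1.4.x_request_header_memleak.patch carry no comment, so each one reads as if a header that is being rejected were accepted just before `return 0;`. Going by the patch name, the insert presumably exists only to hand `ds` to the header array so it is released with the request; a comment at the first site would state that, e.g. `/* give ds to the header array so it is freed with the request; the request is still rejected */`. Each inner hunk shows only the tail of one error branch, and the enclosing function starts and ends outside them, so any other early `return 0;` reached after `ds` is allocated cannot be checked from here and should be audited for the same leak. Six identical statements also suggest a single cleanup path would be easier to keep complete than per-branch inserts.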
@@ -0,0 +1,122 @@
+--- src/mod_rewrite.c.orig
++++ src/mod_rewrite.c
+@@ -350,7 +350,11 @@
+
+ if (!p->conf.rewrite) return HANDLER_GO_ON;
+
+- buffer_copy_string_buffer(p->match_buf, con->request.uri);
++ buffer_copy_string_buffer(p->match_buf, con->uri.path);
++ if (con->uri.query->used > 0) {
++ buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++ buffer_append_string_buffer(p->match_buf, con->uri.query);
++ }
+
+ for (i = 0; i < p->conf.rewrite->used; i++) {
+ pcre *match;
+--- src/response.c.orig
++++ src/response.c
+@@ -224,27 +224,6 @@
+ }
+
+
+- /**
+- *
+- * call plugins
+- *
+- * - based on the raw URL
+- *
+- */
+-
+- switch(r = plugins_call_handle_uri_raw(srv, con)) {
+- case HANDLER_GO_ON:
+- break;
+- case HANDLER_FINISHED:
+- case HANDLER_COMEBACK:
+- case HANDLER_WAIT_FOR_EVENT:
+- case HANDLER_ERROR:
+- return r;
+- default:
+- log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
+- break;
+- }
+-
+ /* build filename
+ *
+ * - decode url-encodings (e.g. %20 -> ' ')
+@@ -252,7 +231,6 @@
+ */
+
+
+-
+ if (con->request.http_method == HTTP_METHOD_OPTIONS &&
+ con->uri.path_raw->ptr[0] == '*' && con->uri.path_raw->ptr[1] == '\0') {
+ /* OPTIONS * ... */
+@@ -268,6 +246,28 @@
+ log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path);
+ }
+
++
++ /**
++ *
++ * call plugins
++ *
++ * - based on the raw URL
++ *
++ */
++
++ switch(r = plugins_call_handle_uri_raw(srv, con)) {
++ case HANDLER_GO_ON:
++ break;
++ case HANDLER_FINISHED:
++ case HANDLER_COMEBACK:
++ case HANDLER_WAIT_FOR_EVENT:
++ case HANDLER_ERROR:
++ return r;
++ default:
++ log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
++ break;
++ }
++
+ /**
+ *
+ * call plugins
+--- tests/mod-rewrite.t.orig
++++ tests/mod-rewrite.t
+@@ -8,7 +8,7 @@
+
+ use strict;
+ use IO::Socket;
+-use Test::More tests => 5;
++use Test::More tests => 4;
+ use LightyTest;
+
+ my $tf = LightyTest->new();
+@@ -44,5 +44,13 @@
+ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'bar&a=b' } ];
+ ok($tf->handle_http($t) == 0, 'valid request');
+
++ $t->{REQUEST} = ( <<EOF
++GET %2Frewrite/f%6Fo?a=b HTTP/1.0
++Host: www.example.org
++EOF
++ );
++ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'a=b' } ];
++ ok($tf->handle_http($t) == 0, 'valid request with url encoded characters');
++
+ ok($tf->stop_proc == 0, "Stopping lighttpd");
+ }
+--- src/mod_redirect.c.orig
++++ src/mod_redirect.c
+@@ -178,7 +178,11 @@
+
+ mod_redirect_patch_connection(srv, con, p);
+
+- buffer_copy_string_buffer(p->match_buf, con->request.uri);
++ buffer_copy_string_buffer(p->match_buf, con->uri.path);
++ if (con->uri.query->used > 0) {
++ buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++ buffer_append_string_buffer(p->match_buf, con->uri.query);
++ }
+
+ for (i = 0; i < p->conf.redirect->used; i++) {
+ pcre *match;
diff --git a/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch b/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch
new file mode 100644
index 0000000..8880101
--- /dev/null
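Review bot: The `plugins_call_handle_uri_raw` block that lighttpd-1.4.x_rewrite_redirect_decode_url.patch moves in src/response.c keeps its comment `- based on the raw URL`, yet it now sits below the `decode url-encodings` step, so the comment and the hook name say the opposite of what plugins now receive. mod_rewrite and mod_redirect now match on `con->uri.path` followed by `?` and `con->uri.query`, so the comment should describe that, e.g. `* - runs after url-decoding; rules are matched against con->uri.path plus the query string`. The reordering applies to every plugin registered on this hook, not only the two patched here, and existing rules written against percent-encoded paths will presumably stop matching, which deserves a line in the changelog entry. In tests/mod-rewrite.t the plan goes from `tests => 5` to `tests => 4` while one `ok(...)` is added; the rest of the test file is outside the hunk, but the count appears to move the wrong way.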
+++ b/debian/patches/lighttpd-1.4.x_userdir_lowercase.patch
@@ -0,0 +1,38 @@
+--- src/mod_userdir.c.orig
++++ src/mod_userdir.c
+@@ -262,6 +262,9 @@
+ return HANDLER_GO_ON;
+ }
+ }
++ if (con->conf.force_lowercase_filenames) {
++ buffer_to_lower(p->username);
++ }
+
+ buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
+ BUFFER_APPEND_SLASH(p->temp_path);
+@@ -284,8 +287,24 @@
+ }
+ }
+
++ /* the physical rel_path is basically the same as uri.path;
++ * but it is converted to lowercase in case of force_lowercase_filenames and some special handling
++ * for trailing '.', ' ' and '/' on windows
++ * we assume that no docroot/physical handler changed this
++ * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
++ * the exception mod_secure_download doesn't work with userdir anyway)
++ */
+ BUFFER_APPEND_SLASH(p->temp_path);
+- buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++ /* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
++ * on windows.
++ * we do not care about the trailing slash here on windows, as we already ensured it is a directory
++ *
++ * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
++ * as a username without them.
++ */
++ if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
++ buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++ }
+ buffer_copy_string_buffer(con->physical.path, p->temp_path);
+
+ buffer_reset(p->temp_path);
diff --git a/debian/patches/series b/debian/patches/series
index a38644a..c41eb2e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,6 @@ ldap_leak_bugfix.patch
 ldap_build_filter_fix.patch
 ldap-deprecated.patch
 ssl-connection-errors.patch
+lighttpd-1.4.x_request_header_memleak.patch -p0
+lighttpd-1.4.x_userdir_lowercase.patch -p0
+lighttpd-1.4.x_rewrite_redirect_decode_url.patch -p0 |
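Review bot: The new `strchr(con->physical.rel_path->ptr + 2, '/')` in src/mod_userdir.c (lighttpd-1.4.x_userdir_lowercase.patch) starts scanning at offset 2 of `physical.rel_path` with no length check, relying only on the comment's assumption that no docroot/physical handler changed it from `uri.path`. If that assumption ever fails and rel_path holds fewer than two characters, the scan begins past the terminator; the guard can be made explicit with `if (con->physical.rel_path->used > 2 && NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {`, assuming `used` counts the terminating NUL in this buffer type. The earlier validation of the request prefix is outside the hunk, so confirm whether it covers rel_path or only uri.path. The TODO about trailing dots in Windows usernames is left open in a security fix whose purpose is to stop two spellings reaching one directory, so it should be tracked as a follow-up rather than left as a comment.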