mirror of
https://git.yoctoproject.org/poky
synced 2026-01-29 21:08:42 +01:00
lighttpd: backport a fix for CVE-2022-22707
Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward.

(From OE-Core rev: 7758596613cc442f647fd4625b36532f30e6129f)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by Richard Purdie
parent 40c56a5019
commit 3b52dee71b
@@ -0,0 +1,97 @@
Upstream-Status: Backport
CVE: CVE-2022-22707
Signed-off-by: Ross Burton <ross.burton@arm.com>

From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
From: povcfe <povcfe@qq.com>
Date: Wed, 5 Jan 2022 11:11:09 +0000
Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)

(thx povcfe)

(edited: gstrauss)

There is a potential remote denial of service in lighttpd mod_extforward
under specific, non-default and uncommon 32-bit lighttpd mod_extforward
configurations.

Under specific, non-default and uncommon lighttpd mod_extforward
configurations, a remote attacker can trigger a 4-byte out-of-bounds
write of value '-1' to the stack. This is not believed to be exploitable
in any way beyond triggering a crash of the lighttpd server on systems
where the lighttpd server has been built 32-bit and with compiler flags
which enable a stack canary -- gcc/clang -fstack-protector-strong or
-fstack-protector-all, but bug not visible with only -fstack-protector.

With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
this bug has not been observed to cause adverse behavior, even with
gcc/clang -fstack-protector-strong.

For the bug to be reachable, the user must be using a non-default
lighttpd configuration which enables mod_extforward and configures
mod_extforward to accept and parse the "Forwarded" header from a trusted
proxy. At this time, support for RFC7239 Forwarded is not common in CDN
providers or popular web server reverse proxies. It bears repeating that
for the user to desire to configure lighttpd mod_extforward to accept
"Forwarded", the user must also be using a trusted proxy (in front of
lighttpd) which understands and actively modifies the "Forwarded" header
sent to lighttpd.

lighttpd natively supports RFC7239 "Forwarded"
hiawatha natively supports RFC7239 "Forwarded"

nginx can be manually configured to add a "Forwarded" header
https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
in front of another 32-bit lighttpd will detect and reject a malicious
"Forwarded" request header, thereby thwarting an attempt to trigger
this bug in an upstream 32-bit lighttpd.

The following servers currently do not natively support RFC7239 Forwarded:
nginx
apache2
caddy
node.js
haproxy
squid
varnish-cache
litespeed

Given the general dearth of support for RFC7239 Forwarded in popular
CDNs and web server reverse proxies, and given the prerequisites in
lighttpd mod_extforward needed to reach this bug, the number of lighttpd
servers vulnerable to this bug is estimated to be vanishingly small.
Large systems using reverse proxies are likely running 64-bit lighttpd,
which is not known to be adversely affected by this bug.

In the future, it is desirable for more servers to implement RFC7239
Forwarded. lighttpd developers would like to thank povcfe for reporting
this bug so that it can be fixed before more CDNs and web servers
implement RFC7239 Forwarded.

x-ref:
"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
https://redmine.lighttpd.net/issues/3134
(not yet written or published)
CVE-2022-22707
---
src/mod_extforward.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index ba957e04..fdaef7f6 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
while (s[i] == ' ' || s[i] == '\t') ++i;
if (s[i] == ';') { ++i; continue; }
if (s[i] == ',') {
- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
offsets[++j] = -1; /*("offset" separating params from next proxy)*/
++i;
continue;
--
2.25.1

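Review bot: The corrected guard `if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;` is right only because the store that follows it is `offsets[++j] = -1;` with a pre-increment: the old test `j >= N` still let j == N-1 through and then wrote -1 into offsets[N], one int (the 4 bytes the description refers to) past the end of the stack array. Consider making that dependency explicit, either with a comment stating that j+1 must be a valid index or by writing the test as `j + 1 >= (int)(sizeof(offsets)/sizeof(int))`, so that a later edit to either line does not reintroduce the off-by-one. Separately, the backport header carries only `Upstream-Status: Backport`; citing the upstream commit (the hash in the From: line, 27103f3f8b1a2857aa45b889e775435f7daf141f) or the redmine issue URL already given under x-ref next to that tag would let a reviewer verify provenance without reading the whole patch.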
@@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \
lighttpd-module-accesslog"

SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
file://index.html.lighttpd \
file://lighttpd.conf \
file://lighttpd \
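Review bot: The new `file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch` entry follows the existing one-entry-per-line, backslash-continued SRC_URI layout, so there is no structural issue, but the file name ends in `313` while the patch subject reads `(fixes #3134)`; that looks like git format-patch truncating the subject when it generated the name. Renaming the file so the full issue number or the CVE id appears would stop a reader from assuming a different ticket was meant. Note also that the `CVE: CVE-2022-22707` tag lives in the patch header rather than in this recipe, which is the form cve-check consumes, so that tag has to survive any later refresh of the patch.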
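The bug the patch description explains, a pre-increment store guarded by a check that leaves no room for it, is easier to see in isolation. Below is an added example written for this page, not code from lighttpd or from the poky commit: a small C model of the separator loop visible in the hunk, run with both the pre-fix guard (j >= N) and the post-fix guard (j >= N-1) over a constructed Forwarded value that contains more comma-separated proxy elements than the array can record. The array size N_OFFSETS, the starting value of j, the skipping of parameter text between separators and the sample header value are all assumptions; the real function's surrounding code is not on the page. Rather than performing the out-of-bounds store, every write goes through a bounds-checked helper that counts stores that would have landed outside offsets[], so the program has defined behaviour while still exhibiting the off-by-one.

```c
/*
 * Added example for this page (not lighttpd code and not part of the poky
 * commit): a model of the ',' / ';' separator scan shown in the patch hunk.
 * lighttpd records header parameter positions in a fixed-size int array
 * `offsets` and executes `offsets[++j] = -1` for every ',' (next proxy).
 * Because of the pre-increment, the guard before that store must leave room
 * for index j+1; the original test `j >= N` did not, allowing a write to
 * offsets[N]. The array size, the starting value of j, the parameter
 * skipping and the sample header are assumptions made for this model.
 */
#include <stdio.h>
#include <string.h>

#define N_OFFSETS 8   /* assumed size; the real array's size is not shown */

struct scan_result {
    int separators;   /* ',' separators accepted before the guard broke out */
    int oob_writes;   /* stores that would have landed outside offsets[] */
    int last_index;   /* highest index actually written, -1 if none */
};

/* Perform offsets[idx] = v only when idx is in range; otherwise count it. */
static void checked_store(int *offsets, int idx, int v, struct scan_result *res)
{
    if (idx < 0 || idx >= N_OFFSETS) {
        res->oob_writes++;
        return;
    }
    offsets[idx] = v;
    if (idx > res->last_index)
        res->last_index = idx;
}

/*
 * Walk a Forwarded header value the way the patched loop does. fixed == 0
 * uses the pre-patch guard (j >= N), fixed == 1 the post-patch guard
 * (j >= N-1). Parameter text between separators is skipped, since only the
 * ',' handling matters for the bug.
 */
struct scan_result scan_forwarded(const char *s, int fixed)
{
    int offsets[N_OFFSETS];
    struct scan_result res = { 0, 0, -1 };
    int j = 0;        /* assumed: slot 0 is already in use for the first proxy */
    size_t i = 0;

    memset(offsets, 0, sizeof offsets);
    checked_store(offsets, j, 0, &res);

    while (s[i] != '\0') {
        while (s[i] == ' ' || s[i] == '\t') ++i;
        if (s[i] == ';') { ++i; continue; }
        if (s[i] == ',') {
            int limit = (int)(sizeof(offsets)/sizeof(int)) - (fixed ? 1 : 0);
            if (j >= limit) break;
            /* lighttpd: offsets[++j] = -1;  stores at index j+1, then j = j+1 */
            checked_store(offsets, ++j, -1, &res);
            res.separators++;
            ++i;
            continue;
        }
        /* param=value: advance to the next separator (or end of string) */
        while (s[i] != '\0' && s[i] != ';' && s[i] != ',') ++i;
    }
    return res;
}

/* Constructed input: eleven proxy elements, i.e. ten ',' separators, which
 * is more than N_OFFSETS slots can record. */
const char *sample_forwarded(void)
{
    return "for=203.0.113.1;proto=https, for=p1, for=p2, for=p3, for=p4,"
           " for=p5, for=p6, for=p7, for=p8, for=p9, for=p10";
}

int main(void)
{
    struct scan_result before = scan_forwarded(sample_forwarded(), 0);
    struct scan_result after  = scan_forwarded(sample_forwarded(), 1);

    printf("pre-fix guard  (j >= N)  : %d separators, %d out-of-bounds store(s)\n",
           before.separators, before.oob_writes);
    printf("post-fix guard (j >= N-1): %d separators, %d out-of-bounds store(s)\n",
           after.separators, after.oob_writes);
    return 0;
}
```

With the pre-fix guard the model accepts N_OFFSETS separators and reports one out-of-bounds store, the one made at index N_OFFSETS when j was already N_OFFSETS-1; with the post-fix guard it breaks out one separator earlier and reports none. That is the whole fix: the guard has to account for the slot the pre-increment is about to use, not the slot j currently names. The model does not reproduce the stack layout, so it says nothing about why the crash in the description appears only under canary-enabled 32-bit builds; it only shows which store the old test lets through.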