diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
deleted file mode 100644
index f4e93d1065..0000000000
--- a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
+++ /dev/null
@@ -1,97 +0,0 @@ -Upstream-Status: Backport -CVE: CVE-2022-22707 -Signed-off-by: Ross Burton - -From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001 -From: povcfe -Date: Wed, 5 Jan 2022 11:11:09 +0000 -Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134) - -(thx povcfe) - -(edited: gstrauss) - -There is a potential remote denial of service in lighttpd mod_extforward -under specific, non-default and uncommon 32-bit lighttpd mod_extforward -configurations. - -Under specific, non-default and uncommon lighttpd mod_extforward -configurations, a remote attacker can trigger a 4-byte out-of-bounds -write of value '-1' to the stack. This is not believed to be exploitable -in any way beyond triggering a crash of the lighttpd server on systems -where the lighttpd server has been built 32-bit and with compiler flags -which enable a stack canary -- gcc/clang -fstack-protector-strong or --fstack-protector-all, but bug not visible with only -fstack-protector. - -With standard lighttpd builds using -O2 optimization on 64-bit x86_64, -this bug has not been observed to cause adverse behavior, even with -gcc/clang -fstack-protector-strong. - -For the bug to be reachable, the user must be using a non-default -lighttpd configuration which enables mod_extforward and configures -mod_extforward to accept and parse the "Forwarded" header from a trusted -proxy. At this time, support for RFC7239 Forwarded is not common in CDN -providers or popular web server reverse proxies. It bears repeating that -for the user to desire to configure lighttpd mod_extforward to accept -"Forwarded", the user must also be using a trusted proxy (in front of -lighttpd) which understands and actively modifies the "Forwarded" header -sent to lighttpd. 
- -lighttpd natively supports RFC7239 "Forwarded" -hiawatha natively supports RFC7239 "Forwarded" - -nginx can be manually configured to add a "Forwarded" header -https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ - -A 64-bit build of lighttpd on x86_64 (not known to be affected by bug) -in front of another 32-bit lighttpd will detect and reject a malicious -"Forwarded" request header, thereby thwarting an attempt to trigger -this bug in an upstream 32-bit lighttpd. - -The following servers currently do not natively support RFC7239 Forwarded: -nginx -apache2 -caddy -node.js -haproxy -squid -varnish-cache -litespeed - -Given the general dearth of support for RFC7239 Forwarded in popular -CDNs and web server reverse proxies, and given the prerequisites in -lighttpd mod_extforward needed to reach this bug, the number of lighttpd -servers vulnerable to this bug is estimated to be vanishingly small. -Large systems using reverse proxies are likely running 64-bit lighttpd, -which is not known to be adversely affected by this bug. - -In the future, it is desirable for more servers to implement RFC7239 -Forwarded. lighttpd developers would like to thank povcfe for reporting -this bug so that it can be fixed before more CDNs and web servers -implement RFC7239 Forwarded. 
- -x-ref: - "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1" - https://redmine.lighttpd.net/issues/3134 - (not yet written or published) - CVE-2022-22707 ---- - src/mod_extforward.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/mod_extforward.c b/src/mod_extforward.c -index ba957e04..fdaef7f6 100644 ---- a/src/mod_extforward.c -+++ b/src/mod_extforward.c -@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c - while (s[i] == ' ' || s[i] == '\t') ++i; - if (s[i] == ';') { ++i; continue; } - if (s[i] == ',') { -- if (j >= (int)(sizeof(offsets)/sizeof(int))) break; -+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break; - offsets[++j] = -1; /*("offset" separating params from next proxy)*/ - ++i; - continue; --- -2.25.1 - diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb similarity index 91% rename from meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb rename to meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb index 6359310772..8d2e77e011 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.64.bb @@ -14,13 +14,12 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \ lighttpd-module-accesslog" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \ - file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ " -SRC_URI[sha256sum] = "2aef7f0102ebf54a1241a1c3ea8976892f8684bfb21697c9fffb8de0e2d6eab9" +SRC_URI[sha256sum] = "e1489d9fa7496fbf2e071c338b593b2300d38c23f1e5967e52c9ef482e1b0e26" DEPENDS = "virtual/crypt" 
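Review bot: The new SRC_URI drops the CVE-2022-22707 backport (0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch, upstream commit 27103f3f) without anything in the hunk recording that the 1.4.64 tarball already carries that fix; that is the expected outcome for an `Upstream-Status: Backport` patch, but it should be confirmed by checking that `src/mod_extforward.c` in the new tarball has the `(int)(sizeof(offsets)/sizeof(int))-1` bound, and stated in the commit message so CVE tracking for this recipe stays auditable. The tarball is still fetched over plain `http://download.lighttpd.net/...`, so the new `SRC_URI[sha256sum]` line is the only integrity control on the source. Consider changing the context line to `https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \` and cross-checking the new hash against the checksum or signature upstream publishes for the release rather than against the downloaded file alone.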
@@ -39,8 +38,6 @@ PACKAGECONFIG[zlib] = "-Dwith_zlib=true,-Dwith_zlib=false,zlib"
 PACKAGECONFIG[bzip2] = "-Dwith_bzip=true,-Dwith_bzip=false,bzip2"
 PACKAGECONFIG[webdav-props] = "-Dwith_webdav_props=true,-Dwith_webdav_props=false,libxml2 sqlite3"
 PACKAGECONFIG[webdav-locks] = "-Dwith_webdav_locks=true,-Dwith_webdav_locks=false,util-linux"
-PACKAGECONFIG[gdbm] = "-Dwith_gdbm=true,-Dwith_gdbm=false,gdbm"
-PACKAGECONFIG[memcache] = "-Dwith_memcached=true,-Dwith_memcached=false,libmemcached"
 PACKAGECONFIG[lua] = "-Dwith_lua=true,-Dwith_lua=false,lua"
 PACKAGECONFIG[zstd] = "-Dwith_zstd=true,-Dwith_zstd=false,zstd"