From 4a0bceb5ae9b68ae0f8cda2fb03fd6e2e5735e64 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 14 Jan 2022 15:01:57 +0800
Subject: [PATCH] Fix CVE-2022-22707

(cherry picked from commit 1186aab2a45cadeee1f82c8549d9e2bc59710caa)
---
 CVE-2022-22707.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++
 lighttpd.spec | 7 +++-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-22707.patch

diff --git a/CVE-2022-22707.patch b/CVE-2022-22707.patch
new file mode 100644
index 0000000..9c5bbc8
--- /dev/null
+++ b/CVE-2022-22707.patch
@@ -0,0 +1,90 @@
+From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
+From: povcfe
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded. lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+ "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+ https://redmine.lighttpd.net/issues/3134
+ (not yet written or published)
+ CVE-2022-22707
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index 733231fd2..1a04befa6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
diff --git a/lighttpd.spec b/lighttpd.spec
index c70cd6a..65afeed 100644
--- a/lighttpd.spec
+++ b/lighttpd.spec
@@ -20,7 +20,7 @@ Summary: Lightning fast webserver with light system requirements
 Name: lighttpd
 Version: 1.4.53
-Release: 1
+Release: 2
 License: BSD-3-Clause and OML and GPLv3 and GPLv2
 URL: https://github.com/lighttpd/lighttpd1.4
 Source0: https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.53.tar.gz
@@ -29,6 +29,7 @@ Source2: php.d-lighttpd.ini
 Source3: lighttpd.init
 Source4: lighttpd.service
 Patch0: lighttpd-1.4.45-defaultconf.patch
+Patch1: CVE-2022-22707.patch
 Requires: %{name}-filesystem
 %if %{with systemd}
 Requires(post): systemd
@@ -106,6 +107,7 @@ for the directories.
 %prep
 %setup -q -n lighttpd1.4-%{name}-%{version}
 %patch0 -p0 -b .defaultconf
+%patch1 -p1
 %build
 autoreconf -if
@@ -252,5 +254,8 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 %changelog
+* Fri Jan 14 2022 yaoxin - 1.4.53-2
+- Fix CVE-2022-22707
+
 * Fri Jan 8 2021 chengzihan - 1.4.53-1
 - Package init
-- 
Gitee
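Review bot: The corrected bound `if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;` now keeps the following `offsets[++j] = -1;` inside the array, but it depends on two things this hunk does not show: `offsets` must be a genuine `int` array (not a pointer parameter, or `sizeof` gives the pointer size) declared earlier in `mod_extforward_Forwarded`, and `break` must leave the parser in a state the caller treats as a malformed header rather than as a valid, silently truncated proxy list — the commit message's claim that a fixed server "will detect and reject" an oversized Forwarded header should be confirmed against the code after the loop. The off-by-one intent deserves a comment on the changed line, e.g. `/* offsets[++j] below writes index j+1; stop while j+1 is still in bounds */`. Since this is a backport onto 1.4.53 of a hunk whose context was generated against a much newer mod_extforward.c (line 673), it is worth confirming that `%patch1 -p1` applies cleanly without fuzz at this exact location. `mod_extforward_Forwarded` both starts and ends outside the hunk.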