From 4bbcb90e709ee7d5c943ae127f3e923d044c7ba0 Mon Sep 17 00:00:00 2001 From: Eric MacDonald Date: Wed, 21 Jun 2023 22:37:03 +0000 Subject: [PATCH] Revert "lighttd: Upgrade to 1.4.59-1+deb11u2" This reverts commit e61f579d8ba5a4c0e08ba397097ea34b6a15ca05. Reason for revert: experiencing lighttpd process failures Closes-Bug: 2024626 Change-Id: I68be7a128dc300c15002683f7cfd3a8c6cd1c11f --- ...t-spec-include-TiS-changes.patch-fro.patch | 187 ++++++------------ base/lighttpd/debian/meta_data.yaml | 9 +- .../debian/patches/CVE-2022-37797.patch | 53 +++++ .../debian/patches/check-content-length.patch | 98 ++++----- base/lighttpd/debian/patches/series | 1 + 5 files changed, 160 insertions(+), 188 deletions(-) create mode 100644 base/lighttpd/debian/patches/CVE-2022-37797.patch diff --git a/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch b/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch index 784726d7a..17a7165cf 100644 --- a/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch +++ b/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch @@ -1,32 +1,38 @@ -From 95f82fc840c43c964a6c2dcdeaf33b87b44665f3 Mon Sep 17 00:00:00 2001 -From: Zhixiong Chi -Date: Mon, 12 Jun 2023 12:46:45 +0800 +From 91f1bd05e5acc70789d17de47de7813bb615027c Mon Sep 17 00:00:00 2001 +From: Yue Tao +Date: Tue, 9 Mar 2021 18:26:53 -0800 Subject: [PATCH] lighttpd: backport spec-include-TiS-changes.patch from StarlingX f/centos8 branch Signed-off-by: Yue Tao -Signed-off-by: Zhixiong Chi --- - debian/control | 178 ++++++++++++++++++++++++------------------------- - debian/rules | 11 +-- - 2 files changed, 95 insertions(+), 94 deletions(-) + debian/control | 99 ++++++++++++++++++++++++-------------------------- + debian/rules | 12 +++--- + 2 files changed, 55 insertions(+), 56 deletions(-) 
diff --git a/debian/control b/debian/control -index 628bfc7..cae8626 100644 +index 7807525..682477b 100644 --- a/debian/control +++ b/debian/control -@@ -74,8 +74,6 @@ Suggests: +@@ -62,15 +62,12 @@ Suggests: + lighttpd-mod-authn-gssapi, + lighttpd-mod-authn-pam, + lighttpd-mod-authn-sasl, +- lighttpd-mod-cml, + lighttpd-mod-geoip, +- lighttpd-mod-magnet, + lighttpd-mod-maxminddb, + lighttpd-mod-trigger-b4-dl, + lighttpd-mod-vhostdb-dbi, lighttpd-mod-vhostdb-pgsql, lighttpd-mod-webdav, - lighttpd-modules-dbi, - lighttpd-modules-ldap, -- lighttpd-modules-lua, lighttpd-modules-mysql, Description: fast webserver with minimal memory footprint lighttpd is a small webserver and fast webserver developed with -@@ -130,61 +128,61 @@ Description: DBI-based modules for lighttpd - Do not depend on this package. Depend on the provided lighttpd-mod-* - packages instead. +@@ -99,29 +96,29 @@ Description: documentation for lighttpd + . + This package contains documentation for lighttpd. -Package: lighttpd-modules-ldap -Architecture: any 
@@ -51,38 +57,6 @@ index 628bfc7..cae8626 100644 - . - Do not depend on this package. Depend on the provided lighttpd-mod-* - packages instead. -- --Package: lighttpd-modules-lua --Architecture: any --Depends: -- ${misc:Depends}, -- ${shlibs:Depends}, -- lighttpd (= ${binary:Version}), --Breaks: -- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), -- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), --Replaces: -- lighttpd (<< 1.4.56~rc7-0+exp2), -- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), -- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), --Provides: -- ${lighttpd:ModuleProvides}, --Description: LUA-based modules for lighttpd -- This package contains the following modules: -- * mod_magnet: control the request handling module for lighttpd -- mod_magnet can attract a request in several stages in the request-handling. -- either at the same level as mod_rewrite, before any parsing of the URL is -- done or at a later stage, when the doc-root is known and the physical-path -- is already setup. -- * mod_cml: cache meta language module for lighttpd -- With the cache meta language, it is possible to describe to the -- dependencies of a cached file to its source files/scripts. For the -- cache files, the scripting language Lua is used. -- THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. -- . -- Do not depend on this package. Depend on the provided lighttpd-mod-* -- packages instead. -- +#Package: lighttpd-modules-ldap +#Architecture: any +#Depends: 
@@ -106,116 +80,69 @@ index 628bfc7..cae8626 100644 +# . +# Do not depend on this package. Depend on the provided lighttpd-mod-* +# packages instead. -+# -+#Package: lighttpd-modules-lua -+#Architecture: any -+#Depends: -+# ${misc:Depends}, -+# ${shlibs:Depends}, -+# lighttpd (= ${binary:Version}), -+#Breaks: -+# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), -+# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), -+#Replaces: -+# lighttpd (<< 1.4.56~rc7-0+exp2), -+# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), -+# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), -+#Provides: -+# ${lighttpd:ModuleProvides}, -+#Description: LUA-based modules for lighttpd -+# This package contains the following modules: -+# * mod_magnet: control the request handling module for lighttpd -+# mod_magnet can attract a request in several stages in the request-handling. -+# either at the same level as mod_rewrite, before any parsing of the URL is -+# done or at a later stage, when the doc-root is known and the physical-path -+# is already setup. -+# * mod_cml: cache meta language module for lighttpd -+# With the cache meta language, it is possible to describe to the -+# dependencies of a cached file to its source files/scripts. For the -+# cache files, the scripting language Lua is used. -+# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. -+# . -+# Do not depend on this package. Depend on the provided lighttpd-mod-* -+# packages instead. -+# + Package: lighttpd-modules-mysql Architecture: any - Depends: -@@ -231,39 +229,39 @@ Description: anti-deep-linking module for lighttpd +@@ -165,32 +162,32 @@ Description: anti-deep-linking module for lighttpd from other sites by requiring users to visit a trigger URL to be able to download certain files. 
-Package: lighttpd-mod-cml --Section: oldlibs -Architecture: any -Depends: - ${misc:Depends}, - ${shlibs:Depends}, -- lighttpd-modules-lua (= ${binary:Version}), --Description: Transitional dummy package for: cache meta language module for lighttpd +- lighttpd (= ${binary:Version}), +-Recommends: +- memcached, +-Description: cache meta language module for lighttpd - With the cache meta language, it is possible to describe to the - dependencies of a cached file to its source files/scripts. For the - cache files, the scripting language Lua is used. - . - THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. -- . -- While this transitional dummy package will go away, the package name -- continues to exist as a virtual package provided by lighttpd-modules-lua. -- --Package: lighttpd-mod-magnet --Section: oldlibs --Architecture: any --Depends: -- ${misc:Depends}, -- ${shlibs:Depends}, -- lighttpd-modules-lua (= ${binary:Version}), --Description: Transitional dummy package for: control the request handling module for lighttpd -- mod_magnet can attract a request in several stages in the request-handling. -- either at the same level as mod_rewrite, before any parsing of the URL is done -- or at a later stage, when the doc-root is known and the physical-path is -- already setup -- . -- While this transitional dummy package will go away, the package name -- continues to exist as a virtual package provided by lighttpd-modules-lua. -- +#Package: lighttpd-mod-cml -+#Section: oldlibs +#Architecture: any +#Depends: +# ${misc:Depends}, +# ${shlibs:Depends}, -+# lighttpd-modules-lua (= ${binary:Version}), -+#Description: Transitional dummy package for: cache meta language module for lighttpd ++# lighttpd (= ${binary:Version}), ++#Recommends: ++# memcached, ++#Description: cache meta language module for lighttpd +# With the cache meta language, it is possible to describe to the +# dependencies of a cached file to its source files/scripts. 
For the +# cache files, the scripting language Lua is used. +# . +# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. -+# . -+# While this transitional dummy package will go away, the package name -+# continues to exist as a virtual package provided by lighttpd-modules-lua. -+# + +-Package: lighttpd-mod-magnet +-Architecture: any +-Depends: +- ${misc:Depends}, +- ${shlibs:Depends}, +- lighttpd (= ${binary:Version}), +-Description: control the request handling module for lighttpd +- mod_magnet can attract a request in several stages in the request-handling. +- either at the same level as mod_rewrite, before any parsing of the URL is done +- or at a later stage, when the doc-root is known and the physical-path is +- already setup +#Package: lighttpd-mod-magnet -+#Section: oldlibs +#Architecture: any +#Depends: +# ${misc:Depends}, +# ${shlibs:Depends}, -+# lighttpd-modules-lua (= ${binary:Version}), -+#Description: Transitional dummy package for: control the request handling module for lighttpd ++# lighttpd (= ${binary:Version}), ++#Description: control the request handling module for lighttpd +# mod_magnet can attract a request in several stages in the request-handling. +# either at the same level as mod_rewrite, before any parsing of the URL is done +# or at a later stage, when the doc-root is known and the physical-path is +# already setup -+# . -+# While this transitional dummy package will go away, the package name -+# continues to exist as a virtual package provided by lighttpd-modules-lua. -+# + Package: lighttpd-mod-webdav Architecture: any - Depends: diff --git a/debian/rules b/debian/rules -index 5317ce6..7535999 100755 +index 7c0440b..e456781 100755 --- a/debian/rules +++ b/debian/rules @@ -16,6 +16,7 @@ override_dh_clean: @@ -227,21 +154,21 @@ index 5317ce6..7535999 100755 --libexecdir="/usr/lib/lighttpd" \ --with-attr \ 
@@ -23,10 +24,12 @@ override_dh_auto_configure: - --with-dbi \ + --with-fam \ --with-gdbm \ --with-krb5 \ - --with-ldap \ + --without-ldap \ --with-geoip \ --with-memcached \ -- --with-lua=lua5.3 \ +- --with-lua=lua5.1 \ + --without-lua \ + --without-bzip2 \ + --without-memcache \ --with-maxminddb \ - --with-mbedtls \ --with-mysql \ -@@ -37,8 +40,8 @@ override_dh_auto_configure: + --with-openssl \ +@@ -34,8 +37,8 @@ override_dh_auto_configure: --with-pcre \ --with-pgsql \ --with-sasl \ @@ -249,9 +176,17 @@ index 5317ce6..7535999 100755 - --with-webdav-props \ + --without-webdav-locks \ + --without-webdav-props \ - --with-wolfssl \ - --with-xxhash \ $(if $(filter pkg.lighttpd.libunwind,$(DEB_BUILD_PROFILES)),--with-libunwind) \ + CFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get CFLAGS)" \ + LDFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get LDFLAGS)" \ +@@ -49,7 +52,6 @@ override_dh_missing: + dh_missing --fail-missing + + DOCLESS_PACKAGES=\ +- lighttpd-modules-ldap \ + lighttpd-modules-mysql \ + lighttpd-mod-authn-pam \ + lighttpd-mod-authn-sasl \ -- -2.34.1 +2.31.1 diff --git a/base/lighttpd/debian/meta_data.yaml b/base/lighttpd/debian/meta_data.yaml index 4e23f10f1..2162ed374 100644 --- a/base/lighttpd/debian/meta_data.yaml +++ b/base/lighttpd/debian/meta_data.yaml @@ -1,10 +1,11 @@ --- -debver: 1.4.59-1+deb11u2 +debver: 1.4.55-1~bpo10+1 debname: lighttpd dl_path: - name: lighttpd-debian-1.4.59-1+deb11u2.tar.gz - url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.59-1+deb11u2/lighttpd-debian-1.4.59-1+deb11u2.tar.gz - sha256sum: d5d7deda6da461030b4b25111f4f6c535128d2b865c6b2b4b009e83334a275ea + name: lighttpd-debian-1.4.55-1_bpo10+1.tar.gz + url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.55-1_bpo10+1/lighttpd-debian-1.4.55-1_bpo10+1.tar.gz + md5sum: 453d7710982ee44fb5ce41673c6bd0df + sha256sum: 34326941ba0f7c6ff6f2c72890e2a568d0924c11c2c3f3d4174c82a484be81d3 revision: dist: $STX_DIST PKG_GITREVCOUNT: 
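Review bot: In the restored override_dh_auto_configure flags, the added `--without-memcache \` sits two lines below the unchanged `--with-memcached \`; if both refer to the same feature the two flags contradict each other, and if `--without-memcache` is not an option this version's configure script recognises, autoconf only warns and carries on, so it has no effect either way. Worth checking the 1.4.55 configure.ac for which spelling is real and keeping only one; if the intent is to build without memcached support, replacing both lines with a single `--without-memcached \` is the unambiguous form. The override_dh_auto_configure recipe starts before this hunk.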
diff --git a/base/lighttpd/debian/patches/CVE-2022-37797.patch b/base/lighttpd/debian/patches/CVE-2022-37797.patch
new file mode 100644
index 000000000..43200dbfe
--- /dev/null
+++ b/base/lighttpd/debian/patches/CVE-2022-37797.patch
@@ -0,0 +1,53 @@ +From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Tue, 22 Nov 2022 18:58:24 -0800 +Subject: [PATCH] CVE-2022-37797 + + [mod_wstunnel] fix crash with bad hybivers (fixes #3165) + + (thx MichaƂ Dardas) + + x-ref: + "mod_wstunnel null pointer dereference" + https://redmine.lighttpd.net/issues/3165 + +In order to trigger the reproducer on lighttpd 1.4.53, parsing of the +Sec-Websocket-Version needs to be fixed as has been done in later versions. +Due to internal refactoring, the actual NULL pointer dereference has moved +elsewhere, but still crashes. -- Helmut Grohne + +The upstream patch is not a git header format which I have created here. +[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch] +Signed-off-by: Zhixiong Chi +--- + src/mod_wstunnel.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c +index ed5174a..99e3739 100644 +--- a/src/mod_wstunnel.c ++++ b/src/mod_wstunnel.c +@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) { + static int wstunnel_check_request(connection *con, handler_ctx *hctx) { + const buffer * const vers = + http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version")); +- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0; ++ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? 
strtol(vers->ptr, NULL, 10) : -1) : 0; + if (hybivers < 0 || hybivers > INT_MAX) { + DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version"); + con->http_status = 400; /* Bad Request */ +@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da + hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/ + hctx->conf = p->conf; /*(copies struct)*/ + hybivers = wstunnel_check_request(con, hctx); +- if (hybivers < 0) return HANDLER_FINISHED; ++ if (hybivers < 0) { ++ con->mode = DIRECT; ++ return HANDLER_FINISHED; ++ } + hctx->hybivers = hybivers; + if (0 == hybivers) { + DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00"); +-- +2.34.1 + diff --git a/base/lighttpd/debian/patches/check-content-length.patch b/base/lighttpd/debian/patches/check-content-length.patch index 2be33fe7e..d2fbcb025 100644 --- a/base/lighttpd/debian/patches/check-content-length.patch +++ b/base/lighttpd/debian/patches/check-content-length.patch @@ -1,49 +1,37 @@ -From 98b8cbc80e14e6b47b13bcddfedc0bdc8d2abf19 Mon Sep 17 00:00:00 2001 -From: Zhixiong Chi -Date: Mon, 12 Jun 2023 02:23:58 -0700 -Subject: [PATCH] check content-length - -Rebase this local patch for StarlingX. +From 65107586a55c594c44b0a97a2d6756f6a0f0a5ca Mon Sep 17 00:00:00 2001 +From: Giao Le +Date: Mon, 27 Aug 2018 19:41:36 +0800 +Subject: [PATCH] check-length Signed-off-by: zhipengl -Signed-off-by: Giao Le -Signed-off-by: Zhixiong Chi --- - src/request.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 49 insertions(+) + src/request.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) diff --git a/src/request.c b/src/request.c -index 62f2f0cb..e9668d42 100644 +index d25e1e7..fe541a5 100644 --- a/src/request.c 
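Review bot: The re-added backport still parses the version with `strtol(vers->ptr, NULL, 10)` and never inspects the end pointer, so the new `light_isdigit(*vers->ptr)` guard only validates the first byte and a header value such as `13abc` is still accepted as 13. That matches the Debian buster-security patch the header says it was copied from, so if the file is meant to stay byte-identical with that source the lenient parse should at least be mentioned in the patch description; a stricter variant would pass an end pointer and reject trailing bytes. More generally this patch comes back only because the restored 1.4.55-1~bpo10+1 base lacks the fix that the reverted 1.4.59-1+deb11u2 carried, and nothing in this hunk shows whether other upstream fixes between those two versions are covered elsewhere — worth recording in the revert message. wstunnel_check_request continues past the hunk.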
+++ b/src/request.c -@@ -8,16 +8,48 @@ - #include "first.h" - - #include "request.h" -+#include "base.h" - #include "burl.h" - #include "http_header.h" - #include "http_kv.h" +@@ -8,10 +8,39 @@ #include "log.h" #include "sock_addr.h" +#include #include - #include #include #include +#include -+ -+static size_t get_tempdirs_free_space(request_st * const restrict r) + ++static size_t get_tempdirs_free_space(server *srv) +{ + int i; + int valid = 0; + size_t total = 0; -+ array *dirs = r->con->srv->srvconf.upload_tempdirs; ++ array *dirs = srv->srvconf.upload_tempdirs; + + for (i = 0; i < (int)dirs->used; ++i) { + struct statvfs stat; -+ const char *name = ((data_string *)dirs->data[i])->value.ptr; ++ const char *name = ((data_string *)dirs->data[i])->value->ptr; + int ret = statvfs(name, &stat); + + if (ret >= 0) { 
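Review bot: In the restored `get_tempdirs_free_space(server *srv)` the local `struct statvfs stat;` shadows the libc `stat()` function if `<sys/stat.h>` is in scope here, which `-Wshadow` will flag and which makes the `statvfs(name, &stat)` call read oddly; `struct statvfs st;` avoids it. The loop `for (i = 0; i < (int)dirs->used; ++i)` also casts an unsigned count to `int` purely to match the `int i` index; `for (size_t i = 0; i < dirs->used; ++i)` drops the cast and the truncation risk. The header names on the two `+#include` lines appear to have been lost in this rendering, so I cannot confirm `<sys/statvfs.h>` and `<errno.h>` are the ones pulled in. The function body and its return continue in the next hunk.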
@@ -52,47 +40,41 @@ index 62f2f0cb..e9668d42 100644 + valid = 1; + } + else { -+ if (r->conf.log_request_header_on_error) { -+ log_error(r->conf.errh, __FILE__, __LINE__, -+ "statvfs error, dir: %s, eno: %s\n", -+ name, strerror(errno)); -+ } ++ log_error_write(srv, __FILE__, __LINE__, "ssss", ++ "dir:", name, ++ "error:", strerror(errno)); + } + } + + return (valid) ? total : SSIZE_MAX; +} - - static int request_check_hostname(buffer * const host) { ++ + static int request_check_hostname(buffer *host) { enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL; -@@ -1260,10 +1292,27 @@ http_request_parse (request_st * const restrict r, const int scheme_port) - http_header_request_unset(r, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length")); - } - } + size_t i; +@@ -928,6 +957,22 @@ int http_request_parse(server *srv, conn + if (!state.con_length_set) { + return http_request_header_line_invalid(srv, 411, "POST-request, but content-length missing -> 411"); + } ++ /* content-length is larger than 64k */ ++ if (con->request.content_length > 64*1024) { ++ size_t disk_free = get_tempdirs_free_space(srv); ++ if (con->request.content_length > disk_free) { ++ con->http_status = 413; ++ con->keep_alive = 0; + - if (http_method_get_or_head(r->http_method) - && !(http_parseopts & HTTP_PARSEOPT_METHOD_GET_BODY)) { - return http_request_header_line_invalid(r, 400, "GET/HEAD with content-length -> 400"); - } ++ log_error_write(srv, __FILE__, __LINE__, "ssosos", ++ "not enough free space in tempdirs:", ++ "length =", (off_t) con->request.content_length, ++ "free =", (off_t) disk_free, ++ "-> 413"); ++ return 0; ++ } ++ } + -+ /* content-length is larger than 64k */ -+ if (r->reqbody_length > 64*1024 && HTTP_METHOD_POST == r->http_method) { -+ size_t disk_free = get_tempdirs_free_space(r); -+ if (r->reqbody_length > disk_free) { -+ r->http_status = 413; -+ r->keep_alive = 0; -+ if (r->conf.log_request_header_on_error) { -+ log_error(r->conf.errh, __FILE__, __LINE__, -+ "not enough 
free space in tempdirs:\n length =%d\n free=%d\ncontent-length -> 413",
-+ r->reqbody_length,
-+ disk_free);
-+ }
-+ return 0;
-+ }
-+ }
- }
-
- return 0;
+ break;
+ default:
+ break;
 -- 
-2.39.0
+2.21.0
diff --git a/base/lighttpd/debian/patches/series b/base/lighttpd/debian/patches/series
index 0781feede..27197e0f6 100644
--- a/base/lighttpd/debian/patches/series
+++ b/base/lighttpd/debian/patches/series
@@ -1 +1,2 @@
 check-content-length.patch
+CVE-2022-37797.patch
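Review bot: The 413 check restored in the POST branch of http_request_parse compares `con->request.content_length > disk_free`, an `off_t` against a `size_t`, so the signed length is converted to unsigned before the comparison; it is presumably non-negative at this point, but comparing `(off_t)disk_free` keeps the intent explicit, and the fallback of `SSIZE_MAX` from get_tempdirs_free_space means that when no tempdir can be queried the check is silently skipped rather than failing closed. The value is also the sum over every configured upload_tempdirs at one instant, while the body is spooled into a single directory and free space can shrink before the upload completes, so this is an early best-effort rejection and the spool write path still has to handle ENOSPC; a comment such as `/* best-effort: aggregate free space at parse time, not a reservation */` above the existing `/* content-length is larger than 64k */` would stop a reader treating it as a guarantee. The `64*1024` threshold would read better as a named constant. Unlike the removed side, the `log_error_write` here is not gated by a log-on-error config flag, so every oversized request writes an error-log line; if this base still exposes `con->conf.log_request_header_on_error`, gating the message on it bounds client-triggered log volume. The enclosing switch and function continue outside the hunk.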