!4 Fix CVE-2022-22707

Merge pull request !4 from starlet_dx/openEuler-22.03-LTS-Next
2022-01-14 08:07:15 +00:00 · 2022-01-14 08:07:15 +00:00 · 3a9a033a6b
commit 3a9a033a6b
parent 53416846a3 e8bceea446
2 changed files with 96 additions and 1 deletions
--- a/CVE-2022-22707.patch
+++ b/CVE-2022-22707.patch
@ -0,0 +1,90 @@
+From 8c62a890e23f5853b1a562b03fe3e1bccc6e7664 Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded.  lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+  "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+  https://redmine.lighttpd.net/issues/3134
+  (not yet written or published)
+  CVE-2022-22707
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index 733231fd2..1a04befa6 100644
+--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+         while (s[i] == ' ' || s[i] == '\t') ++i;
+         if (s[i] == ';') { ++i; continue; }
+         if (s[i] == ',') {
+-            if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+            if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+             offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+             ++i;
+             continue;
--- a/lighttpd.spec
+++ b/lighttpd.spec
@ -20,7 +20,7 @@
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
 Version:             1.4.63
-Release:             1
+Release:             2
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
 Source0:             https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.63.tar.gz
@ -31,6 +31,7 @@ Source4:             lighttpd.service
 Patch0:              lighttpd-1.4.62-defaultconf.patch
 Patch1:              5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch
 Patch2:              492773a20f8a1deb1c94e25d40023970dd9608a1.patch
+Patch3:              CVE-2022-22707.patch
 Requires:            %{name}-filesystem
 %if %{with systemd}
 Requires(post):      systemd
@ -110,6 +111,7 @@ for the directories.
 %patch0 -p0 -b .defaultconf
 %patch1 -p1 -b .setrlimit
 %patch2 -p1 -b .fixtrace
+%patch3 -p1

 %build
 autoreconf -if
@ -256,6 +258,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/

 %changelog
+* Fri Jan 14 2022 yaoxin <yaoxin30@huawei.com> - 1.4.63-2
+- Fix CVE-2022-22707
+
 * Thu Jan 13 2022 liyanan <liyanan32@huawei.com> - 1.4.63-1
 - update to 1.4.63