!24 Fix CVE-2022-37797

From: @myp-imago Reviewed-by: @seuzw Signed-off-by: @seuzw
2022-09-19 14:16:21 +00:00 · 2022-09-19 14:16:21 +00:00 · fb3c3f14a9
commit fb3c3f14a9
parent 205badc119 d8d0da602f
2 changed files with 35 additions and 1 deletions
--- a/CVE-2022-37797.patch
+++ b/CVE-2022-37797.patch
@ -0,0 +1,29 @@
+From 726748093336e9c1d0e7b70d7180b2aa8196061b Mon Sep 17 00:00:00 2001
+From: mayp <mayanping@ncti-gba.cn>
+Date: Mon, 19 Sep 2022 19:01:08 +0800
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165) modified:
+ src/mod_wstunnel.c
+
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6d17d4d..97b89f0 100644
+--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
+@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
+     hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
+     hctx->conf = p->conf; /*(copies struct)*/
+     hybivers = wstunnel_check_request(r, hctx);
+-    if (hybivers < 0) return HANDLER_FINISHED;
+    if (hybivers < 0) {
+        r->handler_module = NULL;
+        return HANDLER_FINISHED;
+    }
+     hctx->hybivers = hybivers;
+     if (0 == hybivers) {
+         DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
+-- 
+2.33.0
+
--- a/lighttpd.spec
+++ b/lighttpd.spec
@ -20,7 +20,7 @@
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
 Version:             1.4.63
-Release:             4
+Release:             5
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
 Source0:             https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.63.tar.gz
@ -32,6 +32,7 @@ Patch0:              lighttpd-1.4.62-defaultconf.patch
 Patch1:              5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch
 Patch2:              492773a20f8a1deb1c94e25d40023970dd9608a1.patch
 Patch3:              CVE-2022-22707.patch
+Patch4:              CVE-2022-37797.patch
 Requires:            %{name}-filesystem
 %if %{with systemd}
 Requires(post):      systemd
@ -112,6 +113,7 @@ for the directories.
 %patch1 -p1 -b .setrlimit
 %patch2 -p1 -b .fixtrace
 %patch3 -p1
+%patch4 -p1

 %build
 autoreconf -if
@ -258,6 +260,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/

 %changelog
+* Mon Sep 19 2022 mayp <mayanping@ncti-gba.cn> - 1.4.63-5
+- Fix CVE-2022-37797 
+
 * Thu Aug 18 2022 caodongxia <caodongxia@h-partners.com> - 1.4.63-4
 - Disable fam support as gamin is deprecated