lighttpd: fix CVE-2022-22707

Fix CVE-2022-22707 issue.

Refer to:
https://security-tracker.debian.org/tracker/CVE-2022-22707

TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation on AIO-DX lab.
PASS: controller-1 installation.
PASS: Check the package version with 'dpkg -l' both on controller-0
      and controller-1

Closes-Bug: 2021548

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Iceaf2a89bcac7c5a9892c5eb0c119fa49777a78c
This commit is contained in:
Zhixiong Chi 2023-07-19 01:44:28 -07:00
parent 8d5c5bd6ce
commit 58b0815e45
2 changed files with 94 additions and 0 deletions

View File

@ -0,0 +1,93 @@
From cdd7bba754f46c2c344d7130dec48f0e27a23953 Mon Sep 17 00:00:00 2001
From: povcfe <povcfe@qq.com>
Date: Wed, 5 Jan 2022 11:11:09 +0000
Subject: [PATCH] fix out-of-bounds (OOB) write (fixes #3134)
(thx povcfe)
(edited: gstrauss)
There is a potential remote denial of service in lighttpd mod_extforward
under specific, non-default and uncommon 32-bit lighttpd mod_extforward
configurations.
Under specific, non-default and uncommon lighttpd mod_extforward
configurations, a remote attacker can trigger a 4-byte out-of-bounds
write of value '-1' to the stack. This is not believed to be exploitable
in any way beyond triggering a crash of the lighttpd server on systems
where the lighttpd server has been built 32-bit and with compiler flags
which enable a stack canary -- gcc/clang -fstack-protector-strong or
-fstack-protector-all, but bug not visible with only -fstack-protector.
With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
this bug has not been observed to cause adverse behavior, even with
gcc/clang -fstack-protector-strong.
For the bug to be reachable, the user must be using a non-default
lighttpd configuration which enables mod_extforward and configures
mod_extforward to accept and parse the "Forwarded" header from a trusted
proxy. At this time, support for RFC7239 Forwarded is not common in CDN
providers or popular web server reverse proxies. It bears repeating that
for the user to desire to configure lighttpd mod_extforward to accept
"Forwarded", the user must also be using a trusted proxy (in front of
lighttpd) which understands and actively modifies the "Forwarded" header
sent to lighttpd.
lighttpd natively supports RFC7239 "Forwarded"
hiawatha natively supports RFC7239 "Forwarded"
nginx can be manually configured to add a "Forwarded" header
https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
in front of another 32-bit lighttpd will detect and reject a malicious
"Forwarded" request header, thereby thwarting an attempt to trigger
this bug in an upstream 32-bit lighttpd.
The following servers currently do not natively support RFC7239 Forwarded:
nginx
apache2
caddy
node.js
haproxy
squid
varnish-cache
litespeed
Given the general dearth of support for RFC7239 Forwarded in popular
CDNs and web server reverse proxies, and given the prerequisites in
lighttpd mod_extforward needed to reach this bug, the number of lighttpd
servers vulnerable to this bug is estimated to be vanishingly small.
Large systems using reverse proxies are likely running 64-bit lighttpd,
which is not known to be adversely affected by this bug.
In the future, it is desirable for more servers to implement RFC7239
Forwarded. lighttpd developers would like to thank povcfe for reporting
this bug so that it can be fixed before more CDNs and web servers
implement RFC7239 Forwarded.
x-ref:
"mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
https://redmine.lighttpd.net/issues/3134
(not yet written or published)
CVE-2022-22707
---
src/mod_extforward.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index b53e0d5..1274f8e 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -673,7 +673,7 @@ static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_
while (s[i] == ' ' || s[i] == '\t') ++i;
if (s[i] == ';') { ++i; continue; }
if (s[i] == ',') {
- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
+ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
offsets[++j] = -1; /*("offset" separating params from next proxy)*/
++i;
continue;
--
2.40.0

View File

@ -1,2 +1,3 @@
check-content-length.patch
CVE-2022-37797.patch
CVE-2022-22707.patch