starlingx
/
integ
Code Issues Proposed changes

lighttd: Upgrade to 1.4.59-1+deb11u2 

Fix CVE-2022-22707 issue.

Refer to:
https://security-tracker.debian.org/tracker/CVE-2022-22707

Meanwhile rebase the local patches for new version.

TestPlan:
PASS: build-pkgs -a
PASS: build-image
PASS: Jenkins Installation.
PASS: Check the package version with 'dpkg -l'

Closes-Bug: 2021548

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Id4b245ed4ba7c00d854ce758a3d241ad74fd1a0f
This commit is contained in:
Zhixiong Chi 2023-06-13 10:43:00 +08:00
parent d03fd2ebaa
commit e61f579d8b
5 changed files with 188 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

187
base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch
View File

@ -1,38 +1,32 @@
From 91f1bd05e5acc70789d17de47de7813bb615027c Mon Sep 17 00:00:00 2001
From: Yue Tao <Yue.Tao@windriver.com>
Date: Tue, 9 Mar 2021 18:26:53 -0800
From 95f82fc840c43c964a6c2dcdeaf33b87b44665f3 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Date: Mon, 12 Jun 2023 12:46:45 +0800
Subject: [PATCH] lighttpd: backport spec-include-TiS-changes.patch from
StarlingX f/centos8 branch
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
debian/control | 99 ++++++++++++++++++++++++--------------------------
debian/rules | 12 +++---
2 files changed, 55 insertions(+), 56 deletions(-)
debian/control | 178 ++++++++++++++++++++++++-------------------------
debian/rules | 11 +--
2 files changed, 95 insertions(+), 94 deletions(-)
diff --git a/debian/control b/debian/control
index 7807525..682477b 100644
index 628bfc7..cae8626 100644
--- a/debian/control
+++ b/debian/control
@@ -62,15 +62,12 @@ Suggests:
lighttpd-mod-authn-gssapi,
lighttpd-mod-authn-pam,
lighttpd-mod-authn-sasl,
- lighttpd-mod-cml,
lighttpd-mod-geoip,
- lighttpd-mod-magnet,
lighttpd-mod-maxminddb,
lighttpd-mod-trigger-b4-dl,
lighttpd-mod-vhostdb-dbi,
@@ -74,8 +74,6 @@ Suggests:
lighttpd-mod-vhostdb-pgsql,
lighttpd-mod-webdav,
lighttpd-modules-dbi,
- lighttpd-modules-ldap,
- lighttpd-modules-lua,
lighttpd-modules-mysql,
Description: fast webserver with minimal memory footprint
lighttpd is a small webserver and fast webserver developed with
@@ -99,29 +96,29 @@ Description: documentation for lighttpd
.
This package contains documentation for lighttpd.
@@ -130,61 +128,61 @@ Description: DBI-based modules for lighttpd
Do not depend on this package. Depend on the provided lighttpd-mod-*
packages instead.
-Package: lighttpd-modules-ldap
-Architecture: any
@ -57,6 +51,38 @@ index 7807525..682477b 100644
- .
- Do not depend on this package. Depend on the provided lighttpd-mod-*
- packages instead.
-
-Package: lighttpd-modules-lua
-Architecture: any
-Depends:
- ${misc:Depends},
- ${shlibs:Depends},
- lighttpd (= ${binary:Version}),
-Breaks:
- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2),
- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2),
-Replaces:
- lighttpd (<< 1.4.56~rc7-0+exp2),
- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2),
- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2),
-Provides:
- ${lighttpd:ModuleProvides},
-Description: LUA-based modules for lighttpd
- This package contains the following modules:
- * mod_magnet: control the request handling module for lighttpd
- mod_magnet can attract a request in several stages in the request-handling.
- either at the same level as mod_rewrite, before any parsing of the URL is
- done or at a later stage, when the doc-root is known and the physical-path
- is already setup.
- * mod_cml: cache meta language module for lighttpd
- With the cache meta language, it is possible to describe to the
- dependencies of a cached file to its source files/scripts. For the
- cache files, the scripting language Lua is used.
- THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD.
- .
- Do not depend on this package. Depend on the provided lighttpd-mod-*
- packages instead.
-
+#Package: lighttpd-modules-ldap
+#Architecture: any
+#Depends:
@ -80,69 +106,116 @@ index 7807525..682477b 100644
+# .
+# Do not depend on this package. Depend on the provided lighttpd-mod-*
+# packages instead.
+#
+#Package: lighttpd-modules-lua
+#Architecture: any
+#Depends:
+# ${misc:Depends},
+# ${shlibs:Depends},
+# lighttpd (= ${binary:Version}),
+#Breaks:
+# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2),
+# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2),
+#Replaces:
+# lighttpd (<< 1.4.56~rc7-0+exp2),
+# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2),
+# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2),
+#Provides:
+# ${lighttpd:ModuleProvides},
+#Description: LUA-based modules for lighttpd
+# This package contains the following modules:
+# * mod_magnet: control the request handling module for lighttpd
+# mod_magnet can attract a request in several stages in the request-handling.
+# either at the same level as mod_rewrite, before any parsing of the URL is
+# done or at a later stage, when the doc-root is known and the physical-path
+# is already setup.
+# * mod_cml: cache meta language module for lighttpd
+# With the cache meta language, it is possible to describe to the
+# dependencies of a cached file to its source files/scripts. For the
+# cache files, the scripting language Lua is used.
+# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD.
+# .
+# Do not depend on this package. Depend on the provided lighttpd-mod-*
+# packages instead.
+#
Package: lighttpd-modules-mysql
Architecture: any
@@ -165,32 +162,32 @@ Description: anti-deep-linking module for lighttpd
Depends:
@@ -231,39 +229,39 @@ Description: anti-deep-linking module for lighttpd
from other sites by requiring users to visit a trigger URL to
be able to download certain files.
-Package: lighttpd-mod-cml
-Section: oldlibs
-Architecture: any
-Depends:
- ${misc:Depends},
- ${shlibs:Depends},
- lighttpd (= ${binary:Version}),
-Recommends:
- memcached,
-Description: cache meta language module for lighttpd
- lighttpd-modules-lua (= ${binary:Version}),
-Description: Transitional dummy package for: cache meta language module for lighttpd
- With the cache meta language, it is possible to describe to the
- dependencies of a cached file to its source files/scripts. For the
- cache files, the scripting language Lua is used.
- .
- THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD.
- .
- While this transitional dummy package will go away, the package name
- continues to exist as a virtual package provided by lighttpd-modules-lua.
-
-Package: lighttpd-mod-magnet
-Section: oldlibs
-Architecture: any
-Depends:
- ${misc:Depends},
- ${shlibs:Depends},
- lighttpd-modules-lua (= ${binary:Version}),
-Description: Transitional dummy package for: control the request handling module for lighttpd
- mod_magnet can attract a request in several stages in the request-handling.
- either at the same level as mod_rewrite, before any parsing of the URL is done
- or at a later stage, when the doc-root is known and the physical-path is
- already setup
- .
- While this transitional dummy package will go away, the package name
- continues to exist as a virtual package provided by lighttpd-modules-lua.
-
+#Package: lighttpd-mod-cml
+#Section: oldlibs
+#Architecture: any
+#Depends:
+# ${misc:Depends},
+# ${shlibs:Depends},
+# lighttpd (= ${binary:Version}),
+#Recommends:
+# memcached,
+#Description: cache meta language module for lighttpd
+# lighttpd-modules-lua (= ${binary:Version}),
+#Description: Transitional dummy package for: cache meta language module for lighttpd
+# With the cache meta language, it is possible to describe to the
+# dependencies of a cached file to its source files/scripts. For the
+# cache files, the scripting language Lua is used.
+# .
+# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD.
-Package: lighttpd-mod-magnet
-Architecture: any
-Depends:
- ${misc:Depends},
- ${shlibs:Depends},
- lighttpd (= ${binary:Version}),
-Description: control the request handling module for lighttpd
- mod_magnet can attract a request in several stages in the request-handling.
- either at the same level as mod_rewrite, before any parsing of the URL is done
- or at a later stage, when the doc-root is known and the physical-path is
- already setup
+# .
+# While this transitional dummy package will go away, the package name
+# continues to exist as a virtual package provided by lighttpd-modules-lua.
+#
+#Package: lighttpd-mod-magnet
+#Section: oldlibs
+#Architecture: any
+#Depends:
+# ${misc:Depends},
+# ${shlibs:Depends},
+# lighttpd (= ${binary:Version}),
+#Description: control the request handling module for lighttpd
+# lighttpd-modules-lua (= ${binary:Version}),
+#Description: Transitional dummy package for: control the request handling module for lighttpd
+# mod_magnet can attract a request in several stages in the request-handling.
+# either at the same level as mod_rewrite, before any parsing of the URL is done
+# or at a later stage, when the doc-root is known and the physical-path is
+# already setup
+# .
+# While this transitional dummy package will go away, the package name
+# continues to exist as a virtual package provided by lighttpd-modules-lua.
+#
Package: lighttpd-mod-webdav
Architecture: any
Depends:
diff --git a/debian/rules b/debian/rules
index 7c0440b..e456781 100755
index 5317ce6..7535999 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,6 +16,7 @@ override_dh_clean:
@ -154,21 +227,21 @@ index 7c0440b..e456781 100755
--libexecdir="/usr/lib/lighttpd" \
--with-attr \
@@ -23,10 +24,12 @@ override_dh_auto_configure:
--with-fam \
--with-dbi \
--with-gdbm \
--with-krb5 \
- --with-ldap \
+ --without-ldap \
--with-geoip \
--with-memcached \
- --with-lua=lua5.1 \
- --with-lua=lua5.3 \
+ --without-lua \
+ --without-bzip2 \
+ --without-memcache \
--with-maxminddb \
--with-mbedtls \
--with-mysql \
--with-openssl \
@@ -34,8 +37,8 @@ override_dh_auto_configure:
@@ -37,8 +40,8 @@ override_dh_auto_configure:
--with-pcre \
--with-pgsql \
--with-sasl \
@ -176,17 +249,9 @@ index 7c0440b..e456781 100755
- --with-webdav-props \
+ --without-webdav-locks \
+ --without-webdav-props \
--with-wolfssl \
--with-xxhash \
$(if $(filter pkg.lighttpd.libunwind,$(DEB_BUILD_PROFILES)),--with-libunwind) \
CFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get CFLAGS)" \
LDFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get LDFLAGS)" \
@@ -49,7 +52,6 @@ override_dh_missing:
dh_missing --fail-missing
DOCLESS_PACKAGES=\
- lighttpd-modules-ldap \
lighttpd-modules-mysql \
lighttpd-mod-authn-pam \
lighttpd-mod-authn-sasl \
--
2.31.1
2.34.1

9
base/lighttpd/debian/meta_data.yaml
View File

@ -1,11 +1,10 @@
---
debver: 1.4.55-1~bpo10+1
debver: 1.4.59-1+deb11u2
debname: lighttpd
dl_path:
name: lighttpd-debian-1.4.55-1_bpo10+1.tar.gz
url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.55-1_bpo10+1/lighttpd-debian-1.4.55-1_bpo10+1.tar.gz
md5sum: 453d7710982ee44fb5ce41673c6bd0df
sha256sum: 34326941ba0f7c6ff6f2c72890e2a568d0924c11c2c3f3d4174c82a484be81d3
name: lighttpd-debian-1.4.59-1+deb11u2.tar.gz
url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.59-1+deb11u2/lighttpd-debian-1.4.59-1+deb11u2.tar.gz
sha256sum: d5d7deda6da461030b4b25111f4f6c535128d2b865c6b2b4b009e83334a275ea
revision:
dist: $STX_DIST
PKG_GITREVCOUNT:

53
base/lighttpd/debian/patches/CVE-2022-37797.patch
View File

@ -1,53 +0,0 @@
From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 22 Nov 2022 18:58:24 -0800
Subject: [PATCH] CVE-2022-37797
[mod_wstunnel] fix crash with bad hybivers (fixes #3165)
(thx Michał Dardas)
x-ref:
"mod_wstunnel null pointer dereference"
https://redmine.lighttpd.net/issues/3165
In order to trigger the reproducer on lighttpd 1.4.53, parsing of the
Sec-Websocket-Version needs to be fixed as has been done in later versions.
Due to internal refactoring, the actual NULL pointer dereference has moved
elsewhere, but still crashes. -- Helmut Grohne
The upstream patch is not a git header format which I have created here.
[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch]
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
src/mod_wstunnel.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
index ed5174a..99e3739 100644
--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) {
static int wstunnel_check_request(connection *con, handler_ctx *hctx) {
const buffer * const vers =
http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0;
+ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1) : 0;
if (hybivers < 0 || hybivers > INT_MAX) {
DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version");
con->http_status = 400; /* Bad Request */
@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
hctx->conf = p->conf; /*(copies struct)*/
hybivers = wstunnel_check_request(con, hctx);
- if (hybivers < 0) return HANDLER_FINISHED;
+ if (hybivers < 0) {
+ con->mode = DIRECT;
+ return HANDLER_FINISHED;
+ }
hctx->hybivers = hybivers;
if (0 == hybivers) {
DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
--
2.34.1

98
base/lighttpd/debian/patches/check-content-length.patch
View File

@ -1,37 +1,49 @@
From 65107586a55c594c44b0a97a2d6756f6a0f0a5ca Mon Sep 17 00:00:00 2001
From: Giao Le <giao.le@windriver.com>
Date: Mon, 27 Aug 2018 19:41:36 +0800
Subject: [PATCH] check-length
From 98b8cbc80e14e6b47b13bcddfedc0bdc8d2abf19 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi <zhixiong.chi@windriver.com>
Date: Mon, 12 Jun 2023 02:23:58 -0700
Subject: [PATCH] check content-length
Rebase this local patch for StarlingX.
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Signed-off-by: Giao Le <giao.le@windriver.com>
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
src/request.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
src/request.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
diff --git a/src/request.c b/src/request.c
index d25e1e7..fe541a5 100644
index 62f2f0cb..e9668d42 100644
--- a/src/request.c
+++ b/src/request.c
@@ -8,10 +8,39 @@
@@ -8,16 +8,48 @@
#include "first.h"
#include "request.h"
+#include "base.h"
#include "burl.h"
#include "http_header.h"
#include "http_kv.h"
#include "log.h"
#include "sock_addr.h"
+#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/statvfs.h>
+static size_t get_tempdirs_free_space(server *srv)
+
+static size_t get_tempdirs_free_space(request_st * const restrict r)
+{
+ int i;
+ int valid = 0;
+ size_t total = 0;
+ array *dirs = srv->srvconf.upload_tempdirs;
+ array *dirs = r->con->srv->srvconf.upload_tempdirs;
+
+ for (i = 0; i < (int)dirs->used; ++i) {
+ struct statvfs stat;
+ const char *name = ((data_string *)dirs->data[i])->value->ptr;
+ const char *name = ((data_string *)dirs->data[i])->value.ptr;
+ int ret = statvfs(name, &stat);
+
+ if (ret >= 0) {
@ -40,41 +52,47 @@ index d25e1e7..fe541a5 100644
+ valid = 1;
+ }
+ else {
+ log_error_write(srv, __FILE__, __LINE__, "ssss",
+ "dir:", name,
+ "error:", strerror(errno));
+ if (r->conf.log_request_header_on_error) {
+ log_error(r->conf.errh, __FILE__, __LINE__,
+ "statvfs error, dir: %s, eno: %s\n",
+ name, strerror(errno));
+ }
+ }
+ }
+
+ return (valid) ? total : SSIZE_MAX;
+}
+
static int request_check_hostname(buffer *host) {
static int request_check_hostname(buffer * const host) {
enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL;
size_t i;
@@ -928,6 +957,22 @@ int http_request_parse(server *srv, conn
if (!state.con_length_set) {
return http_request_header_line_invalid(srv, 411, "POST-request, but content-length missing -> 411");
}
+ /* content-length is larger than 64k */
+ if (con->request.content_length > 64*1024) {
+ size_t disk_free = get_tempdirs_free_space(srv);
+ if (con->request.content_length > disk_free) {
+ con->http_status = 413;
+ con->keep_alive = 0;
@@ -1260,10 +1292,27 @@ http_request_parse (request_st * const restrict r, const int scheme_port)
http_header_request_unset(r, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length"));
}
}
+
+ log_error_write(srv, __FILE__, __LINE__, "ssosos",
+ "not enough free space in tempdirs:",
+ "length =", (off_t) con->request.content_length,
+ "free =", (off_t) disk_free,
+ "-> 413");
+ return 0;
+ }
+ }
if (http_method_get_or_head(r->http_method)
&& !(http_parseopts & HTTP_PARSEOPT_METHOD_GET_BODY)) {
return http_request_header_line_invalid(r, 400, "GET/HEAD with content-length -> 400");
}
+
break;
default:
break;
+ /* content-length is larger than 64k */
+ if (r->reqbody_length > 64*1024 && HTTP_METHOD_POST == r->http_method) {
+ size_t disk_free = get_tempdirs_free_space(r);
+ if (r->reqbody_length > disk_free) {
+ r->http_status = 413;
+ r->keep_alive = 0;
+ if (r->conf.log_request_header_on_error) {
+ log_error(r->conf.errh, __FILE__, __LINE__,
+ "not enough free space in tempdirs:\n length =%d\n free=%d\ncontent-length -> 413",
+ r->reqbody_length,
+ disk_free);
+ }
+ return 0;
+ }
+ }
}
return 0;
--
2.21.0
2.39.0

1
base/lighttpd/debian/patches/series
View File

@ -1,2 +1 @@
check-content-length.patch
CVE-2022-37797.patch