diff --git a/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch b/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch index 17a7165cf..784726d7a 100644 --- a/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch +++ b/base/lighttpd/debian/deb_patches/0001-lighttpd-backport-spec-include-TiS-changes.patch-fro.patch @@ -1,38 +1,32 @@ -From 91f1bd05e5acc70789d17de47de7813bb615027c Mon Sep 17 00:00:00 2001 -From: Yue Tao -Date: Tue, 9 Mar 2021 18:26:53 -0800 +From 95f82fc840c43c964a6c2dcdeaf33b87b44665f3 Mon Sep 17 00:00:00 2001 +From: Zhixiong Chi +Date: Mon, 12 Jun 2023 12:46:45 +0800 Subject: [PATCH] lighttpd: backport spec-include-TiS-changes.patch from StarlingX f/centos8 branch Signed-off-by: Yue Tao +Signed-off-by: Zhixiong Chi --- - debian/control | 99 ++++++++++++++++++++++++-------------------------- - debian/rules | 12 +++--- - 2 files changed, 55 insertions(+), 56 deletions(-) + debian/control | 178 ++++++++++++++++++++++++------------------------- + debian/rules | 11 +-- + 2 files changed, 95 insertions(+), 94 deletions(-) diff --git a/debian/control b/debian/control -index 7807525..682477b 100644 +index 628bfc7..cae8626 100644 --- a/debian/control 
+++ b/debian/control -@@ -62,15 +62,12 @@ Suggests: - lighttpd-mod-authn-gssapi, - lighttpd-mod-authn-pam, - lighttpd-mod-authn-sasl, -- lighttpd-mod-cml, - lighttpd-mod-geoip, -- lighttpd-mod-magnet, - lighttpd-mod-maxminddb, - lighttpd-mod-trigger-b4-dl, - lighttpd-mod-vhostdb-dbi, +@@ -74,8 +74,6 @@ Suggests: lighttpd-mod-vhostdb-pgsql, lighttpd-mod-webdav, + lighttpd-modules-dbi, - lighttpd-modules-ldap, +- lighttpd-modules-lua, lighttpd-modules-mysql, Description: fast webserver with minimal memory footprint lighttpd is a small webserver and fast webserver developed with -@@ -99,29 +96,29 @@ Description: documentation for lighttpd - . - This package contains documentation for lighttpd. +@@ -130,61 +128,61 @@ Description: DBI-based modules for lighttpd + Do not depend on this package. Depend on the provided lighttpd-mod-* + packages instead. -Package: lighttpd-modules-ldap -Architecture: any 
@@ -57,6 +51,38 @@ index 7807525..682477b 100644 - . - Do not depend on this package. Depend on the provided lighttpd-mod-* - packages instead. +- +-Package: lighttpd-modules-lua +-Architecture: any +-Depends: +- ${misc:Depends}, +- ${shlibs:Depends}, +- lighttpd (= ${binary:Version}), +-Breaks: +- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), +- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), +-Replaces: +- lighttpd (<< 1.4.56~rc7-0+exp2), +- lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), +- lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), +-Provides: +- ${lighttpd:ModuleProvides}, +-Description: LUA-based modules for lighttpd +- This package contains the following modules: +- * mod_magnet: control the request handling module for lighttpd +- mod_magnet can attract a request in several stages in the request-handling. +- either at the same level as mod_rewrite, before any parsing of the URL is +- done or at a later stage, when the doc-root is known and the physical-path +- is already setup. +- * mod_cml: cache meta language module for lighttpd +- With the cache meta language, it is possible to describe to the +- dependencies of a cached file to its source files/scripts. For the +- cache files, the scripting language Lua is used. +- THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. +- . +- Do not depend on this package. Depend on the provided lighttpd-mod-* +- packages instead. +- +#Package: lighttpd-modules-ldap +#Architecture: any +#Depends: 
@@ -80,69 +106,116 @@ index 7807525..682477b 100644 +# . +# Do not depend on this package. Depend on the provided lighttpd-mod-* +# packages instead. - ++# ++#Package: lighttpd-modules-lua ++#Architecture: any ++#Depends: ++# ${misc:Depends}, ++# ${shlibs:Depends}, ++# lighttpd (= ${binary:Version}), ++#Breaks: ++# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), ++# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), ++#Replaces: ++# lighttpd (<< 1.4.56~rc7-0+exp2), ++# lighttpd-mod-cml (<< 1.4.56~rc7-0+exp2), ++# lighttpd-mod-magnet (<< 1.4.56~rc7-0+exp2), ++#Provides: ++# ${lighttpd:ModuleProvides}, ++#Description: LUA-based modules for lighttpd ++# This package contains the following modules: ++# * mod_magnet: control the request handling module for lighttpd ++# mod_magnet can attract a request in several stages in the request-handling. ++# either at the same level as mod_rewrite, before any parsing of the URL is ++# done or at a later stage, when the doc-root is known and the physical-path ++# is already setup. ++# * mod_cml: cache meta language module for lighttpd ++# With the cache meta language, it is possible to describe to the ++# dependencies of a cached file to its source files/scripts. For the ++# cache files, the scripting language Lua is used. ++# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. ++# . ++# Do not depend on this package. Depend on the provided lighttpd-mod-* ++# packages instead. ++# Package: lighttpd-modules-mysql Architecture: any -@@ -165,32 +162,32 @@ Description: anti-deep-linking module for lighttpd + Depends: +@@ -231,39 +229,39 @@ Description: anti-deep-linking module for lighttpd from other sites by requiring users to visit a trigger URL to be able to download certain files. 
-Package: lighttpd-mod-cml +-Section: oldlibs -Architecture: any -Depends: - ${misc:Depends}, - ${shlibs:Depends}, -- lighttpd (= ${binary:Version}), --Recommends: -- memcached, --Description: cache meta language module for lighttpd +- lighttpd-modules-lua (= ${binary:Version}), +-Description: Transitional dummy package for: cache meta language module for lighttpd - With the cache meta language, it is possible to describe to the - dependencies of a cached file to its source files/scripts. For the - cache files, the scripting language Lua is used. - . - THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. +- . +- While this transitional dummy package will go away, the package name +- continues to exist as a virtual package provided by lighttpd-modules-lua. +- +-Package: lighttpd-mod-magnet +-Section: oldlibs +-Architecture: any +-Depends: +- ${misc:Depends}, +- ${shlibs:Depends}, +- lighttpd-modules-lua (= ${binary:Version}), +-Description: Transitional dummy package for: control the request handling module for lighttpd +- mod_magnet can attract a request in several stages in the request-handling. +- either at the same level as mod_rewrite, before any parsing of the URL is done +- or at a later stage, when the doc-root is known and the physical-path is +- already setup +- . +- While this transitional dummy package will go away, the package name +- continues to exist as a virtual package provided by lighttpd-modules-lua. +- +#Package: lighttpd-mod-cml ++#Section: oldlibs +#Architecture: any +#Depends: +# ${misc:Depends}, +# ${shlibs:Depends}, -+# lighttpd (= ${binary:Version}), -+#Recommends: -+# memcached, -+#Description: cache meta language module for lighttpd ++# lighttpd-modules-lua (= ${binary:Version}), ++#Description: Transitional dummy package for: cache meta language module for lighttpd +# With the cache meta language, it is possible to describe to the +# dependencies of a cached file to its source files/scripts. 
For the +# cache files, the scripting language Lua is used. +# . +# THIS MODULE IS OBSOLETED, USE mod_magnet INSTEAD. - --Package: lighttpd-mod-magnet --Architecture: any --Depends: -- ${misc:Depends}, -- ${shlibs:Depends}, -- lighttpd (= ${binary:Version}), --Description: control the request handling module for lighttpd -- mod_magnet can attract a request in several stages in the request-handling. -- either at the same level as mod_rewrite, before any parsing of the URL is done -- or at a later stage, when the doc-root is known and the physical-path is -- already setup ++# . ++# While this transitional dummy package will go away, the package name ++# continues to exist as a virtual package provided by lighttpd-modules-lua. ++# +#Package: lighttpd-mod-magnet ++#Section: oldlibs +#Architecture: any +#Depends: +# ${misc:Depends}, +# ${shlibs:Depends}, -+# lighttpd (= ${binary:Version}), -+#Description: control the request handling module for lighttpd ++# lighttpd-modules-lua (= ${binary:Version}), ++#Description: Transitional dummy package for: control the request handling module for lighttpd +# mod_magnet can attract a request in several stages in the request-handling. +# either at the same level as mod_rewrite, before any parsing of the URL is done +# or at a later stage, when the doc-root is known and the physical-path is +# already setup - ++# . ++# While this transitional dummy package will go away, the package name ++# continues to exist as a virtual package provided by lighttpd-modules-lua. ++# Package: lighttpd-mod-webdav Architecture: any + Depends: diff --git a/debian/rules b/debian/rules -index 7c0440b..e456781 100755 +index 5317ce6..7535999 100755 --- a/debian/rules +++ b/debian/rules @@ -16,6 +16,7 @@ override_dh_clean: @@ -154,21 +227,21 @@ index 7c0440b..e456781 100755 --libexecdir="/usr/lib/lighttpd" \ --with-attr \ 
@@ -23,10 +24,12 @@ override_dh_auto_configure: - --with-fam \ + --with-dbi \ --with-gdbm \ --with-krb5 \ - --with-ldap \ + --without-ldap \ --with-geoip \ --with-memcached \ -- --with-lua=lua5.1 \ +- --with-lua=lua5.3 \ + --without-lua \ + --without-bzip2 \ + --without-memcache \ --with-maxminddb \ + --with-mbedtls \ --with-mysql \ - --with-openssl \ -@@ -34,8 +37,8 @@ override_dh_auto_configure: +@@ -37,8 +40,8 @@ override_dh_auto_configure: --with-pcre \ --with-pgsql \ --with-sasl \ @@ -176,17 +249,9 @@ index 7c0440b..e456781 100755 - --with-webdav-props \ + --without-webdav-locks \ + --without-webdav-props \ + --with-wolfssl \ + --with-xxhash \ $(if $(filter pkg.lighttpd.libunwind,$(DEB_BUILD_PROFILES)),--with-libunwind) \ - CFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get CFLAGS)" \ - LDFLAGS_FOR_BUILD="$(shell dpkg-buildflags --get LDFLAGS)" \ -@@ -49,7 +52,6 @@ override_dh_missing: - dh_missing --fail-missing - - DOCLESS_PACKAGES=\ -- lighttpd-modules-ldap \ - lighttpd-modules-mysql \ - lighttpd-mod-authn-pam \ - lighttpd-mod-authn-sasl \ -- -2.31.1 +2.34.1 diff --git a/base/lighttpd/debian/meta_data.yaml b/base/lighttpd/debian/meta_data.yaml index 2162ed374..4e23f10f1 100644 --- a/base/lighttpd/debian/meta_data.yaml +++ b/base/lighttpd/debian/meta_data.yaml @@ -1,11 +1,10 @@ --- -debver: 1.4.55-1~bpo10+1 +debver: 1.4.59-1+deb11u2 debname: lighttpd dl_path: - name: lighttpd-debian-1.4.55-1_bpo10+1.tar.gz - url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.55-1_bpo10+1/lighttpd-debian-1.4.55-1_bpo10+1.tar.gz - md5sum: 453d7710982ee44fb5ce41673c6bd0df - sha256sum: 34326941ba0f7c6ff6f2c72890e2a568d0924c11c2c3f3d4174c82a484be81d3 + name: lighttpd-debian-1.4.59-1+deb11u2.tar.gz + url: https://salsa.debian.org/debian/lighttpd/-/archive/debian/1.4.59-1+deb11u2/lighttpd-debian-1.4.59-1+deb11u2.tar.gz + sha256sum: d5d7deda6da461030b4b25111f4f6c535128d2b865c6b2b4b009e83334a275ea revision: dist: $STX_DIST PKG_GITREVCOUNT: 
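Review bot: `--without-memcache`, carried here as context two lines below a retained `--with-memcached \`, does not appear to name a configure option this lighttpd series recognises (the option is spelled `--with-memcached`/`--without-memcached`), so configure would only warn about an unrecognised option and memcached support would stay enabled through the kept `--with-memcached` line. If the intent is to drop libmemcached, replace both lines with a single `--without-memcached \`; if memcached is wanted, delete the dead `--without-memcache` line so the flag list documents what is actually built. The same check applies to the following hunk (`@@ -176,17 +249,9 @@`), where `--with-wolfssl` joins the `--with-mbedtls` enabled here with nothing in the patch description explaining the intended TLS module set; a one-line note in the patch header on which backends are meant to ship would help the next rebase. override_dh_auto_configure starts and ends outside this hunk.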
diff --git a/base/lighttpd/debian/patches/CVE-2022-37797.patch b/base/lighttpd/debian/patches/CVE-2022-37797.patch
deleted file mode 100644
index 43200dbfe..000000000
--- a/base/lighttpd/debian/patches/CVE-2022-37797.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Tue, 22 Nov 2022 18:58:24 -0800 -Subject: [PATCH] CVE-2022-37797 - - [mod_wstunnel] fix crash with bad hybivers (fixes #3165) - - (thx MichaƂ Dardas) - - x-ref: - "mod_wstunnel null pointer dereference" - https://redmine.lighttpd.net/issues/3165 - -In order to trigger the reproducer on lighttpd 1.4.53, parsing of the -Sec-Websocket-Version needs to be fixed as has been done in later versions. -Due to internal refactoring, the actual NULL pointer dereference has moved -elsewhere, but still crashes. -- Helmut Grohne - -The upstream patch is not a git header format which I have created here. -[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch] -Signed-off-by: Zhixiong Chi ---- - src/mod_wstunnel.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c -index ed5174a..99e3739 100644 ---- a/src/mod_wstunnel.c -+++ b/src/mod_wstunnel.c -@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) { - static int wstunnel_check_request(connection *con, handler_ctx *hctx) { - const buffer * const vers = - http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version")); -- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0; -+ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? 
strtol(vers->ptr, NULL, 10) : -1) : 0; - if (hybivers < 0 || hybivers > INT_MAX) { - DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version"); - con->http_status = 400; /* Bad Request */ -@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da - hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/ - hctx->conf = p->conf; /*(copies struct)*/ - hybivers = wstunnel_check_request(con, hctx); -- if (hybivers < 0) return HANDLER_FINISHED; -+ if (hybivers < 0) { -+ con->mode = DIRECT; -+ return HANDLER_FINISHED; -+ } - hctx->hybivers = hybivers; - if (0 == hybivers) { - DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00"); --- -2.34.1 - diff --git a/base/lighttpd/debian/patches/check-content-length.patch b/base/lighttpd/debian/patches/check-content-length.patch index d2fbcb025..2be33fe7e 100644 --- a/base/lighttpd/debian/patches/check-content-length.patch +++ b/base/lighttpd/debian/patches/check-content-length.patch @@ -1,37 +1,49 @@ -From 65107586a55c594c44b0a97a2d6756f6a0f0a5ca Mon Sep 17 00:00:00 2001 -From: Giao Le -Date: Mon, 27 Aug 2018 19:41:36 +0800 -Subject: [PATCH] check-length +From 98b8cbc80e14e6b47b13bcddfedc0bdc8d2abf19 Mon Sep 17 00:00:00 2001 +From: Zhixiong Chi +Date: Mon, 12 Jun 2023 02:23:58 -0700 +Subject: [PATCH] check content-length + +Rebase this local patch for StarlingX. Signed-off-by: zhipengl +Signed-off-by: Giao Le +Signed-off-by: Zhixiong Chi --- - src/request.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 45 insertions(+) + src/request.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) diff --git a/src/request.c b/src/request.c -index d25e1e7..fe541a5 100644 +index 62f2f0cb..e9668d42 100644 --- a/src/request.c 
+++ b/src/request.c -@@ -8,10 +8,39 @@ +@@ -8,16 +8,48 @@ + #include "first.h" + + #include "request.h" ++#include "base.h" + #include "burl.h" + #include "http_header.h" + #include "http_kv.h" #include "log.h" #include "sock_addr.h" +#include #include + #include #include #include +#include - -+static size_t get_tempdirs_free_space(server *srv) ++ ++static size_t get_tempdirs_free_space(request_st * const restrict r) +{ + int i; + int valid = 0; + size_t total = 0; -+ array *dirs = srv->srvconf.upload_tempdirs; ++ array *dirs = r->con->srv->srvconf.upload_tempdirs; + + for (i = 0; i < (int)dirs->used; ++i) { + struct statvfs stat; -+ const char *name = ((data_string *)dirs->data[i])->value->ptr; ++ const char *name = ((data_string *)dirs->data[i])->value.ptr; + int ret = statvfs(name, &stat); + + if (ret >= 0) { 
@@ -40,41 +52,47 @@ index d25e1e7..fe541a5 100644 + valid = 1; + } + else { -+ log_error_write(srv, __FILE__, __LINE__, "ssss", -+ "dir:", name, -+ "error:", strerror(errno)); ++ if (r->conf.log_request_header_on_error) { ++ log_error(r->conf.errh, __FILE__, __LINE__, ++ "statvfs error, dir: %s, eno: %s\n", ++ name, strerror(errno)); ++ } + } + } + + return (valid) ? total : SSIZE_MAX; +} -+ - static int request_check_hostname(buffer *host) { + + static int request_check_hostname(buffer * const host) { enum { DOMAINLABEL, TOPLABEL } stage = TOPLABEL; - size_t i; -@@ -928,6 +957,22 @@ int http_request_parse(server *srv, conn - if (!state.con_length_set) { - return http_request_header_line_invalid(srv, 411, "POST-request, but content-length missing -> 411"); - } -+ /* content-length is larger than 64k */ -+ if (con->request.content_length > 64*1024) { -+ size_t disk_free = get_tempdirs_free_space(srv); -+ if (con->request.content_length > disk_free) { -+ con->http_status = 413; -+ con->keep_alive = 0; +@@ -1260,10 +1292,27 @@ http_request_parse (request_st * const restrict r, const int scheme_port) + http_header_request_unset(r, HTTP_HEADER_CONTENT_LENGTH, CONST_STR_LEN("Content-Length")); + } + } + -+ log_error_write(srv, __FILE__, __LINE__, "ssosos", -+ "not enough free space in tempdirs:", -+ "length =", (off_t) con->request.content_length, -+ "free =", (off_t) disk_free, -+ "-> 413"); -+ return 0; -+ } -+ } + if (http_method_get_or_head(r->http_method) + && !(http_parseopts & HTTP_PARSEOPT_METHOD_GET_BODY)) { + return http_request_header_line_invalid(r, 400, "GET/HEAD with content-length -> 400"); + } + - break; - default: - break; ++ /* content-length is larger than 64k */ ++ if (r->reqbody_length > 64*1024 && HTTP_METHOD_POST == r->http_method) { ++ size_t disk_free = get_tempdirs_free_space(r); ++ if (r->reqbody_length > disk_free) { ++ r->http_status = 413; ++ r->keep_alive = 0; ++ if (r->conf.log_request_header_on_error) { ++ log_error(r->conf.errh, 
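Review bot: `array *dirs = r->con->srv->srvconf.upload_tempdirs;` is followed by `dirs->used` with no NULL check; if `server.upload-dirs` is unset and this lighttpd version leaves `upload_tempdirs` NULL (and, as I recall, declares it `const array *`, which this assignment would also strip), the first POST over the 64k threshold would crash the worker rather than fail the request. Suggest `const array * const dirs = r->con->srv->srvconf.upload_tempdirs; if (NULL == dirs) return SSIZE_MAX;` ahead of the loop, matching the sentinel the function already returns when no directory could be queried. That fail-open behaviour deserves a header comment, e.g. `/* Free space in server.upload-dirs per statvfs(); returns SSIZE_MAX (check disabled) when no directory could be queried. */`, since a reader otherwise expects a free-space check to fail closed. The trailing `\n` in the `"statvfs error, dir: %s, eno: %s\n"` format looks redundant with log_error's own line termination and would leave a blank line in the error log. get_tempdirs_free_space continues into the next hunk.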
__FILE__, __LINE__, ++ "not enough free space in tempdirs:\n length =%d\n free=%d\ncontent-length -> 413", ++ r->reqbody_length, ++ disk_free); ++ } ++ return 0; ++ } ++ } + } + + return 0; -- -2.21.0 +2.39.0 diff --git a/base/lighttpd/debian/patches/series b/base/lighttpd/debian/patches/series index 27197e0f6..0781feede 100644 --- a/base/lighttpd/debian/patches/series +++ b/base/lighttpd/debian/patches/series @@ -1,2 +1 @@ check-content-length.patch -CVE-2022-37797.patch
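Review bot: The new 413 log call passes `r->reqbody_length` and `disk_free` to `%d` conversions; in this lighttpd series `reqbody_length` is an `off_t` and `disk_free` is a `size_t` here, so the format reads the wrong argument width on 64-bit builds (undefined behaviour, and what -Wformat reports) and the logged numbers are garbage exactly when an operator needs them. Change the three lines to `"not enough free space in tempdirs: length = %lld free = %zu -> 413",` / `(long long)r->reqbody_length,` / `disk_free);`, which also drops the embedded newlines that split one event across several log lines. Worth a comment above the block that the comparison is a point-in-time estimate (free space can change before the body is written), so the temp-file write path remains the authoritative limit, and that `64*1024` should be a named constant so the threshold is discoverable. http_request_parse starts and ends outside this hunk.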