Bug 444179 (CVE-2012-5533) - <www-servers/lighttpd-1.4.32 : HTTP Header Processing Denial of Service Vulnerability (CVE-2012-5533)
Status: RESOLVED FIXED
Alias: CVE-2012-5533
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-21 16:35 UTC by Agostino Sarubbo
Modified: 2014-06-13 20:44 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-11-21 16:35:17 UTC
From https://secunia.com/advisories/51268/ :

Description
A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error in the "http_request_split_value()" function (src/request.c) when processing certain HTTP headers. This can be exploited to cause an endless loop denying further request processing via a specially crafted "Connection" header.

The vulnerability is reported in version 1.4.31 only.


Solution
Update to version 1.4.32.

Provided and/or discovered by
The vendor credits Jesse Sipprell, McClatchy Interactive, Inc.

Original Advisory
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2012-11-21 18:54:28 UTC
Ebuild in portage. Please test with various use flag combinations
Comment 2 Agostino Sarubbo gentoo-dev 2012-11-22 09:57:19 UTC
(In reply to comment #1)
> Ebuild in portage. Please test with various use flag combinations

http://bpaste.net/raw/59688/ should be enough.


Arches, please test and mark stable:
=www-servers/lighttpd-1.4.32
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2012-11-22 10:03:30 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Ebuild in portage. Please test with various use flag combinations
> 
> http://bpaste.net/raw/59688/ should be enough.
> 
> 
> Arches, please test and mark stable:
> =www-servers/lighttpd-1.4.32
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

I asked you multiple times not to use online paste services as they may not be available in the future (or when arch teams get around to handling this bug)
Comment 4 Agostino Sarubbo gentoo-dev 2012-11-22 10:11:21 UTC
(In reply to comment #3)
> I asked you multiple times not to use online paste services as they may not
> be available in the future (or when arch teams get around to handling this bug)

This paste will never be useful in the future; it is just to say it passed multiple compile tests.
Comment 5 Agostino Sarubbo gentoo-dev 2012-11-22 10:33:13 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-22 15:26:46 UTC
Stable for HPPA.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-22 15:28:10 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I asked you multiple times not to use online paste services as they may not
> > be available in the future (or when arch teams get around to handling this bug)
> 
> This paste will never be useful in the future; it is just to say it passed
> multiple compile tests.

   "You should never use URL to point to pastebins for error messages, logs,
    emerge --info output, screenshots or similar information. Instead, these
    should always be attached to the bug."

http://www.gentoo.org/doc/en/bugzilla-howto.xml
Comment 8 Anthony Basile gentoo-dev 2012-11-22 17:30:45 UTC
stable ppc ppc64
Comment 9 Mark Reiche 2012-11-22 22:02:56 UTC
x86 ok.
emerge, test and run successfully.
repoman complains about file.size of lighttpd-1.4.29-mod_uploadprogress.patch

my use-flags: bzip2 gdbm pcre rrdtool ssl {test} webdav zlib -doc -fam -ipv6 -kerberos -ldap -libev -lua -memcache -minimal -mmap -mysql -php (-selinux) -uploadprogress -xattr
Comment 10 Anthony Basile gentoo-dev 2012-11-23 04:56:58 UTC
stable arm
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-11-25 19:03:20 UTC
alpha/ia64/sh/sparc/x86 stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-26 01:16:32 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-11-28 22:37:58 UTC
CVE-2012-5533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5533):
  The http_request_split_value function in request.c in lighttpd 1.4.32 allows
  remote attackers to cause a denial of service (infinite loop) via a request
  with a header containing an empty token, as demonstrated using the
  "Connection: TE,,Keep-Alive" header.
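The endless loop named in the Secunia description and the "Connection: TE,,Keep-Alive" trigger quoted above, as an added C illustration that is not lighttpd's code: a simplified comma-list header splitter with the same bug shape (the separator is consumed only after a non-empty element, so an empty element leaves the scanner at the same ',' forever), the fixed variant that always consumes the separator, and an oracle that tells whether a captured header value would hang the vulnerable scanner. The structure, the names `split_value_vulnerable`, `split_value_fixed` and `header_would_stall`, the iteration budget and the benign comparison value are this example's own assumptions; lighttpd's real `http_request_split_value()` in src/request.c differs in detail, and only the "TE,,Keep-Alive" value comes from the CVE text.

```c
/* Added illustration (not lighttpd's code): a simplified list-header
 * splitter with the bug shape of CVE-2012-5533 beside a fixed variant. */
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16
#define TOKEN_LEN 64

struct tokens {
    int count;
    char tok[MAX_TOKENS][TOKEN_LEN];
};

/* Copy the element [start, end) into the next slot; return 0 when full. */
static int store_token(struct tokens *out, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (out->count >= MAX_TOKENS) return 0;
    if (n >= TOKEN_LEN) n = TOKEN_LEN - 1;
    memcpy(out->tok[out->count], start, n);
    out->tok[out->count][n] = '\0';
    out->count++;
    return 1;
}

/* Vulnerable shape: ',' is consumed only after a non-empty element.  On
 * "TE,,Keep-Alive" the second element is empty, nothing is consumed, and the
 * loop revisits the same ','.  'budget' (an assumption for this example)
 * caps the iterations so the call terminates; -1 reports the stall. */
static int split_value_vulnerable(const char *value, struct tokens *out, int budget)
{
    const char *s = value;
    out->count = 0;
    while (*s) {
        if (budget-- <= 0) return -1;            /* stalled: would spin forever */
        while (*s == ' ' || *s == '\t') s++;     /* skip leading whitespace */
        const char *start = s;
        while (*s && *s != ',') s++;             /* scan to end of element */
        const char *end = s;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (start == end)
            continue;                            /* BUG: s still points at ',' */
        if (!store_token(out, start, end)) break;
        if (*s == ',') s++;                      /* step over the separator */
    }
    return out->count;
}

/* Fixed: consume the separator whether or not the element was empty, so
 * every iteration makes progress through the input. */
static int split_value_fixed(const char *value, struct tokens *out)
{
    const char *s = value;
    out->count = 0;
    while (*s) {
        while (*s == ' ' || *s == '\t') s++;
        const char *start = s;
        while (*s && *s != ',') s++;
        const char *end = s;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (end > start && !store_token(out, start, end)) break;
        if (*s == ',') s++;                      /* FIX: always consume ',' */
    }
    return out->count;
}

/* Oracle for captured requests: a non-stalling pass consumes at least one
 * byte per iteration, so a budget of strlen + 2 separates progress from a spin. */
static int header_would_stall(const char *value)
{
    struct tokens t;
    return split_value_vulnerable(value, &t, (int)strlen(value) + 2) < 0;
}

static int fixed_count(const char *value)
{
    struct tokens t;
    return split_value_fixed(value, &t);
}

static int fixed_token_is(const char *value, int n, const char *expect)
{
    struct tokens t;
    int c = split_value_fixed(value, &t);
    return n >= 0 && n < c && strcmp(t.tok[n], expect) == 0;
}

int main(void)
{
    const char *crafted = "TE,,Keep-Alive";   /* value quoted in the CVE text */
    const char *benign  = "TE, Keep-Alive";   /* constructed comparison value */
    struct tokens t;
    printf("crafted stalls vulnerable scanner: %s\n", header_would_stall(crafted) ? "yes" : "no");
    printf("benign stalls vulnerable scanner:  %s\n", header_would_stall(benign) ? "yes" : "no");
    int n = split_value_fixed(crafted, &t);
    printf("fixed scanner on crafted value: %d element(s)\n", n);
    for (int i = 0; i < n; i++) printf("  [%d] \"%s\"\n", i, t.tok[i]);
    return 0;
}
```

The oracle is the part worth keeping around: run it over Connection, TE or other list-valued headers from a capture to see which requests would have pinned a 1.4.31 worker before patching. Note that a trailing empty element ("TE,") does not stall this scanner, because the separator is consumed right after the preceding non-empty token; only a leading or interior empty element leaves it without progress.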
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:49:31 UTC
Vote: yes.
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-06-13 20:44:09 UTC
This issue was resolved and addressed in
 GLSA 201406-10 at http://security.gentoo.org/glsa/glsa-201406-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).