Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!

Full Text Bug Listing

c&p from secunia
Description:
A vulnerability has been reported in lighttpd, which can be exploited by
malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a calculation error when allocating the
global file descriptor array and can be exploited to crash an affected server.

The vulnerability is reported in version 1.4.18. Other versions may also be
affected.

Solution:
A temporary patch is available.
http://trac.lighttpd.net/trac/attachment/ticket/1562/Fix-372-and-1562.patch

Restrict network access to the service.

Provided and/or discovered by:
fdeletang

Original Advisory:
http://trac.lighttpd.net/trac/ticket/1562

Thanks for the report. maintainers, please bump as necessary.

looking at the patch/bugreport one gets the feelling that this is solaris only?
a/src/fdevent_solaris_devpoll.c

secunia does not mention which arches are affected...
security, please investigate.

As far as I understand, the vulnerability is not Solaris specific.
It was introduced by a workaround for a Solaris specific bug, but affects Linux
as well.

Ok... I'm able to reprodce the problem on Linux (x86_64) and don't see a reason
why it should be Solaris-specific (so I guess other archs are affected as
well).

# on a root console
$ cat > lighttpd.conf
server.port = 8080
server.bind = "127.0.0.1"
server.document-root = "/tmp"

$ ulimit -n 20
$ lighttpd -Df lighttpd.conf

# on another console (does not have to be root)
$ ab -c 20 -n20 http://localhost:8080/ # app-admin/apache-tools


This makes it segfault for me. The mentioned patch solves it.
So, summary:
  * All archs are affected
  * The bug can only be triggered if lighty is spawned as root (indepedent
    of whether it drops privileges later or not)
  * Apparently (just from testing...) it only works if lighty is spawned in
    the foreground (-D command line option), which is neither upstream default
    nor our default. I'm not exactly sure here though. If this is the case, our
    default setup would not be vulnerable.
  * The patch works.

I asked Markus Rueckert (upstream 1.4 maintainer). He is aware of the issue and
will do some research on the issue itself and the correctness of the patch.
I'll keep this bug updated.

Bumped (before I saw that bangert's comments were from today *ahem*, oh well) -
bangert, I guess that if all looks ok to you, we can get this stable?

bangert?

sorry! it looks fine - thanks welp!
are exotic archs also asked to mark stable?

archs: please mark www-servers/lighttpd-1.4.18-r1 stable
Target keywords: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd
x86 ~x86-fbsd

x86 stable

Stable for HPPA.

Adding release to CC.

ppc64 stable

#### AMD64 TEST REPORT #####

* overall emerge:       PASS
* multilib-strict:      PASS
* collision-protect:    PASS
* test phase:           PASS
* manual testing:       PASS

USE="bzip2 fastcgi ipv6 pcre ssl test -doc -fam -gdbm -ldap -lua -memcache
-minimal -mysql -php -rrdtool -webdav -xattr"

---

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.23-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology
TL-50
Timestamp of tree: Tue, 26 Feb 2008 12:00:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer
multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 arts bash-completion bitmap-fonts bzip2 cdda
cdparanoia cdr cgi cli cracklib crypt cups curl cvs dbus divx dri dts dvd
dvdnav dvdr dvdread encode exif fastcgi ffmpeg firefox fortran ftp fuse gcj gif
glitz glut gmail gnutls gstreamer gtk gtk2 hal hbci history httpd iconv icq
imagemagick imap ipv6 isdnlog jabber jack java jpeg jpeg2k kde kdm keyring midi
mmx mod mozdevelop mp3 mpd mpeg mplayer mudflap ncurses network nntp nptl
nptlonly nsplugin nvidia offensive ogg opengl openmp openvpn oscar pam pcmcia
pcre pdf png pop pppd python qt3 qt3support qt4 quicktime quotes readline
reflection rtsp sdl sdl-image shout skins smp soup spl sql sqlite sqlite3 sse
sse2 ssl statistics stream subversion svg symlink taglib tcpd theora threads
tiff truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax vorbis
widescreen wifi wxwindows x264 xcomposite xinerama xml xorg xv xvid zip zlib"
ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw
multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias
auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache
dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache
filter headers include info log_config logio mem_cache mime mime_magic
negotiation rewrite setenvif speling status unique_id userdir usertrack
vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

alpha/ia64/sparc stable

ppc stable

amd64 done, thanks Torsten

Fixed in release snapshot.

This is ready for GLSA vote. I vote YES.

i dont know if my vote counts, but as other distros (rPath) have released an
annoucement, i think we should too... thanks!

YES, filed.

Thilo, by policy your vote does not count, but a maintainer's word is also very
valuable to security because you you know the package, configuration and
surroundings usually better than we do. 

sh, arm: please skip this one and go directly to lighttpd-1.4.18-r2 - see also
bug #211956

GLSA 200803-10