Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 211956 (CVE-2008-1111) - www-servers/lighttpd <1.4.18-r2 mod_cgi vulnerability (CVE-2008-1111)
Summary: www-servers/lighttpd <1.4.18-r2 mod_cgi vulnerability (CVE-2008-1111)
Status: RESOLVED FIXED
Alias: CVE-2008-1111
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://trac.lighttpd.net/trac/changes...
Whiteboard: C3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-01 11:22 UTC by Johan Bergström
Modified: 2020-04-06 21:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johan Bergström 2008-03-01 11:22:45 UTC 
When mod_cgi running onlighttpd is unable to fork anymore (for instance if ulimit is reached) lighty sends the full source of the cgi script. This is rather serious and affects all users of mod_cgi. The patch (found at lighttpd's subversion repository) returns a 500 response instead.


Reproducible: Always
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-03-01 11:30:11 UTC 
As far as I see, our default config is not vulnerable. We are shipping a default config for mod_cgi (mod_cgi.conf) but we are not including it in lighttpd.conf (and that's what matters).

CC'ing maintainers.
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-03-01 17:43:39 UTC 
hoffie: you are right. out of the box lighttpd is not affected (AFAICT). the mod_cgi module is only loaded, if mod_cgi.conf is included (it's not by default).

the patch is now included in lighttpd-1.4.18-r2.
security: do your thing :) thanks
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-01 20:19:44 UTC 
Rating as C4 since the default configuration is not affected. Arches, please stabilize www-servers/lighttpd-1.4.18-r2, target KEYWORDS are "alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd".
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-01 23:31:38 UTC 
Test fails badly...anyone else?
Comment 5 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-03-02 11:01:17 UTC 
sure - they have been failing for some time. sorry for not pointing that out.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-03-02 11:22:10 UTC 
(In reply to comment #4)
> Test fails badly...anyone else?
> 

With what use-flags?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-02 11:29:13 UTC 
File/password disclosure would be 3.
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2008-03-02 16:00:50 UTC 
(In reply to comment #4)
> Test fails badly...anyone else?

All tests passed and www-apps/mantisbt works fine with lighttpd on amd64.

USE="bzip2 fam fastcgi gdbm ipv6 ldap memcache pcre php rrdtool ssl test webdav xattr -doc -lua -minimal -mysql"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-02 17:48:26 UTC 
(In reply to comment #6)
> (In reply to comment #4)
> > Test fails badly...anyone else?
> > 
> 
> With what use-flags?

USE=*, USE=-* and USE=<profile>, that's what I usually test.  Tests differ depending on USE flags.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-03-02 20:46:31 UTC 
ppc64 stable
Comment 11 Ryan Hill (RETIRED) gentoo-dev 2008-03-02 21:53:12 UTC 
mips already done.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-03 01:56:18 UTC 
Stable for HPPA.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-03-03 10:41:41 UTC 
alpha/ia64/sparc/x86 stable
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2008-03-03 19:03:57 UTC 
amd64 stable. And no tests fail here with different USE flags...
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 18:50:51 UTC 
ppc stable
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-03-05 06:45:47 UTC 
Fixed in release snapshot.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-05 21:44:03 UTC 
GLSA 200803-10