Bug 238180 - www-servers/lighttpd < 1.4.20 multiple issues (DoS, information disclosure) (CVE-2008-{4298,4359,4360})
Summary: www-servers/lighttpd < 1.4.20 multiple issues (DoS, information disclosure) (...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://trac.lighttpd.net/trac/ticket/...
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 239552
Depends on:
Blocks:
 
Reported: 2008-09-20 13:57 UTC by Christian Hoffmann (RETIRED)
Modified: 2020-04-10 11:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-09-20 13:57:26 UTC
lighttpd can be forced to leak memory by sending lots of requests with duplicate request headers. Patch is available from the ticket and will be in the VCS in some minutes; lighty-1.4.20, which should include the patch, is supposed to be released in the near future.

By some testing it looks like it takes some time to get lighty to use a dangerous amount of memory, but nevertheless it's an issue.

I'll handle bumping/patching.
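The request shape described above (one request carrying the same header name several times) is easy to spot on the wire. The following is an added example, not lighttpd code or the upstream patch: a small header parser that reports which header names repeat in a raw HTTP/1.1 request, plus a threshold check a log-replay or proxy-side filter could use. The request bytes and the `max_repeats` default are constructed for illustration.

```python
"""Detect duplicate request headers in a raw HTTP/1.1 request.

Added example (not lighttpd code): reports header names that occur more
than once in a request. The sample request is constructed, not captured.
"""
from collections import Counter

# Constructed sample request with one header name repeated three times.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Custom: a\r\n"
    b"X-Custom: b\r\n"
    b"X-Custom: c\r\n"
    b"User-Agent: probe\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block of a raw request into (name, value) pairs.

    Header names are lower-cased because HTTP header names are
    case-insensitive; the request line is skipped and anything after the
    blank line (the body) is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def duplicate_headers(raw: bytes) -> dict[str, int]:
    """Return {header_name: count} for every name that appears more than once."""
    counts = Counter(name for name, _ in parse_headers(raw))
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(raw: bytes, max_repeats: int = 2) -> bool:
    """Flag a request if any header name repeats more than max_repeats times.

    Some headers legitimately repeat (several Cookie or Accept lines, for
    example), so the threshold is a local policy choice, not a protocol rule.
    """
    return any(n > max_repeats for n in duplicate_headers(raw).values())


if __name__ == "__main__":
    print(duplicate_headers(SAMPLE_REQUEST))
    print(is_suspicious(SAMPLE_REQUEST))
```

Running the block on the constructed request reports `x-custom` repeated three times and flags it; a request with no repeated names is not flagged.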
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-26 20:10:55 UTC
JFI: CVE request has been sent by lighty upstream to coley directly some days ago already and by bressers from Redhat @ oss-sec as well.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 14:58:26 UTC
CVE-2008-4298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4298):
  Memory leak in the http_request_parse function in request.c in
  lighttpd before 1.4.20 allows remote attackers to cause a denial of
  service (memory consumption) via a large number of requests with
  duplicate request headers.

Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-30 15:13:03 UTC
www-servers: Apologies for not CC'ing you, I seem to have missed this.

1.4.20 has been released and I just added it to the tree. It fixes two other security problems. The first (mod_userdir-related) does not affect us, as we tracked this in bug 213164. The second is:

(Quoting my mail to oss-sec)
>   * Unexpected behavior of url.redirect / url.rewrite config options
>
>     While this is not a security issue in lighttpd, the user might
>     rely on the fact that those options are supposed to be matched
>     against the urldecoded version of the URL. Depending on the
>     configuration, this would allow for unwanted access to certain
>     resources (information disclosure or even manipulation of data)
>     References: [1] [2]

Two more references to the memory leak issue are at [5] and [6].

Arches, please test and mark stable:
  =www-servers/lighttpd-1.4.20
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86
                 ~mips ~sparc-fbsd ~x86-fbsd
Already stable: amd64
To stable: alpha arm hppa ia64 ppc ppc64 sh sparc x86

Short note: FEATURES=test seems to be broken here (not only in .20), I'll try to work on either fixing or restricting (preferably the former). Testing can be done just by running it through the init script and browsing some files (or maybe even setting up a webapp).

[1] http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
[2] http://www.lighttpd.net/security/lighttpd-1.4.x_rewrite_redirect_decode_url.patch
[5] http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
[6] http://www.lighttpd.net/security/lighttpd-1.4.x_request_header_memleak.patch
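The url.redirect / url.rewrite point above comes down to what string the rule is actually matched against: the raw request target or its percent-decoded form. The following is an added example, not lighttpd's mod_rewrite or mod_redirect code: it runs one administrator-style rule against constructed URLs both ways and lists the URLs where the two answers disagree, which is the check to run before relying on such a rule for access control. The rule, the URLs and the function names are assumptions for illustration.

```python
"""Compare URL-rule matching against the raw vs. the percent-decoded URL.

Added example, not lighttpd code: shows how a regex written with decoded
paths in mind gives different answers depending on whether the server
decodes the URL before matching. Rule and URLs are constructed.
"""
import re
from urllib.parse import unquote

# A rule an administrator might write while thinking in decoded paths.
RULE = re.compile(r"^/private/")

# Constructed request targets: one literal, one with a percent-encoded byte.
REQUESTS = ["/private/report.txt", "/%70rivate/report.txt"]


def rule_matches(rule: re.Pattern, url: str, decode_first: bool) -> bool:
    """Return True if the rule matches the URL as the server would see it.

    decode_first=True models a server that percent-decodes before matching;
    False models matching against the raw request target.
    """
    subject = unquote(url) if decode_first else url
    return rule.search(subject) is not None


def audit(rule: re.Pattern, urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each URL report (matches_raw, matches_decoded).

    A (False, True) entry means the rule only takes effect if the server
    decodes before matching, so the server's documented behaviour (or a test
    against the running instance) decides whether the rule is reliable.
    """
    return {
        u: (rule_matches(rule, u, False), rule_matches(rule, u, True))
        for u in urls
    }


def inconsistent_urls(rule: re.Pattern, urls: list[str]) -> list[str]:
    """URLs for which raw and decoded matching disagree."""
    return [u for u, (raw, dec) in audit(rule, urls).items() if raw != dec]


if __name__ == "__main__":
    for url, (raw, dec) in audit(RULE, REQUESTS).items():
        print(f"{url!r}: raw={raw} decoded={dec}")
    print("inconsistent:", inconsistent_urls(RULE, REQUESTS))
```

The practical reading of the output: a rule that is only meant to act on decoded paths is not a substitute for an access check applied after the server has canonicalised the path, and any rule with a `(False, True)` result should be retested whenever the server's decoding behaviour changes, as it did across this upgrade.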
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-30 16:43:24 UTC
Actually adding arches.
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-30 18:54:19 UTC
From oss-sec:

>> * Unexpected behavior of url.redirect / url.rewrite config options
> Use CVE-2008-4359, to be filled in later.

>> * Information disclosure w/ mod_userdir on case-insensitive file
>>   systems
> Use CVE-2008-4360, to be filled in later.

(And thanks for fixing my arch CC'ing mess-up, keytoaster ;))
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-09-30 19:42:27 UTC
Sparc stable.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-30 20:01:51 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-10-01 09:18:49 UTC
alpha/ia64/x86 stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-10-01 10:21:02 UTC
ppc64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:39:41 UTC
ppc stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:22:09 UTC
Ready for vote, I vote YES.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-04 15:45:44 UTC
*** Bug 239552 has been marked as a duplicate of this bug. ***
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:42:10 UTC
Voting YES, request filed.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:50:18 UTC
GLSA 200812-04