Bug 185442

Summary: www-servers/lighttpd < 1.4.16 Multiple issues (CVE-2007-39{46,47,48,49,50}, CVE-2007-2841)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bangert, bernd, chainsaw, lars, phreak, sgtphou
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/26130
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments (flags: none on all):
lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
lighttpd-1.4.x_mod_access_bypass.patch
lighttpd-1.4.x_mod_fastcgi_local_dos.patch
lighttpd-1.4.15-r1.ebuild
07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff
08_all_lighttpd-1.4.15-mod_access_bypass.diff
09_all_lighttpd-1.4.15-mod_fastcgi_local_dos.diff

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:21:45 UTC
Attaching patches in a moment.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:23:12 UTC
Created attachment 124941 [details, diff]
lighttpd-1.4.x_duplicated_headers_with_folding_crash.patch
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:23:32 UTC
Created attachment 124943 [details, diff]
lighttpd-1.4.x_mod_access_bypass.patch
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:23:49 UTC
Created attachment 124944 [details, diff]
lighttpd-1.4.x_mod_fastcgi_local_dos.patch
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:29:55 UTC
Thilo, please provide an updated ebuild for prestable testing. Friendly note: Do NOT commit anything yet.

Further details (not patches) will be attached later.
Comment 5 Thilo Bangert (RETIRED) gentoo-dev 2007-07-15 22:01:48 UTC
Created attachment 124966 [details]
lighttpd-1.4.15-r1.ebuild
Comment 6 Thilo Bangert (RETIRED) gentoo-dev 2007-07-15 22:02:19 UTC
Created attachment 124968 [details]
07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash.diff
Comment 7 Thilo Bangert (RETIRED) gentoo-dev 2007-07-15 22:02:54 UTC
Created attachment 124969 [details]
08_all_lighttpd-1.4.15-mod_access_bypass.diff
Comment 8 Thilo Bangert (RETIRED) gentoo-dev 2007-07-15 22:05:50 UTC
Created attachment 124971 [details]
09_all_lighttpd-1.4.15-mod_fastcgi_local_dos.diff

Drop the patches into files/1.4.15/ and use the attached ebuild.
The patches have been modified in naming (so as to work with epatch) and in minor layout (header removed), and the NEWS section update of the duplicate headers patch has been removed (clash).
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-16 19:36:09 UTC
Thx Thilo for the fast response.

Arch security liaisons please test and report back on this bug.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-16 19:44:15 UTC
*** Bug 185549 has been marked as a duplicate of this bug. ***
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-07-16 19:45:37 UTC
compiles and runs fine on ppc64
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-16 22:07:11 UTC
Works for hppa.
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-17 14:19:03 UTC
sparc okie dokie.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-17 17:53:46 UTC
Release date is tomorrow, still need status from:

x86 ppc amd64 alpha
Comment 15 Thilo Bangert (RETIRED) gentoo-dev 2007-07-20 06:23:10 UTC
The next 10 days I'll be on vacation and thus not able to commit this babe... sorry.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-20 13:13:50 UTC
Public now. Somebody please commit this.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-20 13:25:48 UTC
*** Bug 185978 has been marked as a duplicate of this bug. ***
Comment 18 Christian Heim (RETIRED) gentoo-dev 2007-07-20 13:41:30 UTC
(In reply to comment #14)
> Release date is tomorrow, still need status from:
> 
> x86 ppc amd64 alpha

Works for me on x86 and amd64 (passes collision-protect and works like before),
though I'm no arch team person.

Comment 19 Markus Rothe (RETIRED) gentoo-dev 2007-07-20 13:43:05 UTC
I just wanted to commit, but wasn't sure how to do so. If we drop the patches
in ${FILESDIR}/1.4.15, then 1.4.15-r1 will be the exact same ebuild as 1.4.15
and everybody who compiles 1.4.15 will get the patches from this bug, too.

(Due to this line in the ebuild:
    EPATCH_SUFFIX="diff" EPATCH_OPTS="-l" epatch ${FILESDIR}/${PV} || die "Patching failed!"
)

I could create ${FILESDIR}/1.4.15-r1, but then we have to copy over the files
from ${FILESDIR}/1.4.15, which means duplicated patches in CVS. I would do the
copy, but as this is not my package I would like to hear a comment before I
commit.
Comment 20 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-20 13:56:45 UTC
There's another bug as pointed out by smithj, it's RPL-1554 (https://issues.rpath.com/browse/RPL-1554 and http://lists.rpath.com/pipermail/distro-commits/2007-July/055669.html).
It's patched in 1.4.15-r1 in the tree so arches will have to stable themselves because of this addition.
Corsair: switch to PVR, duplicate it for now (with 1.4.15-r1 having the sec patches) and when arches are done do a simple cleanup.
Security: arches should be called in now.
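The problem raised in comment 19 and answered in comment 20 is about which directory epatch reads from. Portage sets PV to the upstream version ("1.4.15") and PVR to the version plus revision ("1.4.15-r1"; PVR equals PV when there is no revision), so an ebuild that patches from ${FILESDIR}/${PV} makes 1.4.15 and 1.4.15-r1 share one patch directory. The script below is an added illustration, not the lighttpd ebuild or anything attached to this bug: it builds a throwaway FILESDIR in a temporary directory (the patch file names mirror the attachments above, the directory itself is constructed) and lists what each layout would apply for each revision.

```shell
#!/bin/sh
# Added illustration (not from the bug or the lighttpd ebuild): how the
# epatch source directory is chosen when an ebuild says ${FILESDIR}/${PV}
# versus ${FILESDIR}/${PVR}. The FILESDIR tree built here is constructed.

# Derive PV from a PVR string by stripping a trailing "-rN" revision suffix.
pv_of() {
    case $1 in
        *-r[0-9]*) printf '%s\n' "${1%-r*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# List the *.diff files epatch would pick up for a given revision, using
# either the PV layout (shared between revisions) or the PVR layout (one
# directory per revision). Prints nothing if the directory does not exist.
patches_for() {
    filesdir=$1 pvr=$2 layout=$3
    case $layout in
        PV)  dir="$filesdir/$(pv_of "$pvr")" ;;
        PVR) dir="$filesdir/$pvr" ;;
        *)   echo "unknown layout: $layout" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.diff; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Build a constructed FILESDIR: the patches live under 1.4.15 only, exactly
# as when the attachments from this bug are dropped into files/1.4.15/.
demo_filesdir() {
    d=$(mktemp -d)
    mkdir -p "$d/1.4.15"
    for p in 07_all_lighttpd-1.4.15-duplicated_headers_with_folding_crash \
             08_all_lighttpd-1.4.15-mod_access_bypass \
             09_all_lighttpd-1.4.15-mod_fastcgi_local_dos; do
        : > "$d/1.4.15/$p.diff"
    done
    printf '%s\n' "$d"
}

# Number of patches epatch would apply for a revision under a layout.
patch_count() {
    patches_for "$1" "$2" "$3" | wc -l | tr -d ' '
}

main() {
    fd=$(demo_filesdir)
    for layout in PV PVR; do
        for pvr in 1.4.15 1.4.15-r1; do
            printf '%-3s layout, %-9s -> %s patches\n' \
                "$layout" "$pvr" "$(patch_count "$fd" "$pvr" "$layout")"
        done
    done
    rm -rf "$fd"
}
main
```

Under the PV layout both revisions receive all three patches, which is the silent behaviour change Markus describes: users who already have 1.4.15 installed keep a vulnerable binary until they rebuild, and a rebuild of 1.4.15 produces a differently patched package under the same version. Under the PVR layout the unrevised ebuild finds no directory and stays as it was, while 1.4.15-r1 needs its own files/1.4.15-r1/ populated, which is the duplication comment 20 accepts until the old revision is cleaned up.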
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2007-07-20 18:16:23 UTC
gustavoz: thanks for committing, real life caught me for some hours...

ppc64 stable
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-20 19:36:35 UTC
Stable for HPPA.
Comment 23 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-20 21:08:13 UTC
sparc stable.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-07-21 17:22:42 UTC
make[3]: Entering directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
cp: cannot stat `./docroot/www/*.html~': No such file or directory
preparing infrastructure                PASS: prepare.sh
./core-var-include....ok
./core-condition......ok
./core-request........ok
./core-response.......ok
./core-keepalive......ok
./core................ok
./mod-access..........# status failed: expected '403', got '404'

#   Failed test '\#1230 - forbid access to ...~ - trailing slash'
#   at ./mod-access.t line 31.
# Looks like you failed 1 test of 4.
dubious
        Test returned status 1 (wstat 256, 0x100)
DIED. FAILED test 3
        Failed 1/4 tests, 75.00% okay
./mod-auth............ok
./mod-cgi.............ok
./mod-compress........ok
./mod-fastcgi.........# header vary is duplicated: Accept-Encoding and Accept-Encoding
ok
        34/47 skipped: various reasons
./mod-redirect........ok
./mod-userdir.........ok
./mod-rewrite.........ok
        5/5 skipped: various reasons
./request.............ok
./mod-ssi.............ok
./mod-setenv..........ok
./lowercase...........ok
./cachable............ok
Failed Test    Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
./mod-access.t    1   256     4    1  3
39 subtests skipped.
Failed 1/19 test scripts. 1/278 subtests failed.
Files=19, Tests=278, 10 wallclock secs ( 2.33 cusr +  0.42 csys =  2.75 CPU)
Failed 1/19 test programs. 1/278 subtests failed.
FAIL: run-tests.pl
cleaning up                             PASS: cleanup.sh
================================
1 of 3 tests failed
Please report to jan@kneschke.de
================================
make[3]: *** [check-TESTS] Error 1
make[3]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/www-servers/lighttpd-1.4.15-r1/work/lighttpd-1.4.15/tests'
make: *** [check-recursive] Error 1

Should we ignore them? The actual stable version works fine.
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-25 07:01:04 UTC
x86 stable. The test failure is caused by the mod_access patch, but there seems to be no loss in functionality... so I say: Go.
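The one failing test in the run above, "forbid access to ...~ - trailing slash", checks that a url.access-deny rule for editor backup files ("~") still applies when a slash is appended to the request path. As an added illustration, not lighttpd's code and not the patch attached to this bug, the script below shows a suffix deny check once on the raw request path and once after trailing slashes are stripped; the deny list and the request paths are constructed.

```shell
#!/bin/sh
# Added illustration (not lighttpd's code): a suffix-based deny rule of the
# kind url.access-deny expresses, evaluated on the raw path and on a path
# with trailing slashes removed. Deny list and request paths are constructed.

DENY_SUFFIXES="~ .inc"

# Raw check: compare the deny suffixes against the request path as received.
# "/config.inc/" does not end in ".inc", so this form lets it through.
raw_status() {
    for s in $DENY_SUFFIXES; do
        case $1 in *"$s") echo 403; return 0 ;; esac
    done
    echo 200
}

# Normalized check: strip trailing slashes first, so the rule is evaluated
# against the path component that actually names the file.
normalized_status() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    for s in $DENY_SUFFIXES; do
        case $p in *"$s") echo 403; return 0 ;; esac
    done
    echo 200
}

# Constructed request paths, printed with both verdicts side by side.
for path in /index.html /index.html~ /index.html~/ /config.inc /config.inc// /; do
    printf '%-16s raw=%s normalized=%s\n' \
        "$path" "$(raw_status "$path")" "$(normalized_status "$path")"
done
```

Whether a server should answer 403 or 404 for such a path is a policy choice; the test expected 403 and the patched build answered 404, which is why it failed while the deny rule itself, as comment 25 notes, still holds.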
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2007-07-25 13:53:14 UTC
alpha/ia64 stable

Removing liaisons and adding remaining arches
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 20:59:55 UTC
Same test failure on ppc, ppc stable
Comment 28 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-30 09:58:25 UTC
Adding refs.
Comment 29 Christoph Mende (RETIRED) gentoo-dev 2007-07-31 19:37:22 UTC
amd64 stable
Comment 30 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:51:21 UTC
1.4.16 has been released - are we interested in moving to that for easier maintenance or sticking with our patchset?
Comment 31 Thilo Bangert (RETIRED) gentoo-dev 2007-08-05 13:09:55 UTC
Well, someone will surely ask for it, so I put it in. I don't know where the scgi patch comes from, and it looks like it hasn't been applied upstream, so I left it out... for now.

Security: can you advise? The subject mentions five CVEs, there are only three patches on this bug, while the release announcement by lighttpd lists four (and no CVEs).

Anyway, it appears that the three patches on this bug are covered by the 1.4.16 release. So, ARM: Please mark 1.4.16 stable instead of 1.4.15-r1. Thanks.

Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-09 09:51:46 UTC
Thilo: according to http://www.lighttpd.net/download, the patch about mod_auth covers 4 issues, and Secunia added one more CVE ref...
Wrt the current situation, I'd tend to say that it would be much simpler to stabilize 1.4.16 instead of trying to figure out this patching mess.
I'm sorry for putting more work on arch teams, but I think that's the best way to go from here.
Comment 33 Thilo Bangert (RETIRED) gentoo-dev 2007-08-09 17:44:04 UTC
arch teams: please mark stable: lighttpd-1.4.16
Comment 34 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-09 18:16:21 UTC
sparc stable.
Comment 35 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-10 06:40:23 UTC
x86 stable, changing status to "stable" again.
Comment 36 Raúl Porcel (RETIRED) gentoo-dev 2007-08-10 13:42:38 UTC
alpha/ia64 stable
Comment 37 Markus Rothe (RETIRED) gentoo-dev 2007-08-10 17:46:43 UTC
ppc64 stable
Comment 38 Steve Dibb (RETIRED) gentoo-dev 2007-08-12 14:48:10 UTC
amd64 stable
Comment 39 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-14 18:04:56 UTC
ppc stable
Comment 40 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-14 23:01:47 UTC
hppa, does something cause any trouble?
Comment 41 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-15 01:56:43 UTC
(In reply to comment #40)
> hppa, does something cause any trouble?

No, we're just temporarily understaffed.

Stable for HPPA.
Comment 42 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-15 05:43:50 UTC
Rerating and setting status to glsa.
Comment 43 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-16 22:05:56 UTC
GLSA 200708-11, thanks everybody (in time, at last ;) )