Summary: | <www-servers/lighttpd-1.4.64: mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (CVE-2022-22707) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | gs-gentoo.org, herbmillerjr, proxy-maint
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://nvd.nist.gov/vuln/detail/CVE-2022-22707 | |
Whiteboard: | B3 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 820755, 834464 | |
Bug Blocks: | | |
Description
filip ambroz
2022-01-06 16:51:14 UTC
There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity. With that in mind, should I hold off on the version bump to 1.4.63 (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land in 1.4.64?

(In reply to Herb Miller Jr. from comment #1)
> There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity. With that in mind, should I hold off on the version bump to 1.4.63 (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land in 1.4.64?

No, let's bump anyway, but try to bump to the new one quickly if it comes out.

> There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity.

No, there is no disagreement. The bug reporter did not do any impact assessment. An impact assessment was done by lighttpd developers in https://redmine.lighttpd.net/issues/3134

The bug -- which triggers an assert and crash -- is not known to be reachable except in 32-bit builds of lighttpd which were built with -fstack-protector-strong (not with only -fstack-protector), and when mod_extforward is configured to permit the "Forwarded" header, which itself (the "Forwarded" header) is not well supported in current reverse proxies or CDNs. These vulnerable configs are expected to be vanishingly rare, especially since any large system behind load balancers and reverse proxies is likely using 64-bit lighttpd, anyway, and 64-bit lighttpd is not known to be adversely affected by the bug.
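The reachability conditions listed above (a lighttpd version before 1.4.64, a 32-bit build, and mod_extforward configured to accept "Forwarded") can be checked on a host with the following added POSIX shell script; it is not part of the bug report or the lighttpd project, and the guarded example call at the end assumes the Gentoo default paths /usr/sbin/lighttpd and /etc/lighttpd/lighttpd.conf. The -fstack-protector-strong build condition cannot be read from the binary, so the script covers only the other three and a match means "review this host", not a confirmed crash path.

```shell
#!/bin/sh
# Added example (not from the bug report or lighttpd): checks three of the conditions the
# lighttpd developers listed for CVE-2022-22707 being reachable -- a version before 1.4.64,
# a 32-bit build, and mod_extforward configured to accept the "Forwarded" header.
# Whether the build used -fstack-protector-strong cannot be read from the binary, so it is
# not checked; a match here means "review this host", not a confirmed crash path.

# Returns 0 when the version string (e.g. "1.4.63") sorts before 1.4.64.
lighttpd_version_affected() {
    echo "$1" | awk -F. '{ n = $1 * 1000000 + $2 * 1000 + $3
                           if (n < 1004064) exit 0; exit 1 }'
}

# Returns 0 when an uncommented, single-line extforward.headers directive lists the exact
# token "Forwarded" (RFC 7239); "X-Forwarded-For" and "Forwarded-For" do not match.
# Multi-line array values are not handled by this simple grep.
lighttpd_forwarded_enabled() {
    grep -E '^[[:space:]]*extforward\.headers[[:space:]]*\+?=' "$1" 2>/dev/null |
        grep -q '"Forwarded"'
}

# Returns 0 when the ELF header's EI_CLASS byte (offset 4) is 1, i.e. a 32-bit binary.
elf_is_32bit() {
    [ "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' ')" = "1" ]
}

# Combines the checks: prints a verdict and returns 0 only when all three conditions hold.
lighttpd_cve_2022_22707_exposed() {
    ver=$1; conf=$2; bin=$3
    if lighttpd_version_affected "$ver" && elf_is_32bit "$bin" \
        && lighttpd_forwarded_enabled "$conf"; then
        echo "EXPOSED: lighttpd $ver at $bin is 32-bit and $conf enables \"Forwarded\""
        return 0
    fi
    echo "not exposed: at least one reachability condition for CVE-2022-22707 does not hold"
    return 1
}

# Example call using the Gentoo default paths (an assumption); skipped when they are absent.
if [ -r /usr/sbin/lighttpd ] && [ -r /etc/lighttpd/lighttpd.conf ]; then
    ver=$(/usr/sbin/lighttpd -v 2>&1 | sed -n 's|^lighttpd/\([0-9.]*\).*|\1|p')
    [ -n "$ver" ] && lighttpd_cve_2022_22707_exposed "$ver" \
        /etc/lighttpd/lighttpd.conf /usr/sbin/lighttpd || :
fi
```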
Please clean up

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f561442e589e60f79873b3f4db5e9935970ac46

commit 2f561442e589e60f79873b3f4db5e9935970ac46
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-24 01:48:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-24 01:48:52 +0000

    www-servers/lighttpd: drop 1.4.55-r102, 1.4.58-r2, 1.4.59-r2

    Bug: https://bugs.gentoo.org/851234
    Bug: https://bugs.gentoo.org/830691
    Bug: https://bugs.gentoo.org/803821
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/lighttpd/Manifest                    |   3 -
 www-servers/lighttpd/files/conf/lighttpd.conf    | 279 ---------------------
 .../files/lighttpd-1.4.59-nspr-header.patch      |  16 --
 www-servers/lighttpd/files/lighttpd.initd        |  79 ------
 www-servers/lighttpd/lighttpd-1.4.55-r102.ebuild | 247 ------------------
 www-servers/lighttpd/lighttpd-1.4.58-r2.ebuild   | 268 --------------------
 www-servers/lighttpd/lighttpd-1.4.59-r2.ebuild   | 242 ------------------
 www-servers/lighttpd/metadata.xml                |   2 -
 8 files changed, 1136 deletions(-)

noglsa, as disputed upstream, and minimal impact.