Bug 830691 (CVE-2022-22707)

Summary: <www-servers/lighttpd-1.4.64: mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (CVE-2022-22707)
Product: Gentoo Security
Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Resolution: ---
Severity: minor
CC: gs-gentoo.org, herb, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2022-22707
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 820755, 834464
Bug Blocks:

Description filip ambroz 2022-01-06 16:51:14 UTC
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes), as demonstrated by remote denial of service (daemon crash).

URL: https://redmine.lighttpd.net/issues/3134
Comment 1 Herb Miller Jr. 2022-01-18 16:51:22 UTC
There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity. With that in mind, should I hold off on the version bump to 1.4.63 (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land in 1.4.64?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 16:56:55 UTC
(In reply to Herb Miller Jr. from comment #1)
> There appears to be a fair bit of disagreement in upstream's bug report
> about whether or not this is a security issue, and the severity. With that
> in mind, should I hold off on the version bump to 1.4.63
> (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land
> in 1.4.64?

No, let's bump anyway, but try to bump to the new one quickly if it comes out.
Comment 3 gstrauss 2022-01-20 18:47:04 UTC
> There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity.

No, there is no disagreement.  The bug reporter did not do any impact assessment.

An impact assessment was done by lighttpd developers in
https://redmine.lighttpd.net/issues/3134

The bug -- which triggers an assert and crash -- is not known to be reachable except in 32-bit builds of lighttpd which were built with -fstack-protector-strong (not with only -fstack-protector), and when mod_extforward is configured to permit the "Forwarded" header, which itself (the "Forwarded" header) is not well supported in current reverse proxies or CDNs.  These vulnerable configs are expected to be vanishingly rare, especially since any large system behind load balancers and reverse proxies is likely using 64-bit lighttpd, anyway, and 64-bit lighttpd is not known to be adversely affected by the bug.
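As an added example, and not lighttpd's or Gentoo's own code, the script below turns the impact assessment in the comment above into a triage check: it tests the three conditions that can be read from outside the binary (a lighttpd version in the affected range 1.4.46 through 1.4.63, a 32-bit build, and mod_extforward configured to accept the "Forwarded" header). The fourth condition, a build with -fstack-protector-strong, cannot be confirmed from the ELF file, so the script reports it as unknown. The `extforward.headers` directive comes from lighttpd's mod_extforward documentation; the function names, file paths, the sample config and the ELF stub are constructed for the example.

```shell
#!/bin/sh
# Added triage helper for CVE-2022-22707 (lighttpd mod_extforward "Forwarded"
# header parsing). Example code, not lighttpd's or Gentoo's own; function and
# file names are assumptions. It checks the conditions from upstream's impact
# assessment (redmine #3134) that are visible from outside the binary:
#   1. lighttpd version in the affected range 1.4.46 .. 1.4.63
#   2. a 32-bit build (64-bit builds are not known to be affected)
#   3. mod_extforward configured to accept the "Forwarded" header
# The remaining condition, a build with -fstack-protector-strong, cannot be
# read back from the ELF reliably, so it is reported as unknown and left to
# the package's build flags (on Gentoo: CFLAGS in emerge --info).

# Returns 0 when VERSION (e.g. "1.4.63" or "1.4.63-r1") is within
# 1.4.46 .. 1.4.63 inclusive.
version_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as -r1 or _rc1
    [ -n "$patch" ] || return 1
    [ "$major" = 1 ] && [ "$minor" = 4 ] &&
        [ "$patch" -ge 46 ] && [ "$patch" -le 63 ]
}

# Prints the ELF class of BINARY: "32", "64", or "unknown" (not an ELF file).
elf_class() {
    # Bytes 0-3 are the magic 7f 45 4c 46; byte 4 is EI_CLASS (01 = 32-bit,
    # 02 = 64-bit).
    case $(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n') in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo unknown ;;
    esac
}

# Returns 0 when CONF sets extforward.headers to a list containing
# "Forwarded". lighttpd's default list (X-Forwarded-For, Forwarded-For) does
# not include it, so a config without the directive counts as not enabled.
config_permits_forwarded() {
    awk '
        { sub(/#.*/, "") }                     # strip comments
        /extforward\.headers/ { inhdr = 1 }    # directive starts
        inhdr { buf = buf $0 }                 # collect, also across lines
        inhdr && /\)/ { inhdr = 0 }            # closing paren ends the list
        END { if (tolower(buf) ~ /"forwarded"/) exit 0; exit 1 }
    ' "$1"
}

# Runs all checks, prints one line per condition and returns 0 only when every
# condition that can be decided here is met.
triage() {
    ver=$1 bin=$2 conf=$3
    ok=0
    if version_affected "$ver"; then
        echo "version $ver: in affected range 1.4.46..1.4.63"
    else
        echo "version $ver: outside affected range"; ok=1
    fi
    case $(elf_class "$bin") in
        32) echo "binary: 32-bit build (affected)" ;;
        64) echo "binary: 64-bit build (not known to be affected)"; ok=1 ;;
        *)  echo "binary: not an ELF file"; ok=1 ;;
    esac
    if config_permits_forwarded "$conf"; then
        echo "config: mod_extforward accepts the Forwarded header"
    else
        echo "config: Forwarded header not enabled (default headers only)"; ok=1
    fi
    echo "stack protector: unknown, check the build for -fstack-protector-strong"
    return $ok
}

# Writes constructed sample inputs into DIR: a 5-byte 32-bit ELF header stub
# standing in for the lighttpd binary, and a config that trusts one proxy and
# enables the Forwarded header (the combination the bug report describes).
sample_setup() {
    printf '\177ELF\001' > "$1/lighttpd"
    cat > "$1/lighttpd.conf" <<'EOF'
# constructed sample, not a real deployment
server.modules += ( "mod_extforward" )
extforward.forwarder = ( "10.0.0.232" => "trust" )
extforward.headers = (
    "Forwarded"
)
EOF
}

# Stand-alone demo on the constructed inputs.
demo_dir=$(mktemp -d)
sample_setup "$demo_dir"
triage 1.4.63 "$demo_dir/lighttpd" "$demo_dir/lighttpd.conf"
rm -rf "$demo_dir"
```

On a real host, point `triage` at the installed version (`lighttpd -v`), the binary path and the active config; a result of "not enabled" for the config check is expected on most deployments, since the default header list does not include "Forwarded" and the upstream assessment calls the vulnerable configuration rare.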
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 22:28:33 UTC
Please cleanup