Bug 869890 (CVE-2022-37797, CVE-2022-41556)

Summary:	<www-servers/lighttpd-1.4.67: DoS via uninitialized function pointer
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	maintainer-needed
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://redmine.lighttpd.net/issues/3165
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	855146, 873064
Bug Blocks:

Description John Helmert III archtester

2022-09-12 18:25:37 UTC

CVE-2022-37797:

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.

Looks to be fixed in 1.4.66.

Comment 1 Larry the Git Cow gentoo-dev

2022-09-19 02:25:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34695b742edb316871d6148030da940b45182ebf

commit 34695b742edb316871d6148030da940b45182ebf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-19 02:24:20 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-19 02:25:00 +0000

    www-servers/lighttpd: add 1.4.67
    
    Bug: https://bugs.gentoo.org/869890
    Closes: https://bugs.gentoo.org/855146
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/lighttpd/Manifest               |   1 +
 www-servers/lighttpd/lighttpd-1.4.67.ebuild | 237 ++++++++++++++++++++++++++++
 2 files changed, 238 insertions(+)

Comment 2 Sam James archtester

2022-09-19 02:26:11 UTC

Note that in the bump, I also ported to Meson, so I wouldn't stable too quickly.

Comment 3 John Helmert III archtester

2022-10-07 00:28:38 UTC

CVE-2022-41556 (https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50):

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.

Comment 4 Larry the Git Cow gentoo-dev

2022-10-21 18:03:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=415f7077d34890d4693b4b8c1aaf024961b29620

commit 415f7077d34890d4693b4b8c1aaf024961b29620
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-21 17:58:30 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-21 17:58:30 +0000

    www-servers/lighttpd: drop 1.4.64-r1
    
    Bug: https://bugs.gentoo.org/869890
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-servers/lighttpd/Manifest                  |   1 -
 www-servers/lighttpd/lighttpd-1.4.64-r1.ebuild | 237 -------------------------
 2 files changed, 238 deletions(-)

Comment 5 John Helmert III archtester

2022-10-21 18:06:31 UTC

GLSA request filed

Comment 6 Larry the Git Cow gentoo-dev

2022-10-31 01:42:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57d24f954d7b5db2ffb4dcde78429e76722d5387

commit 57d24f954d7b5db2ffb4dcde78429e76722d5387
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-12 ] Lighttpd: Denial of Service
    
    Bug: https://bugs.gentoo.org/869890
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-12.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

Comment 7 John Helmert III archtester

2022-10-31 01:51:15 UTC

GLSA released, all done!