c&p from secunia Description: A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a calculation error when allocating the global file descriptor array and can be exploited to crash an affected server. The vulnerability is reported in version 1.4.18. Other versions may also be affected. Solution: A temporary patch is available. http://trac.lighttpd.net/trac/attachment/ticket/1562/Fix-372-and-1562.patch Restrict network access to the service. Provided and/or discovered by: fdeletang Original Advisory: http://trac.lighttpd.net/trac/ticket/1562
Thanks for the report. maintainers, please bump as necessary.
looking at the patch/bugreport one gets the feelling that this is solaris only? a/src/fdevent_solaris_devpoll.c secunia does not mention which arches are affected... security, please investigate.
As far as I understand, the vulnerability is not Solaris specific. It was introduced by a workaround for a Solaris specific bug, but affects Linux as well.
Ok... I'm able to reprodce the problem on Linux (x86_64) and don't see a reason why it should be Solaris-specific (so I guess other archs are affected as well). # on a root console $ cat > lighttpd.conf server.port = 8080 server.bind = "127.0.0.1" server.document-root = "/tmp" $ ulimit -n 20 $ lighttpd -Df lighttpd.conf # on another console (does not have to be root) $ ab -c 20 -n20 http://localhost:8080/ # app-admin/apache-tools This makes it segfault for me. The mentioned patch solves it. So, summary: * All archs are affected * The bug can only be triggered if lighty is spawned as root (indepedent of whether it drops privileges later or not) * Apparently (just from testing...) it only works if lighty is spawned in the foreground (-D command line option), which is neither upstream default nor our default. I'm not exactly sure here though. If this is the case, our default setup would not be vulnerable. * The patch works. I asked Markus Rueckert (upstream 1.4 maintainer). He is aware of the issue and will do some research on the issue itself and the correctness of the patch. I'll keep this bug updated.
Bumped (before I saw that bangert's comments were from today *ahem*, oh well) - bangert, I guess that if all looks ok to you, we can get this stable?
bangert?
sorry! it looks fine - thanks welp! are exotic archs also asked to mark stable? archs: please mark www-servers/lighttpd-1.4.18-r1 stable Target keywords: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd
x86 stable
Stable for HPPA.
Adding release to CC.
ppc64 stable
#### AMD64 TEST REPORT ##### * overall emerge: PASS * multilib-strict: PASS * collision-protect: PASS * test phase: PASS * manual testing: PASS USE="bzip2 fastcgi ipv6 pcre ssl test -doc -fam -gdbm -ldap -lua -memcache -minimal -mysql -php -rrdtool -webdav -xattr" --- Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64) ================================================================= System uname: 2.6.23-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-50 Timestamp of tree: Tue, 26 Feb 2008 12:00:01 +0000 app-shells/bash: 3.2_p17-r1 dev-java/java-config: 1.3.7, 2.1.4 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=athlon64 -msse3 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="buildpkg collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/" LANG="en_US.UTF-8" LC_ALL="en_US.UTF-8" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acpi alsa amd64 arts bash-completion bitmap-fonts bzip2 cdda cdparanoia cdr cgi cli cracklib crypt cups curl cvs dbus divx dri dts dvd dvdnav dvdr dvdread encode exif fastcgi ffmpeg firefox fortran ftp fuse gcj gif glitz glut gmail gnutls gstreamer gtk gtk2 hal hbci history httpd iconv icq imagemagick imap ipv6 isdnlog jabber jack java jpeg jpeg2k kde kdm keyring midi mmx mod mozdevelop mp3 mpd mpeg mplayer mudflap ncurses network nntp nptl nptlonly nsplugin nvidia offensive ogg opengl openmp openvpn oscar pam pcmcia pcre pdf png pop pppd python qt3 qt3support qt4 quicktime quotes readline reflection rtsp sdl sdl-image shout skins smp soup spl sql sqlite sqlite3 sse sse2 ssl statistics stream subversion svg symlink taglib tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax vorbis widescreen wifi wxwindows x264 xcomposite xinerama xml xorg xv xvid zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
alpha/ia64/sparc stable
ppc stable
amd64 done, thanks Torsten
Fixed in release snapshot.
This is ready for GLSA vote. I vote YES.
i dont know if my vote counts, but as other distros (rPath) have released an annoucement, i think we should too... thanks!
YES, filed. Thilo, by policy your vote does not count, but a maintainer's word is also very valuable to security because you you know the package, configuration and surroundings usually better than we do.
sh, arm: please skip this one and go directly to lighttpd-1.4.18-r2 - see also bug #211956
GLSA 200803-10