Bug 830691 (CVE-2022-22707) - <www-servers/lighttpd-1.4.64: mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (CVE-2022-22707)
Summary: <www-servers/lighttpd-1.4.64: mod_extforward_Forwarded function of the mod_ex...
Status: RESOLVED FIXED
Alias: CVE-2022-22707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 820755 834464
Blocks:
Reported: 2022-01-06 16:51 UTC by filip ambroz
Modified: 2022-07-24 01:49 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description filip ambroz 2022-01-06 16:51:14 UTC
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes), as demonstrated by remote denial of service (daemon crash).

URL: https://redmine.lighttpd.net/issues/3134
Comment 1 Herb Miller Jr. 2022-01-18 16:51:22 UTC
There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity. With that in mind, should I hold off on the version bump to 1.4.63 (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land in 1.4.64?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-18 16:56:55 UTC
(In reply to Herb Miller Jr. from comment #1)
> There appears to be a fair bit of disagreement in upstream's bug report
> about whether or not this is a security issue, and the severity. With that
> in mind, should I hold off on the version bump to 1.4.63
> (https://bugs.gentoo.org/820755) or wait for the fix for this issue to land
> in 1.4.64?

No, let's bump anyway, but try to bump to the new one quickly if it comes out.
Comment 3 gstrauss 2022-01-20 18:47:04 UTC
> There appears to be a fair bit of disagreement in upstream's bug report about whether or not this is a security issue, and the severity.

No, there is no disagreement.  The bug reporter did not do any impact assessment.

An impact assessment was done by lighttpd developers in
https://redmine.lighttpd.net/issues/3134

The bug -- which triggers an assert and crash -- is not known to be reachable except in 32-bit builds of lighttpd which were built with -fstack-protector-strong (not with only -fstack-protector), and when mod_extforward is configured to permit the "Forwarded" header, which itself (the "Forwarded" header) is not well supported in current reverse proxies or CDNs.  These vulnerable configs are expected to be vanishingly rare, especially since any large system behind load balancers and reverse proxies is likely using 64-bit lighttpd, anyway, and 64-bit lighttpd is not known to be adversely affected by the bug.
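A small triage script that encodes the reachability conditions listed in the comment above (affected versions 1.4.46 through 1.4.63, a 32-bit build, -fstack-protector-strong, and mod_extforward configured to accept the "Forwarded" header), added here as an example and not code from the Gentoo bug or from the lighttpd project. It assumes the lighttpd.conf syntax `extforward.headers = ( ... )`; the two build properties cannot be read from a config file, so they are passed in as flags, and the sample configurations are constructed for the example.

```python
"""Configuration triage for CVE-2022-22707 (lighttpd mod_extforward).

Added example, not part of the Gentoo bug or lighttpd's own code. The
version range and the four reachability conditions come from the lighttpd
developers' assessment quoted in the bug; the config syntax assumed is
`extforward.headers = ( "..." )`.
"""
import re

AFFECTED_MIN = (1, 4, 46)
AFFECTED_MAX = (1, 4, 63)


def parse_version(s):
    """Turn "1.4.63" into (1, 4, 63); raise ValueError on anything else."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised lighttpd version: {s!r}")
    return tuple(int(p) for p in parts)


def version_affected(version):
    """True for 1.4.46 <= version <= 1.4.63 (fixed in 1.4.64)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Matches `extforward.headers = ( ... )` and `extforward.headers += ( ... )`,
# possibly spanning several lines.
_HEADERS_RE = re.compile(r'extforward\.headers\s*\+?=\s*\(([^)]*)\)', re.S)


def forwarded_header_enabled(conf_text):
    """True if a live (non-comment) extforward.headers directive lists
    the RFC 7239 "Forwarded" header; header names compare case-insensitively."""
    live = "\n".join(
        line for line in conf_text.splitlines()
        if not line.lstrip().startswith("#")
    )
    for m in _HEADERS_RE.finditer(live):
        names = re.findall(r'"([^"]*)"', m.group(1))
        if any(n.lower() == "forwarded" for n in names):
            return True
    return False


def triage(version, conf_text, is_32bit, stack_protector_strong):
    """Return (reachable, reasons): reachable is True only when every
    condition from the upstream assessment holds; reasons lists each
    condition that does not."""
    reasons = []
    if not version_affected(version):
        reasons.append(f"version {version} is outside 1.4.46-1.4.63")
    if not forwarded_header_enabled(conf_text):
        reasons.append("mod_extforward does not accept the Forwarded header")
    if not is_32bit:
        reasons.append("64-bit build: crash not known to be reachable")
    if not stack_protector_strong:
        reasons.append("not built with -fstack-protector-strong")
    return (not reasons, reasons)


# Constructed sample configurations (hypothetical trusted proxy address).
VULN_CONF = '''
server.modules += ( "mod_extforward" )
extforward.forwarder = ( "10.0.0.1" => "trust" )
# accept RFC 7239 Forwarded from the trusted proxy
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
'''

SAFE_CONF = '''
server.modules += ( "mod_extforward" )
extforward.forwarder = ( "10.0.0.1" => "trust" )
# extforward.headers = ( "Forwarded" )
extforward.headers = ( "X-Forwarded-For" )
'''

if __name__ == "__main__":
    for label, conf in (("vulnerable-config", VULN_CONF), ("safe-config", SAFE_CONF)):
        reachable, why = triage("1.4.63", conf, is_32bit=True, stack_protector_strong=True)
        print(label, "reachable" if reachable else "not reachable", why)
```

The remediation the bug records is the upgrade to 1.4.64; the script only tells an operator whether the crash is reachable on a given host before that upgrade lands, and the commented-out directive in the second config shows why comment lines must be stripped before matching.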
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-12 22:28:33 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-07-24 01:48:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f561442e589e60f79873b3f4db5e9935970ac46

commit 2f561442e589e60f79873b3f4db5e9935970ac46
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-24 01:48:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-24 01:48:52 +0000

    www-servers/lighttpd: drop 1.4.55-r102, 1.4.58-r2, 1.4.59-r2
    
    Bug: https://bugs.gentoo.org/851234
    Bug: https://bugs.gentoo.org/830691
    Bug: https://bugs.gentoo.org/803821
    Signed-off-by: Sam James <sam@gentoo.org>

 www-servers/lighttpd/Manifest                      |   3 -
 www-servers/lighttpd/files/conf/lighttpd.conf      | 279 ---------------------
 .../files/lighttpd-1.4.59-nspr-header.patch        |  16 --
 www-servers/lighttpd/files/lighttpd.initd          |  79 ------
 www-servers/lighttpd/lighttpd-1.4.55-r102.ebuild   | 247 ------------------
 www-servers/lighttpd/lighttpd-1.4.58-r2.ebuild     | 268 --------------------
 www-servers/lighttpd/lighttpd-1.4.59-r2.ebuild     | 242 ------------------
 www-servers/lighttpd/metadata.xml                  |   2 -
 8 files changed, 1136 deletions(-)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-24 01:49:47 UTC
noglsa, as disputed upstream, and minimal impact.