Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 211230 (CVE-2008-0983) - www-servers/lighttpd < 1.4.18-r1 File Descriptor Array Denial of Service Vulnerability (CVE-2008-0983)
Summary: www-servers/lighttpd < 1.4.18-r1 File Descriptor Array Denial of Service Vuln...
Status: RESOLVED FIXED
Alias: CVE-2008-0983
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29066/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-24 03:44 UTC by Allen Parker
Modified: 2008-03-05 21:43 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Allen Parker 2008-02-24 03:44:43 UTC
c&p from secunia
Description:
A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a calculation error when allocating the global file descriptor array and can be exploited to crash an affected server.

The vulnerability is reported in version 1.4.18. Other versions may also be affected.

Solution:
A temporary patch is available.
http://trac.lighttpd.net/trac/attachment/ticket/1562/Fix-372-and-1562.patch

Restrict network access to the service.

Provided and/or discovered by:
fdeletang

Original Advisory:
http://trac.lighttpd.net/trac/ticket/1562
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-24 09:04:15 UTC
Thanks for the report. maintainers, please bump as necessary.
Comment 2 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-02-24 12:35:26 UTC
looking at the patch/bugreport one gets the feelling that this is solaris only?
a/src/fdevent_solaris_devpoll.c

secunia does not mention which arches are affected...
security, please investigate.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-02-24 12:54:06 UTC
As far as I understand, the vulnerability is not Solaris specific.
It was introduced by a workaround for a Solaris specific bug, but affects Linux as well.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-02-24 16:03:24 UTC
Ok... I'm able to reprodce the problem on Linux (x86_64) and don't see a reason why it should be Solaris-specific (so I guess other archs are affected as well).

# on a root console
$ cat > lighttpd.conf
server.port = 8080
server.bind = "127.0.0.1"
server.document-root = "/tmp"

$ ulimit -n 20
$ lighttpd -Df lighttpd.conf

# on another console (does not have to be root)
$ ab -c 20 -n20 http://localhost:8080/ # app-admin/apache-tools


This makes it segfault for me. The mentioned patch solves it.
So, summary:
  * All archs are affected
  * The bug can only be triggered if lighty is spawned as root (indepedent
    of whether it drops privileges later or not)
  * Apparently (just from testing...) it only works if lighty is spawned in
    the foreground (-D command line option), which is neither upstream default
    nor our default. I'm not exactly sure here though. If this is the case, our
    default setup would not be vulnerable.
  * The patch works.

I asked Markus Rueckert (upstream 1.4 maintainer). He is aware of the issue and will do some research on the issue itself and the correctness of the patch. I'll keep this bug updated.
Comment 5 Peter Weller (RETIRED) gentoo-dev 2008-02-24 16:36:46 UTC
Bumped (before I saw that bangert's comments were from today *ahem*, oh well) - bangert, I guess that if all looks ok to you, we can get this stable?
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-25 20:19:44 UTC
bangert?
Comment 7 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-02-25 22:18:03 UTC
sorry! it looks fine - thanks welp!
are exotic archs also asked to mark stable?

archs: please mark www-servers/lighttpd-1.4.18-r1 stable
Target keywords: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc ~sparc-fbsd x86 ~x86-fbsd
Comment 8 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-26 00:59:04 UTC
x86 stable
Comment 9 Jeroen Roovers gentoo-dev 2008-02-26 04:42:04 UTC
Stable for HPPA.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-26 10:04:01 UTC
Adding release to CC.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-02-26 11:22:47 UTC
ppc64 stable
Comment 12 Torsten Rehn 2008-02-26 12:42:24 UTC
#### AMD64 TEST REPORT #####

* overall emerge:       PASS
* multilib-strict:      PASS
* collision-protect:    PASS
* test phase:           PASS
* manual testing:       PASS

USE="bzip2 fastcgi ipv6 pcre ssl test -doc -fam -gdbm -ldap -lua -memcache -minimal -mysql -php -rrdtool -webdav -xattr"

---

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-50
Timestamp of tree: Tue, 26 Feb 2008 12:00:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.4
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 arts bash-completion bitmap-fonts bzip2 cdda cdparanoia cdr cgi cli cracklib crypt cups curl cvs dbus divx dri dts dvd dvdnav dvdr dvdread encode exif fastcgi ffmpeg firefox fortran ftp fuse gcj gif glitz glut gmail gnutls gstreamer gtk gtk2 hal hbci history httpd iconv icq imagemagick imap ipv6 isdnlog jabber jack java jpeg jpeg2k kde kdm keyring midi mmx mod mozdevelop mp3 mpd mpeg mplayer mudflap ncurses network nntp nptl nptlonly nsplugin nvidia offensive ogg opengl openmp openvpn oscar pam pcmcia pcre pdf png pop pppd python qt3 qt3support qt4 quicktime quotes readline reflection rtsp sdl sdl-image shout skins smp soup spl sql sqlite sqlite3 sse sse2 ssl statistics stream subversion svg symlink taglib tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax vorbis widescreen wifi wxwindows x264 xcomposite xinerama xml xorg xv xvid zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-02-26 15:31:04 UTC
alpha/ia64/sparc stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-26 17:21:55 UTC
ppc stable
Comment 15 Peter Weller (RETIRED) gentoo-dev 2008-02-26 21:29:36 UTC
amd64 done, thanks Torsten
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-02-27 07:01:06 UTC
Fixed in release snapshot.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-27 08:18:43 UTC
This is ready for GLSA vote. I vote YES.
Comment 18 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-03-01 16:34:27 UTC
i dont know if my vote counts, but as other distros (rPath) have released an annoucement, i think we should too... thanks!
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-03-02 13:12:17 UTC
YES, filed.

Thilo, by policy your vote does not count, but a maintainer's word is also very valuable to security because you you know the package, configuration and surroundings usually better than we do. 
Comment 20 Thilo Bangert (RETIRED) (RETIRED) gentoo-dev 2008-03-02 22:02:41 UTC
sh, arm: please skip this one and go directly to lighttpd-1.4.18-r2 - see also bug #211956
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-05 21:43:17 UTC
GLSA 200803-10