Bug 719462 (CVE-2019-11072) - <www-servers/lighttpd-1.4.54: Denial of service vulnerability (CVE-2019-11072)
Status: RESOLVED FIXED
Alias: CVE-2019-11072
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://redmine.lighttpd.net/issues/2945
Whiteboard: C3 [noglsa cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
Reported: 2020-04-26 00:24 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-18 21:35 UTC

See Also:
Package list:
=www-servers/lighttpd-1.4.55
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-26 00:24:55 UTC
CVE-2019-11072 (https://nvd.nist.gov/vuln/detail/CVE-2019-11072):
  ** DISPUTED ** lighttpd before 1.4.54 has a signed integer overflow, which
  might allow remote attackers to cause a denial of service (application
  crash) or possibly have unspecified other impact via a malicious HTTP GET
  request, as demonstrated by mishandling of /%2F? in
  burl_normalize_2F_to_slash_fix in burl.c. NOTE: The developer states "The
  feature which can be abused to cause the crash is a new feature in lighttpd
  1.4.50, and is not enabled by default. It must be explicitly configured in
  the config file (e.g. lighttpd.conf). Certain input will trigger an abort()
  in lighttpd when that feature is enabled. lighttpd detects the underflow or
  realloc() will fail (in both 32-bit and 64-bit executables), also detected
  in lighttpd. Either triggers an explicit abort() by lighttpd. This is not
  exploitable beyond triggering the explicit abort() with subsequent
  application exit."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 00:26:13 UTC
Note that the dispute is about the severity of the bug. It still seems valid.

It can still cause a denial of service - and only with a non-default config option, but nothing more serious.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-04 09:44:21 UTC
@maintainer(s): ping
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 16:57:02 UTC
I'll go ahead in a few days if no objections?

Doing 1.4.55 because it fixes a small OOB read.
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-06 17:30:22 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-06 17:33:06 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-06 17:37:38 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-06 18:09:58 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-07 08:46:12 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-07 08:49:28 UTC
x86 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-06-18 21:33:08 UTC
s390 stable