Debian: lighttpd: fix CVE-2022-37797

Backport the source patch from the upstream https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch Refer to: https://security-tracker.debian.org/tracker/DLA-3133-1 Test Plan: Pass: build-pkgs -c -p lighttpd Pass: build-pkgs -a Pass: build-image Pass: Debian AIO jenkins installation Pass: Successfully host-unlock Pass: Execute the steps from https://redmine.lighttpd.net/issues/3165 without the Segmentation fault. Closes-Bug: 1997327 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Change-Id: Idbcd0937524278f304eb09956e2def71951c4ff4
2022-11-22 23:14:53 -08:00 · 2022-11-22 23:14:53 -08:00 · cf4c478e66
commit cf4c478e66
parent 282f106a32
2 changed files with 54 additions and 0 deletions
--- a/base/lighttpd/debian/patches/CVE-2022-37797.patch
+++ b/base/lighttpd/debian/patches/CVE-2022-37797.patch
@ -0,0 +1,53 @@
+From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 22 Nov 2022 18:58:24 -0800
+Subject: [PATCH] CVE-2022-37797
+
+    [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+    (thx Michał Dardas)
+
+    x-ref:
+      "mod_wstunnel null pointer dereference"
+      https://redmine.lighttpd.net/issues/3165
+
+In order to trigger the reproducer on lighttpd 1.4.53, parsing of the
+Sec-Websocket-Version needs to be fixed as has been done in later versions.
+Due to internal refactoring, the actual NULL pointer dereference has moved
+elsewhere, but still crashes. -- Helmut Grohne
+
+The upstream patch is not a git header format which I have created here.
+[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ src/mod_wstunnel.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index ed5174a..99e3739 100644
+--- a/src/mod_wstunnel.c
+++ b/src/mod_wstunnel.c
+@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) {
+ static int wstunnel_check_request(connection *con, handler_ctx *hctx) {
+     const buffer * const vers =
+       http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
+-    const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0;
+    const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? strtol(vers->ptr, NULL, 10) : -1) : 0;
+     if (hybivers < 0 || hybivers > INT_MAX) {
+         DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version");
+         con->http_status = 400; /* Bad Request */
+@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
+     hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
+     hctx->conf = p->conf; /*(copies struct)*/
+     hybivers = wstunnel_check_request(con, hctx);
+-    if (hybivers < 0) return HANDLER_FINISHED;
+    if (hybivers < 0) {
+        con->mode = DIRECT;
+        return HANDLER_FINISHED;
+    }
+     hctx->hybivers = hybivers;
+     if (0 == hybivers) {
+         DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
+-- 
+2.34.1
+
--- a/base/lighttpd/debian/patches/series
+++ b/base/lighttpd/debian/patches/series
@ -1 +1,2 @@
 check-content-length.patch
+CVE-2022-37797.patch