From cf4c478e66f90a74cfae913a0c80c3a8af3d1b31 Mon Sep 17 00:00:00 2001
From: Zhixiong Chi
Date: Tue, 22 Nov 2022 23:14:53 -0800
Subject: [PATCH] Debian: lighttpd: fix CVE-2022-37797
Backport the source patch from the upstream
https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch
Refer to: https://security-tracker.debian.org/tracker/DLA-3133-1
Test Plan:
Pass: build-pkgs -c -p lighttpd
Pass: build-pkgs -a
Pass: build-image
Pass: Debian AIO jenkins installation
Pass: Successfully host-unlock
Pass: Execute the steps from https://redmine.lighttpd.net/issues/3165 without the Segmentation fault.
Closes-Bug: 1997327
Signed-off-by: Zhixiong Chi
Change-Id: Idbcd0937524278f304eb09956e2def71951c4ff4
---
 .../debian/patches/CVE-2022-37797.patch | 53 +++++++++++++++++++
 base/lighttpd/debian/patches/series | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 base/lighttpd/debian/patches/CVE-2022-37797.patch
diff --git a/base/lighttpd/debian/patches/CVE-2022-37797.patch b/base/lighttpd/debian/patches/CVE-2022-37797.patch
new file mode 100644
index 000000000..43200dbfe
--- /dev/null
+++ b/base/lighttpd/debian/patches/CVE-2022-37797.patch
@@ -0,0 +1,53 @@
+From 95ae6094a9eb0cdbfb3f678f4c8e3a2db11aacd2 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss
+Date: Tue, 22 Nov 2022 18:58:24 -0800
+Subject: [PATCH] CVE-2022-37797
+
+ [mod_wstunnel] fix crash with bad hybivers (fixes #3165)
+
+ (thx MichaƂ Dardas)
+
+ x-ref:
+ "mod_wstunnel null pointer dereference"
+ https://redmine.lighttpd.net/issues/3165
+
+In order to trigger the reproducer on lighttpd 1.4.53, parsing of the
+Sec-Websocket-Version needs to be fixed as has been done in later versions.
+Due to internal refactoring, the actual NULL pointer dereference has moved
+elsewhere, but still crashes. -- Helmut Grohne
+
+The upstream patch is not a git header format which I have created here.
+[Backport from https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch]
+Signed-off-by: Zhixiong Chi
+---
+ src/mod_wstunnel.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index ed5174a..99e3739 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -466,7 +466,7 @@ static int wstunnel_is_allowed_origin(connection *con, handler_ctx *hctx) {
+ static int wstunnel_check_request(connection *con, handler_ctx *hctx) {
+ const buffer * const vers =
+ http_header_request_get(con, HTTP_HEADER_OTHER, CONST_STR_LEN("Sec-WebSocket-Version"));
+- const long hybivers = (NULL != vers) ? strtol(vers->ptr, NULL, 10) : 0;
++ const long hybivers = (NULL != vers) ? (light_isdigit(*vers->ptr) ? 
strtol(vers->ptr, NULL, 10) : -1) : 0;
+ if (hybivers < 0 || hybivers > INT_MAX) {
+ DEBUG_LOG(MOD_WEBSOCKET_LOG_ERR, "s", "invalid Sec-WebSocket-Version");
+ con->http_status = 400; /* Bad Request */
+@@ -506,7 +506,10 @@ static handler_t wstunnel_handler_setup (server *srv, connection *con, plugin_da
+ hctx->srv = srv; /*(for mod_wstunnel module-specific DEBUG_LOG() macro)*/
+ hctx->conf = p->conf; /*(copies struct)*/
+ hybivers = wstunnel_check_request(con, hctx);
+- if (hybivers < 0) return HANDLER_FINISHED;
++ if (hybivers < 0) {
++ con->mode = DIRECT;
++ return HANDLER_FINISHED;
++ }
+ hctx->hybivers = hybivers;
+ if (0 == hybivers) {
+ DEBUG_LOG(MOD_WEBSOCKET_LOG_INFO,"s","WebSocket Version = hybi-00");
+--
+2.34.1
+
diff --git a/base/lighttpd/debian/patches/series b/base/lighttpd/debian/patches/series
index 0781feede..27197e0f6 100644
--- a/base/lighttpd/debian/patches/series
+++ b/base/lighttpd/debian/patches/series
@@ -1 +1,2 @@
 check-content-length.patch
+CVE-2022-37797.patch
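Review bot: The new `hybivers` line in the first mod_wstunnel.c hunk still calls `strtol(vers->ptr, NULL, 10)` with a discarded end pointer and no `errno` check, so the added `light_isdigit(*vers->ptr)` test only rejects a non-digit first byte: a header value like `13abc` or `13 ` is accepted as version 13, and on an ILP32 build an overflowing value saturates to `LONG_MAX`, which equals `INT_MAX` and therefore passes the `hybivers > INT_MAX` guard unchanged. A strict parse would be `char *end; long v = strtol(vers->ptr, &end, 10); if (*end != '\0' || v > INT_MAX) v = -1;`, but because this file is meant to be a verbatim backport of the Debian/upstream fix, any such tightening should go in a separate, clearly labelled local patch rather than be folded into CVE-2022-37797.patch. The dereference `*vers->ptr` also assumes `http_header_request_get()` never returns a buffer whose `ptr` is NULL for an empty header value; presumably it returns NULL in that case on 1.4.53, but that is worth confirming since the original `strtol()` call had the same dependency and the crash would otherwise only move. Both `wstunnel_check_request` and `wstunnel_handler_setup` continue outside the hunks, so what the remainder does with an out-of-range but accepted version cannot be judged from here.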