Your message dated Thu, 18 Apr 2019 06:17:00 +0000
with message-id <a2a2b026-4337-39fb-2691-1bbb359ff...@thykier.net>
and subject line Re: Bug#927294: unblock: lighttpd/1.4.53-4
has caused the Debian Bug report #927294,
regarding unblock: lighttpd/1.4.53-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927294
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package lighttpd

The upload fixes a security issue (crash) in a non-default
configuration. #926885 aka CVE-2019-11072. In addition, this update
fixes a number of other crashes which total to 5 patches some of which
include new test cases. We hope that these patches are acceptable for
buster. Please let us know if we need to reduce them. You'll find the
full .debdiff attached for review.

unblock lighttpd/1.4.53-4

Helmut
diff --minimal -Nru lighttpd-1.4.53/debian/changelog 
lighttpd-1.4.53/debian/changelog
--- lighttpd-1.4.53/debian/changelog    2019-02-23 08:51:11.000000000 +0100
+++ lighttpd-1.4.53/debian/changelog    2019-04-13 06:00:00.000000000 +0200
@@ -1,3 +1,15 @@
+lighttpd (1.4.53-4) unstable; urgency=high
+
+  * QA upload.
+  * fix mixed use of srv->split_vals array (regression)
+  * mod_magnet:fix invalid script return-type crash
+  * fix assertion with server.error-handler
+  * mod_wstunnel:fix wstunnel.ping-interval for big-endian architectures
+  * fix abort in server.http-parseopts with url-path-2f-decode enabled
+    CVE-2019-11072 (closes: #926885)
+
+ -- Glenn Strauss <gstra...@gluelogic.com>  Sat, 13 Apr 2019 00:00:00 -0400
+
 lighttpd (1.4.53-3) unstable; urgency=medium
 
   * QA upload.
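Review bot: the 1.4.53-4 entry lists five fixes, but debian/patches/series in this debdiff adds six patches; core-remove-repeated-slashes-in-http-parseopts.patch has no changelog line, and its commit date (Mon, 15 Apr 2019) is later than the date in the entry's trailer (Sat, 13 Apr 2019). Suggest adding a bullet such as "remove repeated slashes in server.http-parseopts with url-path-dotseg-remove", and mentioning the debian/lighttpd.conf comment change, so the entry covers everything the upload changes.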
diff --minimal -Nru lighttpd-1.4.53/debian/lighttpd.conf 
lighttpd-1.4.53/debian/lighttpd.conf
--- lighttpd-1.4.53/debian/lighttpd.conf        2019-01-28 12:33:22.000000000 
+0100
+++ lighttpd-1.4.53/debian/lighttpd.conf        2019-04-13 06:00:00.000000000 
+0200
@@ -26,7 +26,7 @@
   "url-ctrls-reject"        => "enable",# recommended
   "url-path-2f-decode"      => "enable",# recommended highly (unless breaks 
app)
  #"url-path-2f-reject"      => "enable",
-  "url-path-dotseg-remove"  => "enable",# recommended
+  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks 
app)
  #"url-path-dotseg-reject"  => "enable",
  #"url-query-20-plus"       => "enable",# consistency in query string
 )
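Review bot: the reworded comment on "url-path-dotseg-remove" now warns "unless breaks app" without saying what could break. Per the commit message of core-remove-repeated-slashes-in-http-parseopts.patch in this same debdiff, the option now also removes repeated slashes, including a leading "//". Suggest naming that in the comment so an administrator reading lighttpd.conf knows which URLs are affected.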
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/core-fix-abort-in-http-parseopts-fixes-2945.patch
 
lighttpd-1.4.53/debian/patches/core-fix-abort-in-http-parseopts-fixes-2945.patch
--- 
lighttpd-1.4.53/debian/patches/core-fix-abort-in-http-parseopts-fixes-2945.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/core-fix-abort-in-http-parseopts-fixes-2945.patch
    2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,44 @@
+commit 32120d5b8b3203fc21ccb9eafb0eaf824bb59354
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Wed, 10 Apr 2019 11:28:10 -0400
+
+[core] fix abort in http-parseopts (fixes #2945)
+
+fix abort in server.http-parseopts with url-path-2f-decode enabled
+
+(thx stze)
+
+x-ref:
+  "Security - SIGABRT during GET request handling with url-path-2f-decode 
enabled"
+  https://redmine.lighttpd.net/issues/2945
+
+diff --git a/src/burl.c b/src/burl.c
+index 51182628..c4b928fd 100644
+--- a/src/burl.c
++++ b/src/burl.c
+@@ -252,8 +252,10 @@ static int burl_normalize_2F_to_slash_fix (buffer *b, int 
qs, int i)
+         }
+     }
+     if (qs >= 0) {
+-        memmove(s+j, s+qs, blen - qs);
+-        j += blen - qs;
++        const int qslen = blen - qs;
++        memmove(s+j, s+qs, (size_t)qslen);
++        qs = j;
++        j += qslen;
+     }
+     buffer_string_set_length(b, j);
+     return qs;
+diff --git a/src/t/test_burl.c b/src/t/test_burl.c
+index 7be9be50..f7a16815 100644
+--- a/src/t/test_burl.c
++++ b/src/t/test_burl.c
+@@ -97,6 +97,8 @@ static void test_burl_normalize (void) {
+     flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_DECODE;
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), 
CONST_STR_LEN("/?"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), 
CONST_STR_LEN("//?"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a%2fb?c=/"), CONST_STR_LEN("/a/b?c=/"));
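Review bot: in the src/burl.c hunk the root cause is left implicit. Before the change, burl_normalize_2F_to_slash_fix() moved the query string down to s+j and shortened the buffer to j, yet still returned the old qs offset; the commit message says only "fix abort". Suggest one sentence in the message stating that the returned query-string offset was stale after the path shrank, since that is what someone backporting the fix has to verify. The Debian patch header also carries no reference to #926885, which the changelog closes with this patch.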
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/core-fix-assertion-with-server.error-handler-fixes-2.patch
 
lighttpd-1.4.53/debian/patches/core-fix-assertion-with-server.error-handler-fixes-2.patch
--- 
lighttpd-1.4.53/debian/patches/core-fix-assertion-with-server.error-handler-fixes-2.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/core-fix-assertion-with-server.error-handler-fixes-2.patch
   2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,25 @@
+commit 5440f04e8a9476e9a8665a93db3934a566f8beec
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Wed, 13 Mar 2019 00:46:49 -0400
+
+[core] fix assertion with server.error-handler (fixes #2941)
+
+(thx andpr)
+
+x-ref:
+  "failed assertion on incoming bad request when server.error-handler option 
is used"
+  https://redmine.lighttpd.net/issues/2941
+
+diff --git a/src/connections.c b/src/connections.c
+index 2e2be98f..a67c377a 100644
+--- a/src/connections.c
++++ b/src/connections.c
+@@ -1193,6 +1193,8 @@ static int connection_handle_request(server *srv, 
connection *con) {
+                                                               
con->error_handler_saved_status = -con->http_status; /*(negative to flag old 
behavior)*/
+                                                       }
+ 
++                                                      if 
(con->request.http_version == HTTP_VERSION_UNSET) con->request.http_version = 
HTTP_VERSION_1_0;
++
+                                                       
buffer_copy_buffer(con->request.uri, error_handler);
+                                                       
connection_handle_errdoc_init(con);
+                                                       con->http_status = 0; 
/*(after connection_handle_errdoc_init())*/
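Review bot: the added line in connection_handle_request() rewrites a request whose version is HTTP_VERSION_UNSET to HTTP_VERSION_1_0 before the error handler runs, with no comment saying why 1.0 is the right default and no test alongside it. Suggest a short comment on that line (the x-ref title ties it to a bad request reaching server.error-handler) and a regression test, as the burl patches in this upload include.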
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
 
lighttpd-1.4.53/debian/patches/core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
--- 
lighttpd-1.4.53/debian/patches/core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
   2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,36 @@
+commit 9459c0546842930265c8bc19b07609286e7e67cb
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Wed, 13 Feb 2019 19:53:04 -0500
+
+[core] fix mixed use of srv->split_vals array (fixes #2932)
+
+regression in mod_evhost in lighttpd 1.4.53
+regression in mod_flv_streaming in lighttpd 1.4.51 - lighttpd 1.4.53
+
+(thx moisseev)
+
+x-ref:
+  "[regression] %0 pattern does not match hostnames without the domain part"
+  https://redmine.lighttpd.net/issues/2932
+
+diff --git a/src/array.c b/src/array.c
+index 4331b67b..1b54ec5c 100644
+--- a/src/array.c
++++ b/src/array.c
+@@ -64,6 +64,7 @@ void array_reset(array *a) {
+ 
+       for (i = 0; i < a->used; i++) {
+               a->data[i]->fn->reset(a->data[i]);
++              a->data[i]->is_index_key = 0;
+       }
+ 
+       a->used = 0;
+@@ -76,6 +77,7 @@ void array_reset_data_strings(array *a) {
+       for (size_t i = 0; i < a->used; ++i) {
+               data_string * const ds = (data_string *)a->data[i];
+               /*force_assert(ds->type == TYPE_STRING);*/
++              ds->is_index_key = 0;
+               buffer_reset(ds->key);
+               buffer_reset(ds->value);
+       }
+
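Review bot: both src/array.c hunks clear is_index_key on reset, but the patch adds no test, although the commit message names regressions in two modules (mod_evhost and mod_flv_streaming). Suggest a unit test that fills an array, resets it and reuses it, asserting that is_index_key does not survive from the earlier use. The commit message could also say in one line what the stale flag caused, since "mixed use of srv->split_vals" does not explain it.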
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch
 
lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch
--- 
lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch
 1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/core-remove-repeated-slashes-in-http-parseopts.patch
 2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,49 @@
+commit e757978497c35b2857784f3b4452d0ebef7793f9
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Mon, 15 Apr 2019 23:36:21 -0400
+
+[core] remove repeated slashes in http-parseopts
+
+remove repeated slashes in server.http-parseopts
+with url-path-dotseg-remove, including leading "//"
+
+(prior to this patch, leading "//" was skipped)
+
+diff --git a/src/burl.c b/src/burl.c
+index c4b928fd..b62a5cd5 100644
+--- a/src/burl.c
++++ b/src/burl.c
+@@ -289,7 +289,7 @@ static int burl_normalize_path (buffer *b, buffer *t, int 
qs, int flags)
+             path_simplify = 1;
+             break;
+         }
+-        do { ++i; } while (i < len && s[i] != '/');
++        while (i < len && s[i] != '/') ++i;
+         if (s[i] == '/' && s[i+1] == '/') { /*(s[len] != '/')*/
+             path_simplify = 1;
+             break;
+diff --git a/src/t/test_burl.c b/src/t/test_burl.c
+index f7a16815..e9cc80de 100644
+--- a/src/t/test_burl.c
++++ b/src/t/test_burl.c
+@@ -98,6 +98,8 @@ static void test_burl_normalize (void) {
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a/b?c=/"), CONST_STR_LEN("/a/b?c=/"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, 
CONST_STR_LEN("/a/b?c=%2f"), CONST_STR_LEN("/a/b?c=/"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f?"), 
CONST_STR_LEN("/?"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f"), 
CONST_STR_LEN("//"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("%2f%2f?"), 
CONST_STR_LEN("//?"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/%2f?"), 
CONST_STR_LEN("//?"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2fb"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a%2Fb"), 
CONST_STR_LEN("/a/b"));
+@@ -112,6 +114,8 @@ static void test_burl_normalize (void) {
+     flags &= ~HTTP_PARSEOPT_URL_NORMALIZE_PATH_2F_REJECT;
+ 
+     flags |= HTTP_PARSEOPT_URL_NORMALIZE_PATH_DOTSEG_REMOVE;
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("//"), 
CONST_STR_LEN("/"));
++    run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a//b"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("./a/b"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("../a/b"), 
CONST_STR_LEN("/a/b"));
+     run_burl_normalize(psrc, ptmp, flags, __LINE__, CONST_STR_LEN("/a/./b"), 
CONST_STR_LEN("/a/b"));
+-- 
+2.20.1
+
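Review bot: in the burl_normalize_path() hunk, replacing "do { ++i; } while (i < len && s[i] != '/');" with a plain while removes the unconditional step, so when the scan starts on a '/' that is not followed by another '/', i stays where it is. The visible context does not show what advances it, so please confirm the enclosing loop still makes progress for inputs such as "/a/./b". Separately, per its own commit message this patch changes normalised output (a leading "//" is now collapsed) rather than fixing a crash, which is worth stating explicitly for the release team.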
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
 
lighttpd-1.4.53/debian/patches/mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
--- 
lighttpd-1.4.53/debian/patches/mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
   2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,41 @@
+commit 8064b7483ae4b2bd58a5ab56b2bf7e2663cc094c
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Wed, 6 Mar 2019 23:12:22 -0500
+
+[mod_magnet] fix invalid script return-type crash (fixes #2938)
+
+(thx flynn)
+
+x-ref:
+  "Lighttpd crashes on wrong return type in lua script"
+  https://redmine.lighttpd.net/issues/2938
+
+diff --git a/src/mod_magnet.c b/src/mod_magnet.c
+index dcb1fd8c..8f570f3a 100644
+--- a/src/mod_magnet.c
++++ b/src/mod_magnet.c
+@@ -965,7 +965,20 @@ static handler_t magnet_attract(server *srv, connection 
*con, plugin_data *p, bu
+       /* we should have the function, the lighty table and the return value 
on the stack */
+       force_assert(lua_gettop(L) == 3);
+ 
+-      lua_return_value = (int) luaL_optinteger(L, -1, -1);
++      switch (lua_type(L, -1)) {
++      case LUA_TNUMBER:
++      case LUA_TNIL:
++              lua_return_value = (int) luaL_optinteger(L, -1, -1);
++              break;
++      default:
++              log_error_write(srv, __FILE__, __LINE__, "sss",
++                              "lua_pcall():",
++                              "unexpected return type:",
++                              luaL_typename(L, -1));
++              lua_return_value = -1;
++              break;
++      }
++
+       lua_pop(L, 1); /* pop return value */
+ 
+       magnet_copy_response_header(con, L, lighty_table_ndx);
+-- 
+2.20.1
+
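Review bot: in the new switch in magnet_attract(), LUA_TNUMBER still goes straight to luaL_optinteger(), so only return types other than number and nil reach the new default branch. Please confirm that a script returning a non-integral number (for example 1.5) cannot raise a Lua error at this point, where the return value is already on the stack and the script call has finished. The new log line also reports the type name but not which script returned it; adding the script name would make the message actionable.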
diff --minimal -Nru 
lighttpd-1.4.53/debian/patches/mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
 
lighttpd-1.4.53/debian/patches/mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
--- 
lighttpd-1.4.53/debian/patches/mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
   1970-01-01 01:00:00.000000000 +0100
+++ 
lighttpd-1.4.53/debian/patches/mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
   2019-04-13 06:00:00.000000000 +0200
@@ -0,0 +1,27 @@
+commit 107fa1f2827d281468e2c12b539751a5a68acbe5
+Author: Glenn Strauss <gstra...@gluelogic.com>
+Date: Wed, 10 Apr 2019 11:26:02 -0400
+
+[mod_wstunnel] fix ping-interval for big-endian (fixes #2944)
+
+fix wstunnel.ping-interval for big-endian architectures
+
+(thx ste_p_james)
+
+x-ref:
+  "[patch] wstunnel.ping-interval ineffective"
+  https://redmine.lighttpd.net/issues/2944
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 238791a9..ba3ddc17 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -107,7 +107,7 @@ typedef struct {
+     gw_plugin_config gw;
+     buffer *frame_type;
+     array *origins;
+-    unsigned int ping_interval;
++    unsigned short int ping_interval;
+ } plugin_config;
+ 
+ typedef struct plugin_data {
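Review bot: the hunk narrows plugin_config.ping_interval from unsigned int to unsigned short int, but neither the hunk nor the commit message shows the code that stores into the field, so the reason the width matters on big-endian cannot be checked from the patch. Suggest stating in the commit message which writer expects a short, and noting that the interval is now limited to the range of unsigned short.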
diff --minimal -Nru lighttpd-1.4.53/debian/patches/series 
lighttpd-1.4.53/debian/patches/series
--- lighttpd-1.4.53/debian/patches/series       2019-01-28 12:55:50.000000000 
+0100
+++ lighttpd-1.4.53/debian/patches/series       2019-04-13 06:00:00.000000000 
+0200
@@ -0,0 +1,6 @@
+core-fix-mixed-use-of-srv-split_vals-array-fixes-293.patch
+mod_magnet-fix-invalid-script-return-type-crash-fixe.patch
+core-fix-assertion-with-server.error-handler-fixes-2.patch
+mod_wstunnel-fix-ping-interval-for-big-endian-fixes-.patch
+core-fix-abort-in-http-parseopts-fixes-2945.patch
+core-remove-repeated-slashes-in-http-parseopts.patch

--- End Message ---
--- Begin Message ---
Helmut Grohne:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please unblock package lighttpd
> 
> The upload fixes a security issue (crash) in a non-default
> configuration. #926885 aka CVE-2019-11072. In addition, this update
> fixes a number of other crashes which total to 5 patches some of which
> include new test cases. We hope that these patches are acceptable for
> buster. Please let us know if we need to reduce them. You'll find the
> full .debdiff attached for review.
> 
> unblock lighttpd/1.4.53-4
> 
> Helmut
> 

Unblocked, thanks.
~Niels

--- End Message ---
