Author: glen Date: Tue Feb 2 11:56:29 2010 GMT Module: packages Tag: HEAD ---- Log message: - up to svn -r2711, fixes CVE-2010-0295 - rel 5
---- Files affected: packages/lighttpd: lighttpd-branch.diff (1.66 -> 1.67) , lighttpd.spec (1.322 -> 1.323) ---- Diffs: ================================================================
Index: packages/lighttpd/lighttpd-branch.diff
diff -u packages/lighttpd/lighttpd-branch.diff:1.66 packages/lighttpd/lighttpd-branch.diff:1.67
--- packages/lighttpd/lighttpd-branch.diff:1.66 Sat Dec 12 15:41:24 2009
+++ packages/lighttpd/lighttpd-branch.diff Tue Feb 2 12:56:22 2010
@@ -1,9 +1,230 @@ -# Revision 2698 +# Revision 2711 +Index: src/mod_cgi.c +=================================================================== +--- src/mod_cgi.c (.../tags/lighttpd-1.4.25) ++++ src/mod_cgi.c (.../branches/lighttpd-1.4.x) +@@ -747,6 +747,8 @@ + } + + if (pipe(from_cgi_fds)) { ++ close(to_cgi_fds[0]); ++ close(to_cgi_fds[1]); + log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno)); + return -1; + } +@@ -1035,6 +1037,10 @@ + case -1: + /* error */ + log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno)); ++ close(from_cgi_fds[0]); ++ close(from_cgi_fds[1]); ++ close(to_cgi_fds[0]); ++ close(to_cgi_fds[1]); + return -1; + break; + default: { +@@ -1181,6 +1187,7 @@ + plugin_config *s = p->config_storage[0]; + + PATCH(cgi); ++ PATCH(execute_x_only); + + /* skip the first, the global context */ + for (i = 1; i < srv->config_context->used; i++) { +Index: src/base.h +=================================================================== +--- src/base.h (.../tags/lighttpd-1.4.25) ++++ src/base.h (.../branches/lighttpd-1.4.x) +@@ -431,7 +431,6 @@ + + #ifdef USE_OPENSSL + SSL *ssl; +- buffer *ssl_error_want_reuse_buffer; + # ifndef OPENSSL_NO_TLSEXT + buffer *tlsext_server_name; + # endif +Index: src/mod_rewrite.c +=================================================================== +--- src/mod_rewrite.c (.../tags/lighttpd-1.4.25) ++++ src/mod_rewrite.c (.../branches/lighttpd-1.4.x) +@@ -394,7 +394,7 @@ + buffer_reset(con->request.uri); + + start = 0; +- for (k = 0; k < pattern_len; k++) { ++ for (k = 0; k+1 < pattern_len; k++) { + if (pattern[k] == '$' || pattern[k] == '%') { + /* got one */ + Index: src/connections.c =================================================================== --- src/connections.c (.../tags/lighttpd-1.4.25) +++ src/connections.c (.../branches/lighttpd-1.4.x) -@@ -945,62 +945,50 @@ +@@ -192,40 +192,42 @@ + + static int connection_handle_read_ssl(server *srv, connection *con) { + #ifdef 
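Review bot: In the `pipe(from_cgi_fds)` failure branch of the mod_cgi.c -747 hunk, the two added `close()` calls run before `log_error_write(..., "pipe failed:", strerror(errno))`, so a failing close can overwrite the errno that the message is meant to report. Moving the closes below the log call, as the fork-failure hunk at -1035 already does, keeps the diagnostic accurate: first `log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno));`, then `close(to_cgi_fds[0]); close(to_cgi_fds[1]);`. The enclosing function starts and ends outside the hunk.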
USE_OPENSSL +- int r, ssl_err, len, count = 0; ++ int r, ssl_err, len, count = 0, read_offset, toread; + buffer *b = NULL; + + if (!con->conf.is_ssl) return -1; + +- /* don't resize the buffer if we were in SSL_ERROR_WANT_* */ +- + ERR_clear_error(); + do { +- if (!con->ssl_error_want_reuse_buffer) { +- b = buffer_init(); +- buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */ ++ if (NULL != con->read_queue->last) { ++ b = con->read_queue->last->mem; ++ } + ++ if (NULL == b || b->size - b->used < 1024) { ++ b = chunkqueue_get_append_buffer(con->read_queue); ++ len = SSL_pending(con->ssl); ++ if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */ ++ buffer_prepare_copy(b, len + 1); ++ + /* overwrite everything with 0 */ + memset(b->ptr, 0, b->size); +- } else { +- b = con->ssl_error_want_reuse_buffer; + } + +- len = SSL_read(con->ssl, b->ptr, b->size - 1); +- con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */ ++ read_offset = (b->used > 0) ? b->used - 1 : 0; ++ toread = b->size - 1 - read_offset; + ++ len = SSL_read(con->ssl, b->ptr + read_offset, toread); ++ + if (len > 0) { +- b->used = len; ++ if (b->used > 0) b->used--; ++ b->used += len; + b->ptr[b->used++] = '\0'; + +- /* we move the buffer to the chunk-queue, no need to free it */ ++ con->bytes_read += len; + +- chunkqueue_append_buffer_weak(con->read_queue, b); + count += len; +- con->bytes_read += len; +- b = NULL; + } +- } while (len > 0 && count < MAX_READ_LIMIT); ++ } while (len == toread && count < MAX_READ_LIMIT); + + + if (len < 0) { +@@ -234,11 +236,11 @@ + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + con->is_readable = 0; +- con->ssl_error_want_reuse_buffer = b; + +- b = NULL; ++ /* the manual says we have to call SSL_read with the same arguments next time. ++ * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway. 
++ */ + +- /* we have to steal the buffer from the queue-queue */ + return 0; + case SSL_ERROR_SYSCALL: + /** +@@ -297,16 +299,11 @@ + + connection_set_state(srv, con, CON_STATE_ERROR); + +- buffer_free(b); +- + return -1; + } else if (len == 0) { + con->is_readable = 0; + /* the other end close the connection -> KEEP-ALIVE */ + +- /* pipelining */ +- buffer_free(b); +- + return -2; + } + +@@ -321,26 +318,41 @@ + static int connection_handle_read(server *srv, connection *con) { + int len; + buffer *b; +- int toread; ++ int toread, read_offset; + + if (con->conf.is_ssl) { + return connection_handle_read_ssl(srv, con); + } + ++ b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL; ++ ++ /* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells ++ * us more than 4kb is available ++ * if FIONREAD doesn't signal a big chunk we fill the previous buffer ++ * if it has >= 1kb free ++ */ + #if defined(__WIN32) +- b = chunkqueue_get_append_buffer(con->read_queue); +- buffer_prepare_copy(b, 4 * 1024); +- len = recv(con->fd, b->ptr, b->size - 1, 0); +-#else +- if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) { ++ if (NULL == b || b->size - b->used < 1024) { + b = chunkqueue_get_append_buffer(con->read_queue); + buffer_prepare_copy(b, 4 * 1024); ++ } ++ ++ read_offset = (b->used == 0) ? 0 : b->used - 1; ++ len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0); ++#else ++ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) { ++ if (NULL == b || b->size - b->used < 1024) { ++ b = chunkqueue_get_append_buffer(con->read_queue); ++ buffer_prepare_copy(b, 4 * 1024); ++ } + } else { + if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT; + b = chunkqueue_get_append_buffer(con->read_queue); + buffer_prepare_copy(b, toread + 1); + } +- len = read(con->fd, b->ptr, b->size - 1); ++ ++ read_offset = (b->used == 0) ? 
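Review bot: The comment added to the `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` case in the connections.c -234 hunk records that a documented SSL_read() retry rule is being ignored, but justifies it only with "no one has complained", which gives a later maintainer nothing to verify. With `ssl_error_want_reuse_buffer` removed, the retry may reach SSL_read() with a different `b->ptr + read_offset` and `toread`, for instance when the -192 hunk's `b->size - b->used < 1024` test picks a fresh chunk on the next call. I would replace the comment with one that says which arguments can differ on retry and that this was not verified against the OpenSSL versions the build supports, so the assumption is testable. The function body continues outside this hunk.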
0 : b->used - 1; ++ len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset); + #endif + + if (len < 0) { +@@ -374,7 +386,8 @@ + con->is_readable = 0; + } + +- b->used = len; ++ if (b->used > 0) b->used--; ++ b->used += len; + b->ptr[b->used++] = '\0'; + + con->bytes_read += len; +@@ -850,13 +863,6 @@ + /* The cond_cache gets reset in response.c */ + /* config_cond_cache_reset(srv, con); */ + +-#ifdef USE_OPENSSL +- if (con->ssl_error_want_reuse_buffer) { +- buffer_free(con->ssl_error_want_reuse_buffer); +- con->ssl_error_want_reuse_buffer = NULL; +- } +-#endif +- + con->header_len = 0; + con->in_error_handler = 0; + +@@ -945,62 +951,50 @@ last_chunk = NULL; last_offset = 0; 
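Review bot: In the non-Windows branch of `connection_handle_read` (connections.c -321 hunk), the added condition `toread == 0 || toread <= 4*1024` tests the same thing twice, since zero is already covered by the second comparison; `if (ioctl(con->fd, FIONREAD, &toread) || toread <= 4*1024) {` says the same. Separately, both read paths now take `b` from `con->read_queue->last->mem` without looking at the chunk type, whereas the -1140 hunk checks `dst_cq->last->type == MEM_CHUNK` before reusing a buffer. If `read_queue` can only ever hold memory chunks, a one-line comment next to the assignment, such as `/* read_queue only contains MEM_CHUNKs */`, would make that assumption explicit. The function continues past the end of the hunk.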
@@ -91,6 +312,161 @@ /* found */ if (last_chunk) { +@@ -1140,8 +1134,15 @@ + } else { + buffer *b; + +- b = chunkqueue_get_append_buffer(dst_cq); +- buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead); ++ if (dst_cq->last && ++ dst_cq->last->type == MEM_CHUNK) { ++ b = dst_cq->last->mem; ++ } else { ++ b = chunkqueue_get_append_buffer(dst_cq); ++ /* prepare buffer size for remaining POST data; is < 64kb */ ++ buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1); ++ } ++ buffer_append_string_len(b, c->mem->ptr + c->offset, toRead); + } + + c->offset += toRead; +Index: src/chunk.c +=================================================================== +--- src/chunk.c (.../tags/lighttpd-1.4.25) ++++ src/chunk.c (.../branches/lighttpd-1.4.x) +@@ -197,8 +197,6 @@ + int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) { + chunk *c; + +- if (mem->used == 0) return 0; +- + c = chunkqueue_get_unused_chunk(cq); + c->type = MEM_CHUNK; + c->offset = 0; +Index: src/mod_proxy.c +=================================================================== +--- src/mod_proxy.c (.../tags/lighttpd-1.4.25) ++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x) +@@ -1047,12 +1047,33 @@ + * + */ + +- proxy_connection_close(srv, hctx); +- joblist_append(srv, con); ++ if (hctx->host) { ++ hctx->host->is_disabled = 1; ++ hctx->host->disable_ts = srv->cur_ts; ++ log_error_write(srv, __FILE__, __LINE__, "sbdd", "proxy-server disabled:", ++ hctx->host->host, ++ hctx->host->port, ++ hctx->fd); + +- con->http_status = 503; +- con->mode = DIRECT; ++ /* disable this server */ ++ hctx->host->is_disabled = 1; ++ hctx->host->disable_ts = srv->cur_ts; + ++ proxy_connection_close(srv, hctx); ++ ++ /* reset the enviroment and restart the sub-request */ ++ buffer_reset(con->physical.path); ++ con->mode = DIRECT; ++ ++ joblist_append(srv, con); ++ } else { ++ proxy_connection_close(srv, hctx); ++ joblist_append(srv, con); ++ ++ con->mode = DIRECT; ++ con->http_status = 503; ++ } 
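Review bot: In the connections.c -1140 hunk, the size passed to `buffer_prepare_copy()` is `con->request.content_length - dst_cq->bytes_in + 1`, and nothing in the hunk shows that `bytes_in` cannot exceed `content_length` or where the "< 64kb" bound in the comment is enforced. Because this value sizes an allocation from a request-supplied length, the comment should name the check that guarantees both, for example `/* relies on <check in caller>: content_length < 64kb and bytes_in <= content_length */`, or the subtraction should be guarded. Both invariants presumably hold in the surrounding code, which is outside the hunk.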
++ + return HANDLER_FINISHED; + } + +Index: src/mod_redirect.c +=================================================================== +--- src/mod_redirect.c (.../tags/lighttpd-1.4.25) ++++ src/mod_redirect.c (.../branches/lighttpd-1.4.x) +@@ -210,7 +210,7 @@ + buffer_reset(p->location); + + start = 0; +- for (k = 0; k < pattern_len; k++) { ++ for (k = 0; k + 1 < pattern_len; k++) { + if (pattern[k] == '$' || pattern[k] == '%') { + /* got one */ + +Index: src/mod_fastcgi.c +=================================================================== +--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.25) ++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x) +@@ -2307,6 +2307,9 @@ + filename = pos; + if (NULL == (range = strchr(pos, ' '))) { + /* missing range */ ++ if (p->conf.debug) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "Couldn't find range after filename:", filename); ++ } + return 1; + } + buffer_copy_string_len(srv->tmp_buf, filename, range - filename); +@@ -2338,14 +2341,24 @@ + char *rpos = NULL; + errno = 0; + begin_range = strtoll(range, &rpos, 10); +- if (errno != 0 || begin_range < 0 || rpos == range) return 1; +- if ('-' != *rpos++) return 1; ++ if (errno != 0 || begin_range < 0 || rpos == range) goto range_failed; ++ if ('-' != *rpos++) goto range_failed; + if (rpos != pos) { + range = rpos; + end_range = strtoll(range, &rpos, 10); +- if (errno != 0 || end_range < 0 || rpos == range) return 1; ++ if (errno != 0 || end_range < 0 || rpos == range) goto range_failed; + } +- if (rpos != pos) return 1; ++ if (rpos != pos) goto range_failed; ++ ++ goto range_success; ++ ++range_failed: ++ if (p->conf.debug) { ++ log_error_write(srv, __FILE__, __LINE__, "ss", "Couldn't decode range after filename:", filename); ++ } ++ return 1; ++ ++range_success: ; + } + + /* no parameters accepted */ +Index: src/mod_accesslog.c +=================================================================== +--- src/mod_accesslog.c (.../tags/lighttpd-1.4.25) ++++ src/mod_accesslog.c 
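Review bot: In the new `if (hctx->host)` branch of the mod_proxy.c -1047 hunk, `hctx->host->is_disabled = 1;` and `hctx->host->disable_ts = srv->cur_ts;` are assigned twice, once before the `log_error_write()` call and again under `/* disable this server */`; one pair can be dropped. The branch also leaves `con->http_status` unset and re-queues the request with `joblist_append()`, so what stops a request from being restarted repeatedly is not visible here and presumably depends on the disabled host being skipped on the next pass. A short comment stating what bounds the restarts would help. The handler starts before the hunk.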
(.../branches/lighttpd-1.4.x) +@@ -788,6 +788,13 @@ + buffer_append_string_len(b, CONST_STR_LEN("-")); + } + break; ++ case FORMAT_ENV: ++ if (NULL != (ds = (data_string *)array_get_element(con->environment, p->conf.parsed_format->ptr[j]->string->ptr))) { ++ accesslog_append_escaped(b, ds->value); ++ } else { ++ buffer_append_string_len(b, CONST_STR_LEN("-")); ++ } ++ break; + case FORMAT_FILENAME: + if (con->physical.path->used > 1) { + buffer_append_string_buffer(b, con->physical.path); +@@ -864,7 +871,6 @@ + { 'A', FORMAT_LOCAL_ADDR }, + { 'C', FORMAT_COOKIE }, + { 'D', FORMAT_TIME_USED_MS }, +- { 'e', FORMAT_ENV }, + */ + + break; Index: tests/request.t =================================================================== --- tests/request.t (.../tags/lighttpd-1.4.25) 
@@ -384,13 +760,21 @@ =================================================================== --- NEWS (.../tags/lighttpd-1.4.25) +++ NEWS (.../branches/lighttpd-1.4.x) -@@ -3,7 +3,10 @@ +@@ -3,7 +3,18 @@ NEWS ==== -- 1.4.25 - +- 1.4.26 - -+ * ++ * Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105) ++ * Remove dependency on automake >= 1.11 with m4_ifdef check ++ * mod_accesslog: support %e (fixes #2113, thx presbrey) ++ * Fix mod_cgi cgi.execute-x-only option in global block ++ * mod_fastcgi: x-sendfile2 parse error debugging ++ * Fix mod_proxy dead host detection if connect() fails ++ * Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159) ++ * Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt) ++ * Append to previous buffer in con read (fixes #2147, found by liming, CVE-2010-0295) + +- 1.4.25 - 2009-11-21 * mod_magnet: fix pairs() for normal tables and strings (fixes #1307) ================================================================ Index: packages/lighttpd/lighttpd.spec diff -u packages/lighttpd/lighttpd.spec:1.322 packages/lighttpd/lighttpd.spec:1.323 --- packages/lighttpd/lighttpd.spec:1.322 Mon Jan 4 12:18:08 2010 +++ packages/lighttpd/lighttpd.spec Tue Feb 2 12:56:22 2010 @@ -24,7 +24,7 @@ Summary(pl.UTF-8): Szybki i lekki serwer HTTP Name: lighttpd Version: 1.4.25 -Release: 4 +Release: 5 License: BSD Group: Networking/Daemons/HTTP Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.bz2 @@ -85,7 +85,7 @@ Source135: %{name}-mod_extforward.conf Source136: %{name}-mod_h264_streaming.conf Source137: %{name}-mod_cgi_php.conf -#Patch100: %{name}-branch.diff +Patch100: %{name}-branch.diff Patch0: %{name}-use_bin_sh.patch Patch1: %{name}-mod_evasive-status_code.patch Patch2: %{name}-mod_h264_streaming.patch @@ -812,7 +812,7 @@ %prep %setup -q -#%patch100 -p0 +%patch100 -p0 %patch4 -p0 %patch0 -p1 %patch1 -p1 
@@ -1306,6 +1306,10 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.323 2010/02/02 11:56:22 glen +- up to svn -r2711, fixes CVE-2010-0295 +- rel 5 + Revision 1.322 2010/01/04 11:18:08 glen - release 4 ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd-branch.diff?r1=1.66&r2=1.67&f=u http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd.spec?r1=1.322&r2=1.323&f=u _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit