Bug#428368: lighttpd vuln patch

2007-07-24 Thread Steve Kemp
  This one isn't going to get released as-is, as there are a couple
 more pending issues with lighttpd.
  I'll roll them all up once I have valid identifiers for them.

Steve
-- 
# The Debian Security Audit Project.
http://www.debian.org/security/audit



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#428368: lighttpd vuln patch

2007-07-20 Thread Pierre Habouzit
  attached is the patch that fixes it. I'm going to NMU lighttpd in
unstable, someone please take care of etch.

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org




Bug#428368: lighttpd vuln patch

2007-07-20 Thread Pierre Habouzit
On Fri, Jul 20, 2007 at 11:02:07AM +0200, Pierre Habouzit wrote:
>   attached is the patch that fixes it. I'm going to NMU lighttpd in
> unstable, someone please take care of etch.

  I obviously forgot the patch...

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org

#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_wrapping_headers_bugfix.dpatch by Pierre Habouzit [EMAIL PROTECTED]
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad lighttpd-1.4.15~/src/request.c lighttpd-1.4.15/src/request.c
--- lighttpd-1.4.15~/src/request.c  2007-04-13 17:26:31.0 +0200
+++ lighttpd-1.4.15/src/request.c   2007-07-20 11:03:12.0 +0200
@@ -284,8 +284,6 @@
 
int done = 0;
 
-   data_string *ds = NULL;
-
/*
 * Request: ^(GET|POST|HEAD) ([^ ]+(\\?[^ ]+|)) (HTTP/1\\.[01])$
 * Option : ^([-a-zA-Z]+): (.+)$
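
Review bot: the function-scope `data_string *ds = NULL;` is dropped here with no explanation, and the dpatch header still reads `## DP: No description.`. The reason only appears in the comment added in the next hunk (array_insert_unique() deletes `ds` on a duplicate header, so a `ds` kept across header lines can dangle). Please put that sentence, plus the bug number, in the `## DP:` lines so the purpose of narrowing the scope is clear to whoever carries this patch into etch.
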
@@ -715,12 +713,24 @@
switch(*cur) {
case '\r':
if (con-parse_request-ptr[i+1] == '\n') {
+   data_string *ds = NULL;
+
/* End of Headerline */
con-parse_request-ptr[i] = '\0';
con-parse_request-ptr[i+1] = '\0';
 
if (in_folding) {
-   if (!ds) {
+   buffer *key_b;
+   /**
+* we use a evil hack to handle 
the line-folding
+* 
+* As array_insert_unique() 
deletes 'ds' in the case of a duplicate
+* ds points somewhere and we 
get a evil crash. As a solution we keep the old
+* key and get the current 
value from the hash and append us
+*
+* */
+
+   if (!key || !key_len) {
/* 400 */
 
if 
(srv-srvconf.log_request_header_on_error) {
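
Review bot: the new guard `if (!key || !key_len)` in the `in_folding` branch trusts `key` and `key_len` to still describe the previous header line, but nothing in the visible lines shows how they are initialised before the first header. Please confirm both start as NULL/0, so that a request whose first header line is itself a continuation line takes the 400 path instead of reading uninitialised values. The comment block would also read better as a plain description of the approach than as "evil hack", and "append us" needs rewording.
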
@@ -737,7 +747,15 @@

con-response.keep_alive = 0;
return 0;
}
-   buffer_append_string(ds-value, 
value);
+
+   key_b = buffer_init();
+   buffer_copy_string_len(key_b, 
key, key_len);
+
+   if (NULL != (ds = (data_string 
*)array_get_element(con-request.headers, key_b-ptr))) {
+   
buffer_append_string(ds-value, value);
+   }
+
+   buffer_free(key_b);
} else {
int s_len;
key = con-parse_request-ptr + 
first;
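
Review bot: when `array_get_element()` returns NULL for `key_b->ptr`, the folded continuation is dropped silently and parsing carries on as if the line had been accepted; there is no else branch. Either answer 400, as the `!key || !key_len` case does, or log the miss, so a malformed folded header cannot pass unnoticed. Also, the result of `buffer_init()` is not checked before `buffer_copy_string_len()`, and a buffer is allocated and freed for every folded line of a client-supplied request just to build a lookup key; if the array API allows a lookup on `key`/`key_len` directly, that would avoid it.
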
@@ -969,7 +987,12 @@
first = i+1;
is_key = 1;
value = 0;
-   key_len = 0;
+#if 0
+   /**
+* for Bug 1230 keep the key_len a live
+*/
+   key_len = 0; 
+#endif
in_folding = 0;
} else {
if 
(srv-srvconf.log_request_header_on_error) {
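
Review bot: disabling `key_len = 0;` with `#if 0` leaves dead code in the request parser; delete the line and keep a one-line comment saying that `key_len` must survive to the next line so a folded continuation can find its header. Because `key_len` is no longer reset at the end of a header line, any other test in this function that reads `key_len == 0` as "no key seen on this line" needs to be re-checked. In the comment, "a live" should be "alive", and "Bug 1230" should say which tracker it refers to.
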
diff -urNad lighttpd-1.4.15~/tests/core-request.t 
lighttpd-1.4.15/tests/core-request.t
--- lighttpd-1.4.15~/tests/core-request.t   2007-02-08 17:34:47.0 
+0100
+++ lighttpd-1.4.15/tests/core-request.t2007-07-20 11:03:12.0 
+0200
@@ -8,7 +8,7 @@
 
 use strict;
 use IO::Socket;
-use Test::More tests = 33;
+use Test::More tests = 36;
 use LightyTest;
 
 my $tf = LightyTest-new();
@@ -273,6 +273,38 @@
 $t-{RESPONSE} = [ { 'HTTP-Protocol' = 'HTTP/1.0', 'HTTP-Status' = 200 } ];
 ok($tf-handle_http($t) == 0, 'uppercase filenames');
 
+$t-{REQUEST}  = ( EOF
+GET / HTTP/1.0
+Location: foo
+Location: foobar
+  baz
+EOF
+ );
+$t-{RESPONSE} = [ { 'HTTP-Protocol' = 'HTTP/1.0', 'HTTP-Status' = 200 } ];
+ok($tf-handle_http($t) 
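
Review bot: the added request (two `Location:` headers followed by a folded `baz` line) is only checked for `HTTP-Status` 200, which shows the server survived the request but not that the continuation was appended to the right header. The test plan grows from 33 to 36, so three `ok()` calls are expected; at least one of them should send a continuation line with no preceding header and expect 400, matching the `!key || !key_len` path added in request.c.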

Bug#428368: lighttpd vuln patch

2007-07-20 Thread Steve Kemp
On Fri Jul 20, 2007 at 11:02:07 +0200, Pierre Habouzit wrote:
>   attached is the patch that fixes it. I'm going to NMU lighttpd in
> unstable, someone please take care of etch.

  Joey, if you could allocate a DoS CVE ID I'll do the upload,
 I've already done lighttpd patches for etch.

Steve
-- 





Bug#428368: lighttpd vuln patch

2007-07-20 Thread Joey Schulze
Steve Kemp wrote:
> On Fri Jul 20, 2007 at 11:02:07 +0200, Pierre Habouzit wrote:
> >   attached is the patch that fixes it. I'm going to NMU lighttpd in
> > unstable, someone please take care of etch.
>
>   Joey, if you could allocate a DoS CVE ID I'll do the upload,
>  I've already done lighttpd patches for etch.

Please use CVE-2007-2841.

Regards,

Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.

