Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Sébastien Delafond
On Aug/02, Santiago R.R. wrote:
> .changes attached. security-master doesn't handle source-only uploads,
> does it?

No, in most cases it does not, so it's always better not to try it. Feel
free to upload to security-master, and I'll probably have time to
release the DSA tomorrow.

Cheers,

--Seb



Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Santiago R.R.
On 02/08/16 at 10:11, Sébastien Delafond wrote:
> On Aug/01, Santiago R.R. wrote:
> > Please, find attached debdiffs to mitigate this in wheezy (that I plan
> > to upload) and jessie. I have tested it with a python cgi taken from
> > httpoxy's PoCs, and it seems to work well. However, I am not familiar
> > with lighttpd, so any review is welcome.
> 
> Hi Santiago,
> 
> thanks for working on this. Could you please change your jessie debdiff
> so it uses version 1.4.35-4+deb8u1 instead of 1.4.35-5 ? The rest looks
> OK.
> 

Oops! Fixed.

> You'll also need to make sure you build with -sa, as lighttpd will be
> new on security-master.

.changes attached. security-master doesn't handle source-only uploads,
does it?

For wheezy users, lighttpd test packages are available at:

  deb https://people.debian.org/~santiago/debian santiago-wheezy/
  deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Thanks,

Santiago
Format: 1.8
Date: Sun, 31 Jul 2016 20:57:24 +0200
Source: lighttpd
Binary: lighttpd lighttpd-doc lighttpd-mod-mysql-vhost lighttpd-mod-trigger-b4-dl lighttpd-mod-cml lighttpd-mod-magnet lighttpd-mod-webdav
Architecture: source amd64 all
Version: 1.4.35-4+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian lighttpd maintainers 

Changed-By: Santiago R.R. 
Description:
 lighttpd   - fast webserver with minimal memory footprint
 lighttpd-doc - documentation for lighttpd
 lighttpd-mod-cml - cache meta language module for lighttpd
 lighttpd-mod-magnet - control the request handling module for lighttpd
 lighttpd-mod-mysql-vhost - MySQL-based virtual host configuration for lighttpd
 lighttpd-mod-trigger-b4-dl - anti-deep-linking module for lighttpd
 lighttpd-mod-webdav - WebDAV module for lighttpd
Changes:
 lighttpd (1.4.35-4+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability.
   * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
Checksums-Sha1:
 71b880ac6738f55e6a0685f00244939ce857de28 1929 lighttpd_1.4.35-4+deb8u1.dsc
 90c22d55c9656494d772deb62e253aa35bb5221d 847321 lighttpd_1.4.35.orig.tar.gz
 bca8d5ff2a27d99624fc5ebe0237d08eba31238b 27380 lighttpd_1.4.35-4+deb8u1.debian.tar.xz
 ea3a16570c70702f13e6139b8ced1ad7e304e139 245054 lighttpd_1.4.35-4+deb8u1_amd64.deb
 3ab0e23dc3bb4443369ca244ea82a509df2b23f8 61394 lighttpd-doc_1.4.35-4+deb8u1_all.deb
 eecace5ee43943e2f036dab62a4e01a5807898b5 19958 lighttpd-mod-mysql-vhost_1.4.35-4+deb8u1_amd64.deb
 e90cfd2cd0465315f75f3f2809f7c819a43ba19d 20776 lighttpd-mod-trigger-b4-dl_1.4.35-4+deb8u1_amd64.deb
 5b456baf03fcb151e4bfc9647ea041ee527802c0 23088 lighttpd-mod-cml_1.4.35-4+deb8u1_amd64.deb
 1d106305a394d9324c74ea454e2a1dcc08bf3e85 24646 lighttpd-mod-magnet_1.4.35-4+deb8u1_amd64.deb
 be572db784ec222fe1c33da9775e3bdf2fc002c4 30102 lighttpd-mod-webdav_1.4.35-4+deb8u1_amd64.deb
Checksums-Sha256:
 ed42927602f5e59e976f96df34b4375b5d9d05d00551ff5350c06ea7dee53990 1929 lighttpd_1.4.35-4+deb8u1.dsc
 62c23de053fd82e1bf64f204cb6c6e44ba3c16c01ff1e09da680d982802ef1cc 847321 lighttpd_1.4.35.orig.tar.gz
 809f136773a28f3d3aad000b9bb74d2cb53e92da0d09e4bb246d755451d14db9 27380 lighttpd_1.4.35-4+deb8u1.debian.tar.xz
 6f19013234e34977cb05f857421e8e1bc66a17b272eca71c582c0440172f6baf 245054 lighttpd_1.4.35-4+deb8u1_amd64.deb
 29fbbf46264be0bb0c5cf32fa1e9d55bf614272fb1de521407be6f06cbe4e059 61394 lighttpd-doc_1.4.35-4+deb8u1_all.deb
 1ce44aa301e1974eb0c4b50d409c63106ba8baccfd2b36fda91602ad295b3960 19958 lighttpd-mod-mysql-vhost_1.4.35-4+deb8u1_amd64.deb
 45a05c88e23b3a8556068b4c60f0726e9afebecd935639907df542b3856a025a 20776 lighttpd-mod-trigger-b4-dl_1.4.35-4+deb8u1_amd64.deb
 1d6541fa3af0ec414939b91827a65dd71f87896caf5d8f52194aac14e6183f0f 23088 lighttpd-mod-cml_1.4.35-4+deb8u1_amd64.deb
 b739d657c7c997b1203a5b13eddaed34fa2af24fbb27980be372b29ce79c2017 24646 lighttpd-mod-magnet_1.4.35-4+deb8u1_amd64.deb
 a1b734ccc4098d8062c65aeb03cf57da3f23f1ebc89914ec47173f80c0d42ddd 30102 lighttpd-mod-webdav_1.4.35-4+deb8u1_amd64.deb
Files:
 733c5fd6fe344a29d06cc48bce7fead0 1929 httpd optional lighttpd_1.4.35-4+deb8u1.dsc
 69057685df672218d45809539b874917 847321 httpd optional lighttpd_1.4.35.orig.tar.gz
 d3e2a03dd80db575902ee96722b11598 27380 httpd optional lighttpd_1.4.35-4+deb8u1.debian.tar.xz
 ce497ebd3a8f1baa6aa119b36af3d4ea 245054 httpd optional lighttpd_1.4.35-4+deb8u1_amd64.deb
 46be0ace9166e17375c15b9860a0964b 61394 doc optional lighttpd-doc_1.4.35-4+deb8u1_all.deb
 6044e7f4079507ca13deb3091cf4b61b 19958 httpd optional lighttpd-mod-mysql-vhost_1.4.35-4+deb8u1_amd64.deb
 ccf6d8a31d235239ad0e8440e46d996a 20776 httpd optional lighttpd-mod-trigger-b4-dl_1.4.35-4+deb8u1_amd64.deb
 aaa81298e8f9c929ddd470c067bbb81f 23088 httpd optional lighttpd-mod-cml_1.4.35-4+deb8u1_amd64.deb
 385be1550836e0157ba40ef82c94927d 24646 httpd optional lighttpd-mod-magnet_1.4.35-4+deb8u1_amd64.deb
 8346d52de822696d20506619b577c1ca 30102 httpd optional 
light

Re: Wheezy and jessie updates of lighttpd

2016-08-02 Thread Sébastien Delafond
On Aug/01, Santiago R.R. wrote:
> Please, find attached debdiffs to mitigate this in wheezy (that I plan
> to upload) and jessie. I have tested it with a python cgi taken from
> httpoxy's PoCs, and it seems to work well. However, I am not familiar
> with lighttpd, so any review is welcome.

Hi Santiago,

thanks for working on this. Could you please change your jessie debdiff
so it uses version 1.4.35-4+deb8u1 instead of 1.4.35-5 ? The rest looks
OK.

You'll also need to make sure you build with -sa, as lighttpd will be
new on security-master.

Cheers,

--Seb



Wheezy and jessie updates of lighttpd

2016-08-01 Thread Santiago R.R.
Hi,

On 29/07/16 at 09:54, Krzysztof Krzyżaniak wrote:
> 
> On Thu, 28 Jul 2016 at 22:36, Thorsten Alteholz wrote:
> 
> Hello dear maintainer(s), the Debian LTS team would like to fix the
> security issues which are currently open in the Wheezy version of
> lighttpd:
> https://security-tracker.debian.org/tracker/CVE-2016-1000212 Would you
> like to take care of this yourself?
> 
> 
> I don't have any Wheezy on my own. I would need to install it on some vm; I
> think I could maybe do this over the weekend. So if you have someone else to
> do it faster feel free to do it.
> 
>   eloy

Please, find attached debdiffs to mitigate this in wheezy (that I plan
to upload) and jessie. I have tested it with a python cgi taken from
httpoxy's PoCs, and it seems to work well. However, I am not familiar
with lighttpd, so any review is welcome.

Cheers,

Santiago
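The mitigation that the debdiffs in this thread apply, as an added example that is not part of the thread and not lighttpd's own code: a stand-alone C model of how a server turns request headers into CGI meta-variables (RFC 3875 `HTTP_<NAME>`) and refuses to export a header named `Proxy`, matched case-insensitively the way the backported `buffer_is_equal_caseless_string()` matches it, so a client can no longer plant `HTTP_PROXY` in the CGI child's environment. The function names, the fixed-size `env_set` and the sample request headers are assumptions of this example, not anything from the patch.

```c
/* Added example (not lighttpd code): CGI environment construction with the
 * HTTPoxy (CVE-2016-1000212) mitigation, i.e. a "Proxy" request header is
 * never exported as HTTP_PROXY, whatever its letter case. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ENV 32
#define MAX_LEN 128

/* Resulting CGI meta-variables; fixed-size arrays keep the example self-contained. */
struct env_set {
    char names[MAX_ENV][MAX_LEN];
    char values[MAX_ENV][MAX_LEN];
    size_t count;
};

/* Case-insensitive match against "Proxy": the same test the lighttpd fix
 * performs on each header name with buffer_is_equal_caseless_string(). */
int is_proxy_header(const char *name) {
    return strcasecmp(name, "Proxy") == 0;
}

/* RFC 3875 section 4.1.18: "HTTP_" + header name uppercased, with every
 * non-alphanumeric character replaced by '_'. Returns 0 if it will not fit. */
int cgi_meta_name(const char *header, char *out, size_t out_len) {
    size_t n = strlen(header);
    if (n + sizeof("HTTP_") > out_len) return 0;   /* prefix + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = isalnum(c) ? (char)toupper(c) : '_';
    }
    out[5 + n] = '\0';
    return 1;
}

/* Build the environment from (name, value) pairs. A "Proxy" header is never
 * exported, so the CGI child cannot see a client-supplied HTTP_PROXY.
 * Returns the number of headers dropped. */
int build_cgi_env(const char *const headers[][2], size_t n_headers,
                  struct env_set *env) {
    int dropped = 0;
    env->count = 0;
    for (size_t i = 0; i < n_headers && env->count < MAX_ENV; i++) {
        if (is_proxy_header(headers[i][0])) { dropped++; continue; }
        if (!cgi_meta_name(headers[i][0], env->names[env->count], MAX_LEN))
            continue;                          /* over-long name: skip it */
        snprintf(env->values[env->count], MAX_LEN, "%s", headers[i][1]);
        env->count++;
    }
    return dropped;
}

/* Look a meta-variable up by its CGI name; NULL when absent. */
const char *env_lookup(const struct env_set *env, const char *name) {
    for (size_t i = 0; i < env->count; i++)
        if (strcmp(env->names[i], name) == 0) return env->values[i];
    return NULL;
}

/* Constructed sample request (not from the thread): ordinary headers plus a
 * mixed-case Proxy header that the mitigation must drop. */
const char *const sample_headers[][2] = {
    {"Host",            "www.example.test"},
    {"pRoXy",           "http://proxy.example.test:8080"},
    {"User-Agent",      "httpoxy-regression-check/1.0"},
    {"X-Forwarded-For", "198.51.100.7"},
};
const size_t sample_header_count = sizeof(sample_headers) / sizeof(sample_headers[0]);

/* Environment built from the sample, kept at file scope so it can be inspected. */
struct env_set sample_env;

/* Run the sample through build_cgi_env(); returns how many headers were dropped. */
int run_sample(void) {
    return build_cgi_env(sample_headers, sample_header_count, &sample_env);
}

int main(void) {
    int dropped = run_sample();
    for (size_t i = 0; i < sample_env.count; i++)
        printf("%s=%s\n", sample_env.names[i], sample_env.values[i]);
    printf("dropped %d header(s); HTTP_PROXY %s\n", dropped,
           env_lookup(&sample_env, "HTTP_PROXY") ? "LEAKED" : "absent");
    return env_lookup(&sample_env, "HTTP_PROXY") ? 1 : 0;
}
```

The check is on the header name, not the value: `Proxy-Authorization` and similar names still map normally, and only an exact case-insensitive `Proxy` is dropped, which is also why the fix backports a caseless comparison rather than reusing `buffer_is_equal_string()`.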
diff -Nru lighttpd-1.4.31/debian/changelog lighttpd-1.4.31/debian/changelog
--- lighttpd-1.4.31/debian/changelog2016-02-23 11:10:46.0 +0100
+++ lighttpd-1.4.31/debian/changelog2016-08-01 18:01:58.0 +0200
@@ -1,3 +1,12 @@
+lighttpd (1.4.31-4+deb7u5~1) santiago-wheezy; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2016-1000212: Mitigate HTTPoxy vulnerability.
+  * Add buffer_is_equal_caseless_string.patch
+  * Add mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
+
+ -- Santiago R.R.   Fri, 29 Jul 2016 18:16:19 +0200
+
 lighttpd (1.4.31-4+deb7u4) wheezy-security; urgency=high
 
   * Non-maintainer upload.
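Review bot: the new changelog entry is versioned `1.4.31-4+deb7u5~1` for distribution `santiago-wheezy`, i.e. the test-repository build, so before the upload it should read `lighttpd (1.4.31-4+deb7u5) wheezy-security; urgency=medium`, matching the `wheezy-security` entry directly below it and the jessie .changes in this thread (`jessie-security`). The `~1` suffix sorts before the final version in dpkg's ordering, so users of the test repository will upgrade cleanly to the security upload, but `santiago-wheezy` is not a security suite and must not survive into the uploaded changelog.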
diff -Nru lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch 
lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch
--- lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch
1970-01-01 01:00:00.0 +0100
+++ lighttpd-1.4.31/debian/patches/buffer_is_equal_caseless_string.patch
2016-08-01 18:01:58.0 +0200
@@ -0,0 +1,67 @@
+Description: backport buffer.c buffer_is_equal_caseless_string()
+ needed to mitigate httpoxy vulnerability.
+Author: Santiago R.R. 
+
+--- a/src/buffer.c
 b/src/buffer.c
+@@ -533,6 +533,15 @@
+   return buffer_is_equal(a, &b);
+ }
+ 
++/* buffer_is_equal_caseless_string(b, CONST_STR_LEN("value")) */
++int buffer_is_equal_caseless_string(const buffer *a, const char *s, size_t 
b_len) {
++  force_assert(NULL != a);
++  if (a->used != b_len + 1) return 0;
++  force_assert('\0' == a->ptr[a->used - 1]);
++
++  return (0 == strcasecmp(a->ptr, s));
++}
++
+ /* simple-assumption:
+  *
+  * most parts are equal and doing a case conversion needs time
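Review bot: in `buffer_is_equal_caseless_string()` the order of the two checks is load-bearing and deserves a comment: the `a->used != b_len + 1` early return must stay ahead of `force_assert('\0' == a->ptr[a->used - 1])`, because for an empty buffer (`used == 0`) the subtraction wraps and the assert would read far outside `ptr`. As written it is correct, and it relies on `used` counting the terminating NUL, the same convention the `CONST_BUF_LEN` macro (`x->used - 1`) in buffer.h depends on, so a caller that fills `used` without a terminator now aborts via `force_assert` instead of comparing garbage; that is the intended behaviour, but worth stating in the comment line above the function.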
+@@ -1075,3 +1084,10 @@
+ 
+   return 0;
+ }
++
++void log_failed_assert(const char *filename, unsigned int line, const char 
*msg) {
++  /* can't use buffer here; could lead to recursive assertions */
++  fprintf(stderr, "%s.%u: %s\n", filename, line, msg);
++  fflush(stderr);
++  abort();
++}
+--- a/src/buffer.h
 b/src/buffer.h
+@@ -82,6 +82,7 @@
+ int buffer_is_equal(buffer *a, buffer *b);
+ int buffer_is_equal_right_len(buffer *a, buffer *b, size_t len);
+ int buffer_is_equal_string(buffer *a, const char *s, size_t b_len);
++int buffer_is_equal_caseless_string(const buffer *a, const char *s, size_t 
b_len);
+ int buffer_caseless_compare(const char *a, size_t a_len, const char *b, 
size_t b_len);
+ 
+ typedef enum {
+@@ -125,6 +126,8 @@
+ #define CONST_STR_LEN(x) x, x ? sizeof(x) - 1 : 0
+ #define CONST_BUF_LEN(x) x->ptr, x->used ? x->used - 1 : 0
+ 
++void log_failed_assert(const char *filename, unsigned int line, const char 
*msg) LI_NORETURN;
++#define force_assert(x) do { if (!(x)) log_failed_assert(__FILE__, __LINE__, 
"assertion failed: " #x); } while(0)
+ 
+ #define SEGFAULT() do { fprintf(stderr, "%s.%d: aborted\n", __FILE__, 
__LINE__); abort(); } while(0)
+ #define UNUSED(x) ( (void)(x) )
+--- a/src/settings.h
 b/src/settings.h
+@@ -9,6 +9,12 @@
+ # define __USE_GNU /* a hack in my eyes,  F_SETSIG should work with 
_GNU_SOURCE */
+ #endif
+ 
++#ifdef __GNUC__
++# define LI_NORETURN __attribute__((noreturn))
++#else
++# define LI_NORETURN
++#endif
++
+ #define BV(x) (1 << x)
+ 
+ #define INET_NTOP_CACHE_MAX 4
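Review bot: the patch header only names `buffer_is_equal_caseless_string()`, but this hunk also backports `force_assert`/`log_failed_assert` (buffer.h, buffer.c) and the `LI_NORETURN` macro (settings.h); the Description should list all three so a later rebase knows which pieces belong together. Please also confirm that buffer.h sees `LI_NORETURN` before its `log_failed_assert` prototype, i.e. that it includes settings.h or is only ever included after it, since the prototype otherwise fails to compile. Finally, as rendered in the archive the inner patch has lost its `+++ b/src/...` file markers (they appear as ` b/src/buffer.c`, ` b/src/buffer.h`, ` b/src/settings.h`) and several long lines are wrapped (`size_t` / `b_len)`), so review and apply from the attached file rather than from this inline copy.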
diff -Nru 
lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
 
lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
--- 
lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
  1970-01-01 01:00:00.0 +0100
+++ 
lighttpd-1.4.31/debian/patches/mitigate-httpoxy-779c133c16f9af168b004dce7a2a64f16c1cb3a4.patch
  2016-08-01 18:02:27.0 +0200
@@ -0,0 +1,126 @@
+Description: backported patch to mitigate httpoxy vulnerability
+Origin: upstream, 
https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/779c133c16f9af168b004dce7a2a64f16c1cb3a4/diff
+Reviewed-by: Santiago R.R. 
+
+From 779c133c
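Review bot: this patch's DEP-3 header carries Origin and Reviewed-by but no CVE reference; add `CVE-2016-1000212` to the Description (the changelog entry already uses it) so the patch can be cross-referenced with the security tracker link quoted earlier in the thread. The archive copy is cut off after `From 779c133c`, so the actual Proxy-header handling from the upstream commit cannot be reviewed here; it should be checked against the upstream revision named in Origin, and in particular that it uses the caseless comparison the companion patch backports.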