* [PATCH 1/2] vim: update to include latest CVE fixes
@ 2022-01-17 11:20 Ross Burton
2022-01-17 11:20 ` [PATCH 2/2] lighttpd: backport a fix for CVE-2022-22707 Ross Burton
0 siblings, 1 reply; 2+ messages in thread
From: Ross Burton @ 2022-01-17 11:20 UTC (permalink / raw)
To: openembedded-core
Update the version to 4.2.4118, which incorporates the following CVE
fixes:
- CVE-2021-4187
- CVE-2022-0128
- CVE-2022-0156
- CVE-2022-0158
Also remove the explicit whitelisting of CVE-2021-3968 as this is now
handled with an accurate CPE specifying the fixed version.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-support/vim/vim.inc | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 34963054fdf..3a5eca41114 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,8 +20,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://racefix.patch \
"
-PV .= ".3752"
-SRCREV = "8603be338ac810446f23c092f21bc6082f787519"
+PV .= ".4118"
+SRCREV = "0023f82a76cf43a12b41e71f97a2e860d0444e1b"
# Remove when 8.3 is out
UPSTREAM_VERSION_UNKNOWN = "1"
@@ -29,9 +29,6 @@ UPSTREAM_VERSION_UNKNOWN = "1"
# Do not consider .z in x.y.z, as that is updated with every commit
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
-# CVE-2021-3968 is related to an issue which was introduced after 8.2, this can be removed after 8.3.
-CVE_CHECK_WHITELIST += "CVE-2021-3968"
-
S = "${WORKDIR}/git"
VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}"
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 2/2] lighttpd: backport a fix for CVE-2022-22707
2022-01-17 11:20 [PATCH 1/2] vim: update to include latest CVE fixes Ross Burton
@ 2022-01-17 11:20 ` Ross Burton
0 siblings, 0 replies; 2+ messages in thread
From: Ross Burton @ 2022-01-17 11:20 UTC (permalink / raw)
To: openembedded-core
Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
...ix-out-of-bounds-OOB-write-fixes-313.patch | 97 +++++++++++++++++++
.../lighttpd/lighttpd_1.4.63.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644 meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
diff --git a/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
new file mode 100644
index 00000000000..f4e93d1065a
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch
@@ -0,0 +1,97 @@
+Upstream-Status: Backport
+CVE: CVE-2022-22707
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 27103f3f8b1a2857aa45b889e775435f7daf141f Mon Sep 17 00:00:00 2001
+From: povcfe <povcfe@qq.com>
+Date: Wed, 5 Jan 2022 11:11:09 +0000
+Subject: [PATCH] [mod_extforward] fix out-of-bounds (OOB) write (fixes #3134)
+
+(thx povcfe)
+
+(edited: gstrauss)
+
+There is a potential remote denial of service in lighttpd mod_extforward
+under specific, non-default and uncommon 32-bit lighttpd mod_extforward
+configurations.
+
+Under specific, non-default and uncommon lighttpd mod_extforward
+configurations, a remote attacker can trigger a 4-byte out-of-bounds
+write of value '-1' to the stack. This is not believed to be exploitable
+in any way beyond triggering a crash of the lighttpd server on systems
+where the lighttpd server has been built 32-bit and with compiler flags
+which enable a stack canary -- gcc/clang -fstack-protector-strong or
+-fstack-protector-all, but bug not visible with only -fstack-protector.
+
+With standard lighttpd builds using -O2 optimization on 64-bit x86_64,
+this bug has not been observed to cause adverse behavior, even with
+gcc/clang -fstack-protector-strong.
+
+For the bug to be reachable, the user must be using a non-default
+lighttpd configuration which enables mod_extforward and configures
+mod_extforward to accept and parse the "Forwarded" header from a trusted
+proxy. At this time, support for RFC7239 Forwarded is not common in CDN
+providers or popular web server reverse proxies. It bears repeating that
+for the user to desire to configure lighttpd mod_extforward to accept
+"Forwarded", the user must also be using a trusted proxy (in front of
+lighttpd) which understands and actively modifies the "Forwarded" header
+sent to lighttpd.
+
+lighttpd natively supports RFC7239 "Forwarded"
+hiawatha natively supports RFC7239 "Forwarded"
+
+nginx can be manually configured to add a "Forwarded" header
+https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/
+
+A 64-bit build of lighttpd on x86_64 (not known to be affected by bug)
+in front of another 32-bit lighttpd will detect and reject a malicious
+"Forwarded" request header, thereby thwarting an attempt to trigger
+this bug in an upstream 32-bit lighttpd.
+
+The following servers currently do not natively support RFC7239 Forwarded:
+nginx
+apache2
+caddy
+node.js
+haproxy
+squid
+varnish-cache
+litespeed
+
+Given the general dearth of support for RFC7239 Forwarded in popular
+CDNs and web server reverse proxies, and given the prerequisites in
+lighttpd mod_extforward needed to reach this bug, the number of lighttpd
+servers vulnerable to this bug is estimated to be vanishingly small.
+Large systems using reverse proxies are likely running 64-bit lighttpd,
+which is not known to be adversely affected by this bug.
+
+In the future, it is desirable for more servers to implement RFC7239
+Forwarded. lighttpd developers would like to thank povcfe for reporting
+this bug so that it can be fixed before more CDNs and web servers
+implement RFC7239 Forwarded.
+
+x-ref:
+ "mod_extforward plugin has out-of-bounds (OOB) write of 4-byte -1"
+ https://redmine.lighttpd.net/issues/3134
+ (not yet written or published)
+ CVE-2022-22707
+---
+ src/mod_extforward.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mod_extforward.c b/src/mod_extforward.c
+index ba957e04..fdaef7f6 100644
+--- a/src/mod_extforward.c
++++ b/src/mod_extforward.c
+@@ -715,7 +715,7 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
+ while (s[i] == ' ' || s[i] == '\t') ++i;
+ if (s[i] == ';') { ++i; continue; }
+ if (s[i] == ',') {
+- if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
++ if (j >= (int)(sizeof(offsets)/sizeof(int))-1) break;
+ offsets[++j] = -1; /*("offset" separating params from next proxy)*/
+ ++i;
+ continue;
+--
+2.25.1
+
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
index 41d6319e1be..6359310772b 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.63.bb
@@ -14,6 +14,7 @@ RRECOMMENDS:${PN} = "lighttpd-module-access \
lighttpd-module-accesslog"
SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
+ file://0001-mod_extforward-fix-out-of-bounds-OOB-write-fixes-313.patch \
file://index.html.lighttpd \
file://lighttpd.conf \
file://lighttpd \
--
2.25.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-01-17 11:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-17 11:20 [PATCH 1/2] vim: update to include latest CVE fixes Ross Burton
2022-01-17 11:20 ` [PATCH 2/2] lighttpd: backport a fix for CVE-2022-22707 Ross Burton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).