[Midnightbsd-cvs] mports: www/lighttpd: Fix 3 security vulnerabilities in lighttpd.

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Sep 30 11:43:28 EDT 2008


Log Message:
-----------
Fix 3 security vulnerabilities in lighttpd.  Remind me why this is better than apache again?

Modified Files:
--------------
    mports/www/lighttpd:
        Makefile (r1.8 -> r1.9)

Added Files:
-----------
    mports/www/lighttpd/files:
        patch-sa_2008_05 (r1.1)
        patch-sa_2008_06 (r1.1)
        patch-sa_2008_07 (r1.1)

-------------- next part --------------
Index: Makefile
===================================================================
RCS file: /home/cvs/mports/www/lighttpd/Makefile,v
retrieving revision 1.8
retrieving revision 1.9
diff -L www/lighttpd/Makefile -L www/lighttpd/Makefile -u -r1.8 -r1.9
--- www/lighttpd/Makefile
+++ www/lighttpd/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	lighttpd
 PORTVERSION=	1.4.19
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	www
 MASTER_SITES=	http://www.lighttpd.net/download/ \
 		http://mirrors.cat.pdx.edu/lighttpd/
--- /dev/null
+++ www/lighttpd/files/patch-sa_2008_06
@@ -0,0 +1,49 @@
+#
+# http://www.lighttpd.net/security/lighttpd_sa_2008_06.txt
+#
+Index: src/mod_userdir.c
+===================================================================
+--- src/mod_userdir.c (revision 2120)
++++ src/mod_userdir.c (revision 2283)
+@@ -263,4 +263,7 @@
+ 			}
+ 		}
++		if (con->conf.force_lowercase_filenames) {
++			buffer_to_lower(p->username);
++		}
+ 
+ 		buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
+@@ -285,6 +288,22 @@
+ 	}
+ 
++	/* the physical rel_path is basically the same as uri.path;
++	 * but it is converted to lowercase in case of force_lowercase_filenames and some special handling
++	 * for trailing '.', ' ' and '/' on windows
++	 * we assume that no docroot/physical handler changed this
++	 * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
++	 *  the exception mod_secure_download doesn't work with userdir anyway)
++	 */
+ 	BUFFER_APPEND_SLASH(p->temp_path);
+-	buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++	/* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
++	 * on windows.
++	 * we do not care about the trailing slash here on windows, as we already ensured it is a directory
++	 *
++	 * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
++	 *       as a username without them.
++	 */
++	if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
++		buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++	}
+ 	buffer_copy_string_buffer(con->physical.path, p->temp_path);
+ 
+Index: NEWS
+===================================================================
+--- NEWS (revision 2281)
++++ NEWS (revision 2283)
+@@ -53,4 +53,5 @@
+   * fixed conditional patching of ldap filter (#1564)
+   * Match headers case insensitive in response (removing of X-{Sendfile,LIGHTTPD-*}, catching Date/Server)
++  * fixed bug with case-insensitive filenames in mod_userdir (#1589), spotted by "anders1"
+ 
+ - 1.4.19 - 2008-03-10
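Review bot: The new `strchr(con->physical.rel_path->ptr + 2, '/')` in the mod_userdir.c hunk steps two bytes into `physical.rel_path` with no visible check that the buffer is that long or still starts with `/~`; the added comment itself says this is only assumed ("no docroot/physical handler changed this"). Any prefix validation lies outside the hunk and may be on `uri.path` rather than on this buffer, so a guard ahead of the offset, for example `if (con->physical.rel_path->used < 3) return HANDLER_GO_ON;` (assuming `used` counts the terminator), would turn the assumption into a checked precondition. The TODO about trailing dots in Windows usernames is left open, so on that platform two spellings of a username may still resolve to the same directory, and this patch should not be read as closing that case. The enclosing function begins and ends outside the hunk.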
--- /dev/null
+++ www/lighttpd/files/patch-sa_2008_05
@@ -0,0 +1,91 @@
+#
+# http://www.lighttpd.net/security/lighttpd_sa_2008_05.txt
+#
+Index: src/mod_rewrite.c
+===================================================================
+--- src/mod_rewrite.c (revision 2148)
++++ src/mod_rewrite.c (revision 2278)
+@@ -351,5 +351,9 @@
+ 	if (!p->conf.rewrite) return HANDLER_GO_ON;
+ 
+-	buffer_copy_string_buffer(p->match_buf, con->request.uri);
++	buffer_copy_string_buffer(p->match_buf, con->uri.path);
++	if (con->uri.query->used > 0) {
++		buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++		buffer_append_string_buffer(p->match_buf, con->uri.query);
++	}
+ 
+ 	for (i = 0; i < p->conf.rewrite->used; i++) {
+Index: src/response.c
+===================================================================
+--- src/response.c (revision 2250)
++++ src/response.c (revision 2278)
+@@ -233,25 +233,4 @@
+ 
+ 
+-		/**
+-		 *
+-		 * call plugins
+-		 *
+-		 * - based on the raw URL
+-		 *
+-		 */
+-
+-		switch(r = plugins_call_handle_uri_raw(srv, con)) {
+-		case HANDLER_GO_ON:
+-			break;
+-		case HANDLER_FINISHED:
+-		case HANDLER_COMEBACK:
+-		case HANDLER_WAIT_FOR_EVENT:
+-		case HANDLER_ERROR:
+-			return r;
+-		default:
+-			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
+-			break;
+-		}
+-
+ 		/* build filename
+ 		 *
+@@ -259,5 +238,4 @@
+ 		 * - remove path-modifiers (e.g. /../)
+ 		 */
+-
+ 
+ 
+@@ -275,4 +253,26 @@
+ 			log_error_write(srv, __FILE__, __LINE__,  "s",  "-- sanatising URI");
+ 			log_error_write(srv, __FILE__, __LINE__,  "sb", "URI-path     : ", con->uri.path);
++		}
++
++
++		/**
++		 *
++		 * call plugins
++		 *
++		 * - based on the raw URL
++		 *
++		 */
++
++		switch(r = plugins_call_handle_uri_raw(srv, con)) {
++		case HANDLER_GO_ON:
++			break;
++		case HANDLER_FINISHED:
++		case HANDLER_COMEBACK:
++		case HANDLER_WAIT_FOR_EVENT:
++		case HANDLER_ERROR:
++			return r;
++		default:
++			log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
++			break;
+ 		}
+ 
+Index: NEWS
+===================================================================
+--- NEWS (revision 2277)
++++ NEWS (revision 2278)
+@@ -50,4 +50,5 @@
+   * fixed dropping last character of evhost pattern (#161)
+   * print helpful error message on conditionals in global block (#1550)
++  * decode url before matching in mod_rewrite (#1720)
+ 
+ - 1.4.19 - 2008-03-10
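Review bot: The comment block re-added in the response.c hunk still says the plugins are called "based on the raw URL", but after the move `plugins_call_handle_uri_raw()` runs below the "-- sanatising URI" logging, so it no longer runs on the raw request bytes. The bullet should be reworded, for example `- based on the decoded, simplified URL path (runs after URI sanitising)`, so that plugin authors hooking this stage know what they receive. In the mod_rewrite.c hunk only `con->uri.path` is the cleaned form, while `con->uri.query` is appended as stored. If the query is kept un-decoded, which the hunk does not show, rules that match on query parameters still see percent-encoded input and should not be relied on as access control. Rules written against encoded paths (a literal `%20`, say) will presumably stop matching once this is applied and need a review on upgrade; the enclosing functions start and end outside both hunks.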
--- /dev/null
+++ www/lighttpd/files/patch-sa_2008_07
@@ -0,0 +1,53 @@
+#
+# http://www.lighttpd.net/security/lighttpd_sa_2008_07.txt
+#
+Index: src/request.c
+===================================================================
+--- src/request.c (revision 1947)
++++ src/request.c (revision 2305)
+@@ -826,4 +826,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+@@ -875,4 +876,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+@@ -912,4 +914,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+@@ -937,4 +940,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+@@ -954,4 +958,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+@@ -977,4 +982,5 @@
+ 												con->request.request);
+ 									}
++									array_insert_unique(con->request.headers, (data_unset *)ds);
+ 									return 0;
+ 								}
+Index: NEWS
+===================================================================
+--- NEWS (revision 2304)
++++ NEWS (revision 2305)
+@@ -63,4 +63,5 @@
+   * workaround ldap connection leak if a ldap connection failed (restarting ldap)
+   * fix auth.backend.ldap.bind-dn/pw problems (only read from global context for temporary ldap reconnects, thx ruskie)
++  * fix memleak in request header parsing (#1774, thx qhy)
+ 
+ - 1.4.19 - 2008-03-10
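Review bot: The leak fix in request.c is one line, `array_insert_unique(con->request.headers, (data_unset *)ds);`, pasted in front of six separate `return 0;` statements (the hunks at 826, 876, 914, 940, 958 and 982), so the next rejection path added to this parser will leak `ds` again unless its author knows the pattern. Routing these exits through one shared exit that hands `ds` over and then returns would keep the ownership rule in a single place; the enclosing function and the declaration of `ds` are outside the hunks, so whether one label can serve all six sites has to be checked against the full file. Each site would also read better with a short comment such as `/* hand ds to the header array so it is released with the request */`, because inserting a header that was just rejected otherwise looks like a mistake. The rejected header presumably stays in `con->request.headers` until the request is reset, so anything that reads the array after a failed parse will see it.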

