[Midnightbsd-cvs] mports: www/lighttpd: Patch CVE 2008-1531.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Sep 25 14:38:48 EDT 2008
Log Message:
-----------
Patch CVE-2008-1531.
Adjust plist for new files. Add bzip2 support as an option.
Modified Files:
--------------
mports/www/lighttpd:
Makefile (r1.5 -> r1.6)
pkg-plist (r1.1 -> r1.2)
mports/www/lighttpd/files:
lighttpd.sh.in (r1.1 -> r1.2)
Added Files:
-----------
mports/www/lighttpd:
pkg-message (r1.1)
mports/www/lighttpd/files:
patch-CVE-2008-1531 (r1.1)
patch-mod_proxy_ipv6_support (r1.1)
patch-src__mod_fastcgi.c (r1.1)
patch-src__network_freebsd_sendfile.c (r1.1)
-------------- next part --------------
--- /dev/null
+++ www/lighttpd/pkg-message
@@ -0,0 +1,8 @@
+lighttpd has been installed.
+
+Upon uninstallation, check /var/log for
+lighttpd.access.log and lighttpd.error.log
+
+The latter is useful in debugging. If the
+daemon will not start, be sure to check the
+log files.
Index: pkg-plist
===================================================================
RCS file: /home/cvs/mports/www/lighttpd/pkg-plist,v
retrieving revision 1.1
retrieving revision 1.2
diff -L www/lighttpd/pkg-plist -L www/lighttpd/pkg-plist -u -r1.1 -r1.2
--- www/lighttpd/pkg-plist
+++ www/lighttpd/pkg-plist
@@ -1,4 +1,4 @@
- at comment $FreeBSD: ports/www/lighttpd/pkg-plist,v 1.14 2006/09/26 09:07:17 clsung Exp $
+ at comment $MidnightBSD$
bin/spawn-fcgi
@unexec if cmp -s %D/etc/lighttpd.conf %D/etc/lighttpd.conf.sample; then rm -f %D/etc/lighttpd.conf; fi
etc/lighttpd.conf.sample
@@ -36,6 +36,9 @@
lib/lighttpd/mod_expire.a
lib/lighttpd/mod_expire.la
lib/lighttpd/mod_expire.so
+lib/lighttpd/mod_extforward.a
+lib/lighttpd/mod_extforward.la
+lib/lighttpd/mod_extforward.so
lib/lighttpd/mod_fastcgi.a
lib/lighttpd/mod_fastcgi.la
lib/lighttpd/mod_fastcgi.so
@@ -97,4 +100,6 @@
lib/lighttpd/mod_webdav.la
lib/lighttpd/mod_webdav.so
sbin/lighttpd
+sbin/lighttpd-angel
+ at exec touch /var/log/lighttpd.access.log /var/log/lighttpd.error.log; chown www:www /var/log/lighttpd.access.log /var/log/lighttpd.error.log
@dirrm lib/lighttpd
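Review bot: The `@exec` line added just before `@dirrm lib/lighttpd` creates the two log files with `touch`, so their mode comes from the installer's umask (commonly 0644) and the access log ends up readable by every local user; appending `; chmod 640 /var/log/lighttpd.access.log /var/log/lighttpd.error.log` after the `chown` would keep them readable only by the www user and group. There is no matching `@unexec` to remove them, which matches the new pkg-message telling the admin to check /var/log after uninstall, so that is presumably deliberate. The `@` markers are shown as ` at ` in this archive rendering, so the line should be checked against the committed file rather than this listing.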
Index: Makefile
===================================================================
RCS file: /home/cvs/mports/www/lighttpd/Makefile,v
retrieving revision 1.5
retrieving revision 1.6
diff -L www/lighttpd/Makefile -L www/lighttpd/Makefile -u -r1.5 -r1.6
--- www/lighttpd/Makefile
+++ www/lighttpd/Makefile
@@ -8,12 +8,14 @@
PORTNAME= lighttpd
PORTVERSION= 1.4.19
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= http://www.lighttpd.net/download/ \
http://mirrors.cat.pdx.edu/lighttpd/
MAINTAINER= ports at MidnightBSD.org
COMMENT= A secure, fast, compliant, and very flexible Web Server
+LICENSE= bsd3
LIB_DEPENDS= pcre.0:${PORTSDIR}/devel/pcre
@@ -21,7 +23,7 @@
GNU_CONFIGURE= yes
USE_GNOME= lthack
USE_RC_SUBR= lighttpd.sh
-CONFIGURE_ARGS= --libdir=${PREFIX}/lib/lighttpd --mandir=${PREFIX}/man
+CONFIGURE_ARGS= --libdir=${PREFIX}/lib/lighttpd
CONFIGURE_ENV+= CFLAGS="${CFLAGS}"
CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd6.0
@@ -30,11 +32,12 @@
MAN1= lighttpd.1 spawn-fcgi.1
-OPTIONS= OPENSSL "Enable SSL support" on \
- OPENLDAP "Enable LDAP support" off \
- MYSQL "Enable MYSQL support" off \
- IPV6 "Enable IPV6 support" on \
- CML "Enable Cache Meta Language support" off
+OPTIONS= BZIP2 "Enable Bzip2 support" off \
+ CML "Enable Cache Meta Language support" off \
+ IPV6 "Enable IPV6 support" on \
+ MYSQL "Enable MYSQL support" off \
+ OPENSSL "Enable SSL support" on \
+ OPENLDAP "Enable LDAP support" off
.include <bsd.port.pre.mk>
@@ -48,6 +51,10 @@
--with-openssl-libs=${OPENSSLLIB}
.endif
+.if defined(WITH_BZIP2)
+CONFIGURE_ARGS+= --with-bzip2
+.endif
+
.if defined(WITH_OPENLDAP)
USE_OPENLDAP= yes
CONFIGURE_ARGS+= --with-ldap
--- /dev/null
+++ www/lighttpd/files/patch-mod_proxy_ipv6_support
@@ -0,0 +1,57 @@
+#
+# http://trac.lighttpd.net/trac/ticket/1537
+#
+--- src/mod_proxy.c 2007-08-18 03:17:00.000000000 +0500
++++ src/mod_proxy.c 2008-01-27 20:32:05.514825062 +0400
+@@ -356,6 +356,7 @@
+ static int proxy_establish_connection(server *srv, handler_ctx *hctx) {
+ struct sockaddr *proxy_addr;
+ struct sockaddr_in proxy_addr_in;
++ struct sockaddr_in6 proxy_addr_in6;
+ socklen_t servlen;
+
+ plugin_data *p = hctx->plugin_data;
+@@ -364,12 +365,20 @@
+
+ memset(&proxy_addr, 0, sizeof(proxy_addr));
+
+- proxy_addr_in.sin_family = AF_INET;
+- proxy_addr_in.sin_addr.s_addr = inet_addr(host->host->ptr);
+- proxy_addr_in.sin_port = htons(host->port);
+- servlen = sizeof(proxy_addr_in);
++ if (strstr(host->host->ptr,":")) {
++ proxy_addr_in6.sin6_family = AF_INET6;
++ inet_pton(AF_INET6,host->host->ptr,(char *)&proxy_addr_in6.sin6_addr);
++ proxy_addr_in6.sin6_port = htons(host->port);
++ servlen = sizeof(proxy_addr_in6);
++ proxy_addr = (struct sockaddr *) &proxy_addr_in6;
++ } else {
++ proxy_addr_in.sin_family = AF_INET;
++ proxy_addr_in.sin_addr.s_addr = inet_addr(host->host->ptr);
++ proxy_addr_in.sin_port = htons(host->port);
++ servlen = sizeof(proxy_addr_in);
++ proxy_addr = (struct sockaddr *) &proxy_addr_in;
++ }
+
+- proxy_addr = (struct sockaddr *) &proxy_addr_in;
+
+ if (-1 == connect(proxy_fd, proxy_addr, servlen)) {
+ if (errno == EINPROGRESS || errno == EALREADY) {
+@@ -740,9 +749,16 @@
+
+ switch(hctx->state) {
+ case PROXY_STATE_INIT:
+- if (-1 == (hctx->fd = socket(AF_INET, SOCK_STREAM, 0))) {
++ if (strstr(host->host->ptr,":")) {
++ if (-1 == (hctx->fd = socket(AF_INET6, SOCK_STREAM, 0))) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed: ", strerror(errno));
++ return HANDLER_ERROR;
++ }
++ } else {
++ if (-1 == (hctx->fd = socket(AF_INET, SOCK_STREAM, 0))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "socket failed: ", strerror(errno));
+ return HANDLER_ERROR;
++ }
+ }
+ hctx->fde_ndx = -1;
+
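Review bot: The IPv6 branch added in the second inner hunk (src/mod_proxy.c around line 365) never zeroes `proxy_addr_in6` and discards the return value of `inet_pton()`, so `sin6_flowinfo`, `sin6_scope_id` (and `sin6_len` on BSD) carry whatever the stack held and an unparsable host string leaves `sin6_addr` uninitialized before `connect()`. The pre-existing `memset(&proxy_addr, 0, sizeof(proxy_addr))` just above clears the pointer variable, not either sockaddr struct, so it does not help. Suggest `memset(&proxy_addr_in6, 0, sizeof(proxy_addr_in6));` before filling it and `if (1 != inet_pton(AF_INET6, host->host->ptr, &proxy_addr_in6.sin6_addr)) return -1;` (using whichever failure value the connect() error path below returns — that path runs past the hunk), with the same memset treatment for `proxy_addr_in`. The host string appears to come from the configured backend rather than from the request, so this reads as a robustness issue rather than an exposure; proxy_establish_connection's body continues outside the hunk.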
--- /dev/null
+++ www/lighttpd/files/patch-src__network_freebsd_sendfile.c
@@ -0,0 +1,47 @@
+#
+# Respect EAGAIN and retry sendfile() instead close connection.
+# Remove empty lines and add two more cases to switch(errno)
+#
+--- src/network_freebsd_sendfile.c.orig 2007-09-22 19:55:26.000000000 -0300
++++ src/network_freebsd_sendfile.c 2007-09-22 19:43:28.000000000 -0300
+@@ -151,23 +151,23 @@
+ if (-1 == c->file.fd) {
+ if (-1 == (c->file.fd = open(c->file.name->ptr, O_RDONLY))) {
+ log_error_write(srv, __FILE__, __LINE__, "ss", "open failed: ", strerror(errno));
+-
+ return -1;
+ }
+-
+ #ifdef FD_CLOEXEC
+ fcntl(c->file.fd, F_SETFD, FD_CLOEXEC);
+ #endif
+ }
+
+- r = 0;
+-
++eagain:
+ /* FreeBSD sendfile() */
++ r = 0;
+ if (-1 == sendfile(c->file.fd, fd, offset, toSend, NULL, &r, 0)) {
+ switch(errno) {
+ case EAGAIN:
++ case EINTR:
+ break;
+ case ENOTCONN:
++ case ENOTSOCK:
+ return -2;
+ default:
+ log_error_write(srv, __FILE__, __LINE__, "ssd", "sendfile: ", strerror(errno), errno);
+@@ -190,12 +190,10 @@
+ if (offset >= sce->st.st_size) {
+ /* file shrinked, close the connection */
+ errno = oerrno;
+-
+ return -1;
+ }
+
+ errno = oerrno;
+- return -2;
+ }
+
+ c->offset += r;
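Review bot: Removing the `return -2;` in the `r == 0` path (second inner hunk, src/network_freebsd_sendfile.c around line 190) means a zero-byte sendfile() on a file that has not shrunk now falls through to `c->offset += r;` instead of reporting a remote close; unless the caller treats a zero-progress return as "retry later", a peer that closed mid-transfer may keep the connection around until some later error surfaces, which is worth confirming against the caller. The new `eagain:` label has no `goto eagain` anywhere in the visible hunk lines (file lines 174-189 sit between the two inner hunks and are not shown), so either the jump lives there or the label is dead and will draw a compiler warning. The enclosing function starts and ends outside the hunk.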
--- /dev/null
+++ www/lighttpd/files/patch-src__mod_fastcgi.c
@@ -0,0 +1,18 @@
+#
+# http://trac.lighttpd.net/trac/changeset/2143
+#
+Index: /branches/lighttpd-1.4.x/src/mod_fastcgi.c
+===================================================================
+--- src/mod_fastcgi.c (revision 2119)
++++ src/mod_fastcgi.c (revision 2143)
+@@ -2545,5 +2545,8 @@
+
+ if (HANDLER_ERROR != stat_cache_get_entry(srv, con, ds->value, &sce)) {
+- data_string *dcls = data_string_init();
++ data_string *dcls;
++ if (NULL == (dcls = (data_string *)array_get_unused_element(con->response.headers, TYPE_STRING))) {
++ dcls = data_response_init();
++ }
+ /* found */
+ http_chunk_append_file(srv, con, ds->value, 0, sce->st.st_size);
+
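Review bot: The fallback allocation at `dcls = data_response_init();` uses a different constructor than the `data_string_init()` it replaces, and the primary path now reuses an element from `array_get_unused_element(con->response.headers, TYPE_STRING)`; both are presumably correct for a response-header entry, but the lines that assign `dcls->key` and `dcls->value` are outside the hunk, so it is worth confirming that a recycled element has its previous key and value fully reset before it is inserted. A one-line comment such as `/* reuse a freed header slot to avoid leaking a fresh data_string per request; see changeset 2143 */` above the `if` would explain the change to the next reader. The enclosing function starts and ends outside the hunk.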
Index: lighttpd.sh.in
===================================================================
RCS file: /home/cvs/mports/www/lighttpd/files/lighttpd.sh.in,v
retrieving revision 1.1
retrieving revision 1.2
diff -L www/lighttpd/files/lighttpd.sh.in -L www/lighttpd/files/lighttpd.sh.in -u -r1.1 -r1.2
--- www/lighttpd/files/lighttpd.sh.in
+++ www/lighttpd/files/lighttpd.sh.in
@@ -1,5 +1,6 @@
#!/bin/sh
#
+# $MidnightBSD$
# $FreeBSD: ports/www/lighttpd/files/lighttpd.sh.in,v 1.3 2006/02/06 12:19:17 mnag Exp $
#
# PROVIDE: lighttpd
--- /dev/null
+++ www/lighttpd/files/patch-CVE-2008-1531
@@ -0,0 +1,119 @@
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2103)
++++ src/connections.c (revision 2136)
+@@ -200,4 +200,5 @@
+ /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+
++ ERR_clear_error();
+ do {
+ if (!con->ssl_error_want_reuse_buffer) {
+@@ -1670,4 +1671,5 @@
+ if (srv_sock->is_ssl) {
+ int ret;
++ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+ case 1:
+@@ -1675,6 +1677,8 @@
+ break;
+ case 0:
+- SSL_shutdown(con->ssl);
+- break;
++ ERR_clear_error();
++ if ((ret = SSL_shutdown(con->ssl)) == 1) break;
++
++ // fall through
+ default:
+ log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+Index: src/network_openssl.c
+===================================================================
+--- src/network_openssl.c (revision 2084)
++++ src/network_openssl.c (revision 2136)
+@@ -86,4 +86,5 @@
+ */
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ unsigned long err;
+@@ -188,4 +189,5 @@
+ close(ifd);
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ unsigned long err;
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2136)
++++ src/connections.c (revision 2139)
+@@ -1670,5 +1670,6 @@
+ #ifdef USE_OPENSSL
+ if (srv_sock->is_ssl) {
+- int ret;
++ int ret, ssl_r;
++ unsigned long err;
+ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+@@ -1678,14 +1679,40 @@
+ case 0:
+ ERR_clear_error();
+- if ((ret = SSL_shutdown(con->ssl)) == 1) break;
++ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
+
+ // fall through
+ default:
+- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+- SSL_get_error(con->ssl, ret),
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
++
++ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++ case SSL_ERROR_WANT_WRITE:
++ case SSL_ERROR_WANT_READ:
++ break;
++ case SSL_ERROR_SYSCALL:
++ /* perhaps we have error waiting in our error-queue */
++ if (0 != (err = ERR_get_error())) {
++ do {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ } while((err = ERR_get_error()));
++ } else {
++ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++ ssl_r, r, errno,
++ strerror(errno));
++ }
++
++ break;
++ default:
++ while((err = ERR_get_error())) {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ }
++
++ break;
++ }
+ }
+ }
++ ERR_clear_error();
+ #endif
+
+Index: src/connections.c
+===================================================================
+--- src/connections.c (revision 2139)
++++ src/connections.c (revision 2144)
+@@ -1681,5 +1681,5 @@
+ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
+
+- // fall through
++ /* fall through */
+ default:
+
+@@ -1698,5 +1698,5 @@
+ } else {
+ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
+- ssl_r, r, errno,
++ ssl_r, ret, errno,
+ strerror(errno));
+ }
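Review bot: In the `SSL_ERROR_SYSCALL` branch added for src/connections.c (rev 2139 chunk), `errno` is read for `strerror(errno)` only after `SSL_get_error()` and `ERR_get_error()` have run, so the value logged may no longer be the one the failing `SSL_shutdown()` set; saving errno into a local immediately after each `SSL_shutdown()` call and passing that local to `log_error_write` would make the diagnostic reliable. Note also that the three stacked upstream revisions must be applied in order: the rev 2139 chunk logs an undeclared `r` on that same line and only the rev 2144 chunk corrects it to `ret`. The `SSL_ERROR_WANT_READ`/`WANT_WRITE` cases just `break`, so a shutdown that needs another round trip is silently abandoned and the connection is closed as before; a short comment stating that this is intentional would save the next reader a question. The enclosing function starts and ends outside the hunk.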