DoS-vulnerability in lighttpd

Bug #107628 reported by Fridtjof Busse
Affects             Status        Importance  Assigned to  Milestone
lighttpd (Ubuntu)   Fix Released  Medium      Unassigned
Dapper              Fix Released  Undecided   Kees Cook
Edgy                Fix Released  Undecided   Kees Cook
Feisty              Invalid       Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

I know it's universe, but it deserves to be fixed:
http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_01.txt
http://www.lighttpd.net/assets/2007/4/13/lighttpd_sa2007_02.txt
Both problems are fixed in 1.4.14, but since that version contains a regression, 1.4.15 is the best version to go with (or a backport).

Patches are here:
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_crlf_parsing_dos.patch
http://www.lighttpd.net/assets/2007/4/13/lighttpd-1.4.x_zero_mtime_crash.patch

Revision history for this message
Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. If someone can prepare (and test) the fixes and attach debdiffs that follow the [https://wiki.ubuntu.com/SecurityUpdateProcedures], I'd be more than happy to get them uploaded.

Changed in lighttpd:
importance: Undecided → Medium
status: Unconfirmed → Confirmed
Scott Kitterman (kitterman) wrote :

I'll take a stab at it.

Changed in lighttpd:
assignee: nobody → kitterman
status: Confirmed → In Progress
Scott Kitterman (kitterman) wrote :

The relevant patches are already in the Feisty version, so no issue there.

Scott Kitterman (kitterman) wrote :

For the initial reporter, what version of Ubuntu are you running? I'll prepare a package for that one first so you can test it.

Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

Running feisty as of a couple of minutes ago. The changelog on packages.ubuntu.com was outdated, thus I missed the fixed package. But I can test on edgy/dapper nonetheless, I have plenty of virtual machines around.

Scott Kitterman (kitterman) wrote :

OK. I can make i386 binaries or give you a source patch.

Scott Kitterman (kitterman) wrote :

This is going to take a while because the Ubuntu repositories are totally hammered by the Feisty release.

Scott Kitterman (kitterman) wrote :

Debdiff for Edgy for testing.

Scott Kitterman (kitterman) wrote :

Dapper debdiff for testing. Note that only one of the two issues was relevant to this version.

Scott Kitterman (kitterman) wrote :

Dapper-proposed debdiff for testing. Note that only one of the two issues was relevant to this version.

Scott Kitterman (kitterman) wrote :

Here are the source changes for all the supported releases. If you need me to build binaries for you (I can do -i386), let me know. Otherwise, please test these and then let us know how it goes.

Changed in lighttpd:
assignee: kitterman → fbusse
Kees Cook (kees) wrote : Re: [Bug 107628] Re: DoS-vulnerability in lighttpd

On Thu, Apr 19, 2007 at 06:48:33PM -0000, Scott Kitterman wrote:
> Debdiff for Edgy for testing.

Hi Scott,

Thanks very much for getting the patches extracted. The lighttpd
package, however, uses the "dpatch" patch system. Instead of applying
the fixes inline, please use "dpatch-edit-patch". For more details on
patching packages with different patch mechanisms, see pitti's excellent
write up:
https://wiki.ubuntu.com/MOTU/School/PatchingSources

--
Kees Cook

Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

Works and builds fine on dapper i386 (patch applied by hand).

Scott Kitterman (kitterman) wrote :

Updated patch for Edgy using the patch system. Pbuilt and verified in the pbuilder log that the patches were applied. I can provide i386 binaries for testing if requested.

Changed in lighttpd:
assignee: fbusse → kitterman
Scott Kitterman (kitterman) wrote :

Dapper fix with dpatch. Version number is due to the .1 already in dapper proposed.

Scott Kitterman (kitterman) wrote :

Dapper-proposed fix with dpatch attached.

Scott Kitterman (kitterman) wrote :

Also subscribing MOTU SRU because the fix impacts dapper-proposed.

Changed in lighttpd:
assignee: kitterman → nobody
status: In Progress → Confirmed
Kees Cook (kees) wrote :

Show state in Feisty (fixed already), Edgy, and Dapper. Also linking to CVE.

Changed in lighttpd:
status: Unconfirmed → Rejected
assignee: nobody → keescook
status: Unconfirmed → Fix Committed
assignee: nobody → keescook
status: Unconfirmed → Fix Committed
Daniel T Chen (crimsun) wrote :

+1 for new dapper-proposed.

William Grant (wgrant) wrote : Security fix uploaded to dapper-proposed

I've uploaded the security fix for 1.4.11-3ubuntu3.1 to dapper-proposed.

Martin Pitt (pitti) wrote :

Updated packages released to -security. Thank you!

Changed in lighttpd:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Package released to dapper-security. Thank you!

Changed in lighttpd:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Just for the record, I rejected the dapper-proposed upload because the fix is already in -security.

Scott Kitterman (kitterman) wrote : Re: [Bug 107628] Re: DoS-vulnerability in lighttpd

Then that leaves us with a higher version numbered package in
dapper-proposed that is unpatched. If that SRU ever gets released we'll
re-introduce the vulnerability.

Martin Pitt (pitti) wrote :

Scott, I don't understand -- If the -proposed package has the same vulnerability fix, then it doesn't matter. If it fixes something different, then it should not be treated in this bug report.

Daniel T Chen (crimsun) wrote :

Martin, Scott's debdiff for a new dapper-proposed source upload contains the fix in the dapper-security upload. The current dapper-proposed source does /not/ contain this fix.

Scott Kitterman (kitterman) wrote :

The problem is that when this was reported, there was an update for Dapper sitting in dapper-proposed:

https://launchpad.net/ubuntu/dapper/+source/lighttpd

That update:

https://launchpad.net/ubuntu/dapper/+source/lighttpd/1.4.11-3ubuntu3.1

has been sitting in dapper-proposed since last November and lacks the fix for this issue. So the existing -proposed package has the vulnerability. The upload you rejected was meant to replace it by fixing the vulnerability.

As it stands right now, should 1.4.11-3ubuntu3.1 ever finish SRU testing and be released, it would re-introduce this vulnerability. The intent of the 1.4.11-3ubuntu3.2 upload was to ensure (in advance) that this would not happen.

Sorry I wasn't clear before (hope I am now).

Martin Pitt (pitti) wrote :

Hi Scott,

Scott Kitterman [2007-05-03 11:52 -0000]:
> That update:
>
> https://launchpad.net/ubuntu/dapper/+source/lighttpd/1.4.11-3ubuntu3.1
>
> has been sitting in dapper-proposed since last November and lacks the
> fix for this issue. So the existing -proposed package has the
> vulnerability. The upload you rejected was meant to replace it by
> fixing the vulnerability.

Ah, I'm terribly sorry. Can you please upload it again then?

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

Scott Kitterman (kitterman) wrote :

I've attached the dapper-proposed debdiff with the maintainer change removed to be uploaded again.

Changed in lighttpd:
status: Confirmed → Fix Released
Changed in lighttpd:
status: Fix Released → Confirmed
Scott Kitterman (kitterman) wrote :

This time with the mention of the maintainer change removed from the changelog....

Scott Kitterman (kitterman) wrote :

dapper-proposed update uploaded.

Changed in lighttpd:
status: Confirmed → Fix Released