[Debian] CVE: CVE-2022-37797: lighttpd : null pointer dereference

Bug #1997327 reported by Yue Tao
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Fix Released | Medium | Zhixiong Chi |

Bug Description

CVE-2022-37797: https://nvd.nist.gov/vuln/detail/CVE-2022-37797
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to a null pointer dereference which crashes the server. It could be used by an external attacker to cause a denial of service condition.

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-37797  fixed   7.5         N   L   N   N   H

References:
https://security-tracker.debian.org/tracker/CVE-2022-37797

Found during November 2022 CVE scan using vulscan
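
The failure mode in the description above, reduced to a minimal C model. This is an added illustration, not lighttpd or mod_wstunnel source and not the Debian patch; every name (`tunnel_ctx`, `on_data`, `setup_flawed`, `setup_hardened`, `dispatch`) and the accepted version value are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model; names are not lighttpd's. */
typedef int (*frame_handler)(const char *data, size_t len);

struct tunnel_ctx {
    frame_handler on_data;  /* called later by the connection state machine */
    int version;
};

static int count_bytes(const char *data, size_t len) { (void)data; return (int)len; }

/* The sketch accepts a single constructed protocol version. */
static int parse_version(const char *hdr) {
    return (hdr != NULL && strcmp(hdr, "13") == 0) ? 13 : -1;
}

/* Flawed order: the early return on a bad handshake skips the assignment. */
int setup_flawed(struct tunnel_ctx *c, const char *version_hdr) {
    *c = (struct tunnel_ctx){0};
    c->version = parse_version(version_hdr);
    if (c->version < 0) return -1;       /* on_data is still NULL here */
    c->on_data = count_bytes;
    return 0;
}

/* Hardened order: install the handler before any check that can fail. */
int setup_hardened(struct tunnel_ctx *c, const char *version_hdr) {
    *c = (struct tunnel_ctx){0};
    c->on_data = count_bytes;
    c->version = parse_version(version_hdr);
    return c->version < 0 ? -1 : 0;
}

/* Defence in depth at the call site: never call through a NULL pointer. */
int dispatch(const struct tunnel_ctx *c, const char *data, size_t len) {
    if (c->on_data == NULL) return -1;   /* fail the request, keep the server up */
    return c->on_data(data, len);
}

int main(void) {
    struct tunnel_ctx c;
    setup_flawed(&c, "bogus");           /* constructed invalid value */
    printf("flawed:   handler %s\n", c.on_data ? "set" : "NULL");
    setup_hardened(&c, "bogus");
    printf("hardened: handler %s\n", c.on_data ? "set" : "NULL");
    return 0;
}
```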

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: New → Triaged
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to integ (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/integ/+/865430

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (master)

Reviewed: https://review.opendev.org/c/starlingx/integ/+/865430
Committed: https://opendev.org/starlingx/integ/commit/cf4c478e66f90a74cfae913a0c80c3a8af3d1b31
Submitter: "Zuul (22348)"
Branch: master

commit cf4c478e66f90a74cfae913a0c80c3a8af3d1b31
Author: Zhixiong Chi <email address hidden>
Date: Tue Nov 22 23:14:53 2022 -0800

    Debian: lighttpd: fix CVE-2022-37797

    Backport the source patch from the upstream
    https://salsa.debian.org/debian/lighttpd/-/blob/buster-security/debian/patches/CVE-2022-37797.patch

    Refer to:
    https://security-tracker.debian.org/tracker/DLA-3133-1

    Test Plan:
    Pass: build-pkgs -c -p lighttpd
    Pass: build-pkgs -a
    Pass: build-image
    Pass: Debian AIO jenkins installation
    Pass: Successfully host-unlock
    Pass: Execute the steps from https://redmine.lighttpd.net/issues/3165
          without the Segmentation fault.

    Closes-Bug: 1997327

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: Idbcd0937524278f304eb09956e2def71951c4ff4

Changed in starlingx:
status: In Progress → Fix Released