Update karmic package to >=1.4.26 or apply patch

Bug #554927 reported by Jesper Staun Hansen
This bug affects 2 people
Affects             Status        Importance  Assigned to  Milestone
lighttpd (Ubuntu)   Fix Released  Undecided   Unassigned
Karmic              Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: lighttpd

Lighttpd 1.4.26 fixes a DoS bug.
From SA:

 slow request dos/oom attack
=============================

 Description
-------------

If you send the request data very slowly (e.g. sleep 0.01 after each byte),
lighttpd will easily use all available memory and die (especially for parallel
requests), allowing a DoS within minutes.

The problem is that it doesn't append to the previous buffer but allocates a new
buffer for each read; this means that for every received block (which could be
only one byte) lighttpd may use either 4k or 16k.

In lighttpd 1.4.x this problem is not too bad, as the allocated buffer is just
as big as the content available to be read (if the system supports FIONREAD);
but even with ssl (or if the system doesn't support FIONREAD), lighttpd 1.4.x
will allocate 4k or 16k buffers for each read.

Lighttpd 1.5 (our old development branch) always allocates 16k buffers for a
read.

Our solution is to append to the previous buffer if it is still in the raw-in
queue (while waiting for a request header), and to pack the buffers if they
get moved to the next queue (for the request body).

In order to append to the previous buffer in lighttpd 1.4.x we ignored a
SSL_read requirement: we don't pass the same buffer in the next call after
SSL_ERROR_WANT_*; there is no good reason for this, and it has worked in 1.5
for a long time now.

Please note that lighttpd 1.x always trusts the backend: it will always try to
read from the backend (cgi,fastcgi,scgi,proxy,...) as fast as possible, so
backends sending large files will lead to high memory usage in lighttpd.

http://redmine.lighttpd.net/issues/2147

Thanks to Li Ming who reported the issue.

 Affected versions
-------------------

all versions before 1.4.26 / svn revision 2710

 Fixed in
----------

1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710
1.5: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711

 Solutions or Workaround
-------------------------

There is no workaround.
Apply lighttpd-1.4.x_fix_slow_request_dos.patch
or lighttpd-1.5_fix_slow_request_dos.patch

This bug is tracked as CVE-2010-0295.

Tags: patch
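To make the allocation behaviour the advisory describes concrete, here is an added C example (not lighttpd's code, and not from the bug report or the advisory) that models the raw-in queue as a linked list of heap buffers and compares the pre-1.4.26 policy, a fresh buffer for every read, with the r2710 policy of appending to the tail buffer while it still has room. The 4096 and 16384 byte read sizes are the figures quoted above; the struct and function names, and the one-byte-per-read client, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One buffer in the raw-in queue (hypothetical model, not lighttpd's chunkqueue). */
typedef struct chunk {
    char *mem;
    size_t size;            /* bytes allocated for mem */
    size_t used;            /* bytes of request data stored in mem */
    struct chunk *next;
} chunk;

typedef struct {
    chunk *first, *last;
    size_t nchunks;         /* buffers allocated so far */
    size_t allocated;       /* total bytes allocated so far */
} rawq;

/* Append a new, empty buffer of `size` bytes to the queue. */
static chunk *rawq_push(rawq *q, size_t size) {
    chunk *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->mem = malloc(size);
    if (!c->mem) abort();
    c->size = size;
    if (q->last) q->last->next = c; else q->first = c;
    q->last = c;
    q->nchunks++;
    q->allocated += size;
    return c;
}

static void rawq_free(rawq *q) {
    chunk *c = q->first;
    while (c) { chunk *n = c->next; free(c->mem); free(c); c = n; }
    q->first = q->last = NULL;
}

/*
 * Deliver one block of bytes read from the socket into the queue.
 * append_to_tail == 0: pre-1.4.26 behaviour, a new buffer of read_buf bytes
 *                      for every read, however few bytes actually arrived.
 * append_to_tail != 0: r2710 behaviour, reuse the tail buffer while it has
 *                      room and allocate only when it is full.
 * A block larger than read_buf always gets a buffer big enough to hold it.
 */
static void rawq_read(rawq *q, const char *data, size_t len,
                      size_t read_buf, int append_to_tail) {
    chunk *c = append_to_tail ? q->last : NULL;
    if (!c || c->size - c->used < len)
        c = rawq_push(q, len > read_buf ? len : read_buf);
    memcpy(c->mem + c->used, data, len);
    c->used += len;
}

/*
 * Simulate a slow client that delivers `nreads` reads of `per_read` bytes
 * each and return the bytes the queue holds afterwards. If nchunks is not
 * NULL it receives the number of buffers allocated. read_buf is the fixed
 * read size (4096 or 16384 in the advisory, used with SSL or without FIONREAD).
 */
size_t slow_request_memory(size_t nreads, size_t per_read, size_t read_buf,
                           int append_to_tail, size_t *nchunks) {
    rawq q = {0};
    char *buf = malloc(per_read);       /* constructed request bytes */
    if (!buf) abort();
    memset(buf, 'X', per_read);
    for (size_t i = 0; i < nreads; i++)
        rawq_read(&q, buf, per_read, read_buf, append_to_tail);
    size_t total = q.allocated;
    if (nchunks) *nchunks = q.nchunks;
    rawq_free(&q);
    free(buf);
    return total;
}

int main(void) {
    const size_t nreads = 1000;     /* a 1000-byte header sent one byte at a time */
    size_t chunks;
    size_t before = slow_request_memory(nreads, 1, 16384, 0, &chunks);
    printf("pre-fix : %zu bytes in %zu buffers\n", before, chunks);
    size_t after = slow_request_memory(nreads, 1, 16384, 1, &chunks);
    printf("post-fix: %zu bytes in %zu buffers\n", after, chunks);
    return 0;
}
```

With 16k reads, a 1000-byte header delivered one byte at a time costs 1000 buffers (about 16 MB) before the fix and a single 16k buffer after it; multiply by the number of parallel slow connections to see why the advisory says memory runs out within minutes. Passing read_buf equal to per_read models the FIONREAD case, where each buffer is only as large as the bytes available: the byte count stays small, but there is still one heap allocation per read.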

Lorenzo De Liso (blackz)
tags: added: patch
security vulnerability: no → yes
Andrew Starr-Bochicchio (andrewsomething) wrote :

Marking Fix Released as this is fixed in Lucid, but opening a Karmic task if someone wants to pursue a security update.

Changed in lighttpd (Ubuntu):
status: New → Fix Released
Changed in lighttpd (Ubuntu Karmic):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in lighttpd (Ubuntu Karmic):
status: Triaged → Won't Fix