lighttpd CVE-2022-22707

Bug #1994989 reported by Malte S. Stretz
Affects: lighttpd (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

While debugging an odd and probably extforward-related logging issue on one of my machines I stumbled upon CVE-2022-22707, which affects the lighttpd version in jammy (and focal; bionic is fine). It is untriaged according to https://ubuntu.com/security/CVE-2022-22707

Since the version in kinetic is fixed it should probably just be backported to jammy.

There is also a simple patch attached to https://redmine.lighttpd.net/issues/3134 which I attached here.

CVE References: CVE-2022-22707

Revision history for this message
Malte S. Stretz (mss) wrote:
information type: Private Security → Public Security
description: updated
Revision history for this message
Eduardo Barretto (ebarretto) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better.
I've taken the time to triage some lighttpd CVEs and that should soon be reflected in the CVE web page.
I've downgraded the priority for that CVE specifically as it is 32-bit specific and hard to exploit according to upstream.

Since the package referred to in this bug is in universe, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in lighttpd (Ubuntu):
status: New → Confirmed
Revision history for this message
Malte S. Stretz (mss) wrote (last edit):

Thanks for getting back to this report. I actually read that page but didn't completely understand how exactly the procedure works for universe.

Would a debdiff to this issue be the proper way forward? I think I can do that.

What would be the preferred way:
* Bumping the version in jammy to kinetic?
* Add the attached patch to the quilt patchset?

I'd personally prefer the former but am not sure about the policy and that sounds more like something for backports than for security.

Revision history for this message
Eduardo Barretto (ebarretto) wrote:

We (security team) prefer to patch the vulnerability instead of bumping versions, as this brings not only security fixes but also bug fixes, new features and probably new dependencies that could eventually cause API/ABI issues for users. So for the sake of stability we prefer to patch the vulnerability.

After you apply the patch, build it and test it, you can send us the generated debdiff.

I do notice that the patch you attached is a bit different from the one upstream actually applied; you might want to use upstream's in this case, just to keep consistency.
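
The procedure discussed in this thread (add the upstream fix to the quilt patch series rather than bumping to the kinetic version, bump the package version, build, generate a debdiff), as an added shell example that is not part of the bug report and not Ubuntu's or lighttpd's own tooling. It assumes the jammy package version is 1.4.63-1ubuntu3 and that the upstream commit linked in this thread has been saved locally as CVE-2022-22707.patch; the version-bump helper follows the SecurityTeam/UpdateProcedures naming scheme for stable security updates, which the page links to but does not spell out.

```sh
#!/bin/sh
# Added example: debdiff workflow for a stable-release security fix, as
# described in the thread. Not lighttpd or Ubuntu tooling. The jammy version
# 1.4.63-1ubuntu3 and the patch filename are assumptions, not from the page.
set -eu

# next_security_version VERSION
# Derives the next version for a stable-release security update, following
# the SecurityTeam/UpdateProcedures scheme:
#   1.4.63-1ubuntu3          -> 1.4.63-1ubuntu3.1      (first update of an Ubuntu-modified package)
#   1.4.63-1ubuntu3.1        -> 1.4.63-1ubuntu3.2      (later update)
#   1.4.63-1ubuntu0.22.04.1  -> 1.4.63-1ubuntu0.22.04.2
#   1.4.63-1                 -> 1.4.63-1ubuntu0.1      (package was identical to Debian's)
next_security_version() {
    v=$1
    case $v in
        *ubuntu*.*)   # already carries a stable-update component: bump the last one
            printf '%s.%s\n' "${v%.*}" "$(( ${v##*.} + 1 ))" ;;
        *ubuntu*)     # ubuntuN with no stable-update component yet
            printf '%s.1\n' "$v" ;;
        *)            # pure Debian version: first Ubuntu change in a stable release
            printf '%subuntu0.1\n' "$v" ;;
    esac
}

# build_debdiff RELEASE PATCHFILE
# Run inside a chroot/container of RELEASE with deb-src enabled and
# devscripts, quilt and lighttpd's build-deps installed (needs network, so
# it is not run here). PATCHFILE is the upstream commit saved with
# `curl -o CVE-2022-22707.patch <commit-url>.patch`; its git mail header is
# accepted by quilt and dpkg-source, so only DEP-3 metadata is prepended.
build_debdiff() {
    release=$1
    patchfile=$2
    apt-get source lighttpd            # fetches lighttpd_<old>.dsc plus orig and debian tarballs
    cd lighttpd-*/
    old=$(dpkg-parsechangelog -S Version)
    new=$(next_security_version "$old")

    # Add the fix to the quilt series with DEP-3 headers for traceability.
    {
        printf 'Description: fix for CVE-2022-22707 (backport of upstream commit)\n'
        printf 'Origin: upstream, https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664\n'
        printf 'Bug: https://redmine.lighttpd.net/issues/3134\n'
        printf 'Bug-Ubuntu: https://bugs.launchpad.net/bugs/1994989\n\n'
        cat "$patchfile"
    } > debian/patches/CVE-2022-22707.patch
    echo CVE-2022-22707.patch >> debian/patches/series
    QUILT_PATCHES=debian/patches quilt push -a   # confirm it applies cleanly on this version
    QUILT_PATCHES=debian/patches quilt pop -a    # leave the tree unpatched for dpkg-source

    # Changelog entry: security-update version, <release>-security distribution.
    # dch takes the author line from DEBFULLNAME/DEBEMAIL.
    dch -v "$new" -D "${release}-security" --force-distribution \
        "SECURITY UPDATE: CVE-2022-22707 (LP: #1994989)"
    debuild -S -uc -us                 # source-only build, unsigned in a script
    # debdiff exits 1 when the two sources differ, which is the expected case here
    debdiff "../lighttpd_${old}.dsc" "../lighttpd_${new}.dsc" > "../lighttpd_${new}.debdiff" || true
    echo "debdiff written to ../lighttpd_${new}.debdiff"
}

# Stand-alone demonstration of the version derivation for the assumed jammy version.
printf 'jammy: %s -> %s\n' 1.4.63-1ubuntu3 "$(next_security_version 1.4.63-1ubuntu3)"
# Inside a jammy chroot: build_debdiff jammy "$PWD/CVE-2022-22707.patch"
```

The resulting .debdiff is what the security team reviews; the .dsc comparison only works because the orig tarball is unchanged, which is exactly the reason the thread prefers a quilt patch over importing the kinetic version.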

Revision history for this message
Malte S. Stretz (mss) wrote:

I pulled the patch from the Redmine ticket but it is possible that it was outdated, I'll test with the actual change https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664.patch
