diff -u lighttpd-1.4.18/debian/changelog lighttpd-1.4.18/debian/changelog --- lighttpd-1.4.18/debian/changelog +++ lighttpd-1.4.18/debian/changelog @@ -1,3 +1,17 @@ +lighttpd (1.4.18-1ubuntu1.3) gutsy-security; urgency=low + + * SECURITY UPDATE: (LP: #200987) + + debian/patches/91_CVE-2008-1270.dpatch + - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, + uses a default of $HOME, which might allow remote attackers to read arbitrary + files, as demonstrated by accessing the ~nobody directory. + * References + + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270 + + http://trac.lighttpd.net/trac/ticket/1587 + + http://trac.lighttpd.net/trac/changeset/2120 + + -- Emanuele Gentili Tue, 11 Mar 2008 14:37:58 +0100 + lighttpd (1.4.18-1ubuntu1.2) gutsy-security; urgency=low * SECURITY UPDATE: diff -u lighttpd-1.4.18/debian/patches/00list lighttpd-1.4.18/debian/patches/00list --- lighttpd-1.4.18/debian/patches/00list +++ lighttpd-1.4.18/debian/patches/00list @@ -5,0 +6 @@ +91_CVE-2008-1270.dpatch only in patch2: unchanged: --- lighttpd-1.4.18.orig/debian/patches/91_CVE-2008-1270.dpatch +++ lighttpd-1.4.18/debian/patches/91_CVE-2008-1270.dpatch @@ -0,0 +1,22 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 91_CVE-2008-1270.dpatch by Emanuele Gentili +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad lighttpd-1.4.18~/src/mod_userdir.c lighttpd-1.4.18/src/mod_userdir.c +--- lighttpd-1.4.18~/src/mod_userdir.c 2006-10-04 15:26:23.000000000 +0200 ++++ lighttpd-1.4.18/src/mod_userdir.c 2008-03-11 14:37:07.000000000 +0100 +@@ -170,6 +170,11 @@ + + mod_userdir_patch_connection(srv, con, p); + ++ /* enforce the userdir.path to be set in the config, ugly fix for #1587; ++ * should be replaced with a clean .enabled option in 1.5 ++ */ ++ if (p->conf.path->used == 0) return HANDLER_GO_ON; ++ + uri_len = con->uri.path->used - 1; + + /* /~user/foo.html -> /home/user/public_html/foo.html */