diff -u lighttpd-1.4.19/debian/patches/00list lighttpd-1.4.19/debian/patches/00list
--- lighttpd-1.4.19/debian/patches/00list
+++ lighttpd-1.4.19/debian/patches/00list
@@ -2,0 +3,2 @@
+93_CVE-2008-4298.dpatch
+95_CVE-2008-4360.dpatch
diff -u lighttpd-1.4.19/debian/changelog lighttpd-1.4.19/debian/changelog
--- lighttpd-1.4.19/debian/changelog
+++ lighttpd-1.4.19/debian/changelog
@@ -1,3 +1,16 @@
+lighttpd (1.4.19-0ubuntu4) hardy-security; urgency=low
+
+ * SECURITY UPDATE: (LP: #279490)
+ + debian/patches/93_CVE-2008-4298.dpatch
+ - Fix memory leak in request header handling
+ + debian/patches/95_CVE-2008-4360.dpatch
+ - Fix mod_userdir information disclosure
+ * References
+ + https://bugs.launchpad.net/bugs/cve/2008-4298
+ + https://bugs.launchpad.net/bugs/cve/2008-4360
+
+ -- Marcin GibuĊ‚a Wed, 04 Mar 2009 13:42:05 +0100
+
 lighttpd (1.4.19-0ubuntu3) hardy; urgency=low
 
 * SECURITY UPDATE: (LP: #209627)
only in patch2:
unchanged:
--- lighttpd-1.4.19.orig/debian/patches/93_CVE-2008-4298.dpatch
+++ lighttpd-1.4.19/debian/patches/93_CVE-2008-4298.dpatch
@@ -0,0 +1,58 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 93_CVE-2008-4298.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4298 security fix
+
+@DPATCH@
+
+--- lighttpd-1.4.19-orig/src/request.c.orig
++++ lighttpd-1.4.19-patched/src/request.c
+@@ -825,6 +825,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+
+@@ -874,6 +875,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Expect")))) {
+@@ -911,6 +913,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-Modified-Since")))) {
+@@ -936,6 +939,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("If-None-Match")))) {
+@@ -953,6 +957,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ } else if (cmp > 0 && 0 == (cmp = buffer_caseless_compare(CONST_BUF_LEN(ds->key), CONST_STR_LEN("Range")))) {
+@@ -976,6 +981,7 @@
+ "request-header:\n",
+ con->request.request);
+ }
++ array_insert_unique(con->request.headers, (data_unset *)ds);
+ return 0;
+ }
+ }
only in patch2:
unchanged:
--- lighttpd-1.4.19.orig/debian/patches/94_CVE-2008-4359.dpatch
+++ lighttpd-1.4.19/debian/patches/94_CVE-2008-4359.dpatch
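Review bot: In 93_CVE-2008-4298.dpatch the same `array_insert_unique(con->request.headers, (data_unset *)ds);` line is pasted into six separate error returns of src/request.c, with no comment saying that it exists to hand `ds` to the header array so the rejected header is released together with the request. I would put `/* give ds to request.headers so it is freed on this error path (CVE-2008-4298) */` above each insertion, or route these branches through one shared exit so that a later duplicate-header check cannot forget the call. The enclosing function starts and ends outside these hunks, so any other early `return` taken while `ds` is presumably still unowned should be checked for the same gap; that cannot be confirmed from the lines shown.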
@@ -0,0 +1,130 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 94_CVE-2008-4359.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4359 security fix
+
+@DPATCH@
+
+--- lighttpd-1.4.19-orig/src/mod_rewrite.c.orig
++++ lighttpd-1.4.19-patched/src/mod_rewrite.c
+@@ -350,7 +350,11 @@
+
+ if (!p->conf.rewrite) return HANDLER_GO_ON;
+
+- buffer_copy_string_buffer(p->match_buf, con->request.uri);
++ buffer_copy_string_buffer(p->match_buf, con->uri.path);
++ if (con->uri.query->used > 0) {
++ buffer_append_string_len(p->match_buf, CONST_STR_LEN("?"));
++ buffer_append_string_buffer(p->match_buf, con->uri.query);
++ }
+
+ for (i = 0; i < p->conf.rewrite->used; i++) {
+ pcre *match;
+--- lighttpd-1.4.19-orig/src/response.c.orig
++++ lighttpd-1.4.19-patched/src/response.c
+@@ -224,27 +224,6 @@
+ }
+
+
+- /**
+- *
+- * call plugins
+- *
+- * - based on the raw URL
+- *
+- */
+-
+- switch(r = plugins_call_handle_uri_raw(srv, con)) {
+- case HANDLER_GO_ON:
+- break;
+- case HANDLER_FINISHED:
+- case HANDLER_COMEBACK:
+- case HANDLER_WAIT_FOR_EVENT:
+- case HANDLER_ERROR:
+- return r;
+- default:
+- log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r);
+- break;
+- }
+-
+ /* build filename
+ *
+ * - decode url-encodings (e.g. %20 -> ' ')
+@@ -252,7 +231,6 @@
+ */
+
+
+-
+ if (con->request.http_method == HTTP_METHOD_OPTIONS &&
+ con->uri.path_raw->ptr[0] == '*' && con->uri.path_raw->ptr[1] == '\0') {
+ /* OPTIONS * ... 
*/ +@@ -268,6 +246,28 @@ + log_error_write(srv, __FILE__, __LINE__, "sb", "URI-path : ", con->uri.path); + } + ++ ++ /** ++ * ++ * call plugins ++ * ++ * - based on the raw URL ++ * ++ */ ++ ++ switch(r = plugins_call_handle_uri_raw(srv, con)) { ++ case HANDLER_GO_ON: ++ break; ++ case HANDLER_FINISHED: ++ case HANDLER_COMEBACK: ++ case HANDLER_WAIT_FOR_EVENT: ++ case HANDLER_ERROR: ++ return r; ++ default: ++ log_error_write(srv, __FILE__, __LINE__, "sd", "handle_uri_raw: unknown return value", r); ++ break; ++ } ++ + /** + * + * call plugins +--- lighttpd-1.4.19-orig/tests/mod-rewrite.t.orig ++++ lighttpd-1.4.19-patched/tests/mod-rewrite.t +@@ -8,7 +8,7 @@ + + use strict; + use IO::Socket; +-use Test::More tests => 5; ++use Test::More tests => 4; + use LightyTest; + + my $tf = LightyTest->new(); +@@ -44,5 +44,13 @@ + $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'bar&a=b' } ]; + ok($tf->handle_http($t) == 0, 'valid request'); + ++ $t->{REQUEST} = ( <{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'a=b' } ]; ++ ok($tf->handle_http($t) == 0, 'valid request with url encoded characters'); ++ + ok($tf->stop_proc == 0, "Stopping lighttpd"); + } +--- lighttpd-1.4.19-orig/src/mod_redirect.c.orig ++++ lighttpd-1.4.19-patched/src/mod_redirect.c +@@ -178,7 +178,11 @@ + + mod_redirect_patch_connection(srv, con, p); + +- buffer_copy_string_buffer(p->match_buf, con->request.uri); ++ buffer_copy_string_buffer(p->match_buf, con->uri.path); ++ if (con->uri.query->used > 0) { ++ buffer_append_string_len(p->match_buf, CONST_STR_LEN("?")); ++ buffer_append_string_buffer(p->match_buf, con->uri.query); ++ } + + for (i = 0; i < p->conf.redirect->used; i++) { + pcre *match; only in patch2: unchanged: --- lighttpd-1.4.19.orig/debian/patches/95_CVE-2008-4360.dpatch +++ lighttpd-1.4.19/debian/patches/95_CVE-2008-4360.dpatch 
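Review bot: The comment block moved in the src/response.c section still reads `- based on the raw URL`, yet after this change `plugins_call_handle_uri_raw()` runs below the URI-path logging, and mod_rewrite and mod_redirect now match on `con->uri.path` plus `?` and `con->uri.query` instead of `con->request.uri`; I would reword that line to `* - called after url-decoding; rewrite/redirect match on uri.path (+ "?" + uri.query)`. Rewrite and redirect patterns that were written against percent-encoded request URIs will presumably stop matching, so deployed rules, especially ones relied on to restrict access, need a review alongside this update. The 00list and changelog hunks on this page add only the 93 and 95 patches, so it is worth confirming that 94_CVE-2008-4359.dpatch is listed elsewhere, otherwise dpatch will not apply it at build time. In tests/mod-rewrite.t the plan drops from `tests => 5` to `tests => 4` while an `ok(...)` is added, which looks inconsistent, though the rest of that test file is not visible here.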
@@ -0,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 95_CVE-2008-4360.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: CVE-2008-4360 security fix
+
+@DPATCH@
+
+--- lighttpd-1.4.19-orig/src/mod_userdir.c.orig
++++ lighttpd-1.4.19-patched/src/mod_userdir.c
+@@ -262,6 +262,9 @@
+ return HANDLER_GO_ON;
+ }
+ }
++ if (con->conf.force_lowercase_filenames) {
++ buffer_to_lower(p->username);
++ }
+
+ buffer_copy_string_buffer(p->temp_path, p->conf.basepath);
+ BUFFER_APPEND_SLASH(p->temp_path);
+@@ -284,8 +287,24 @@
+ }
+ }
+
++ /* the physical rel_path is basically the same as uri.path;
++ * but it is converted to lowercase in case of force_lowercase_filenames and some special handling
++ * for trailing '.', ' ' and '/' on windows
++ * we assume that no docroot/physical handler changed this
++ * (docroot should only set the docroot/server name, phyiscal should only change the phyiscal.path;
++ * the exception mod_secure_download doesn't work with userdir anyway)
++ */
+ BUFFER_APPEND_SLASH(p->temp_path);
+- buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++ /* if no second '/' is found, we assume that it was stripped from the uri.path for the special handling
++ * on windows.
++ * we do not care about the trailing slash here on windows, as we already ensured it is a directory
++ *
++ * TODO: what to do with trailing dots in usernames on windows? they may result in the same directory
++ * as a username without them.
++ */
++ if (NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {
++ buffer_append_string(p->temp_path, rel_url + 1); /* skip the / */
++ }
+ buffer_copy_string_buffer(con->physical.path, p->temp_path);
+
+ buffer_reset(p->temp_path);
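Review bot: The new `strchr(con->physical.rel_path->ptr + 2, '/')` in src/mod_userdir.c skips two bytes of `physical.rel_path` without any visible length check, relying only on the comment's assumption that no docroot or physical handler changed that buffer. If an earlier check in this function (outside the hunk) covers only `uri.path`, a shorter `rel_path` would make the search start past the terminator; a cheap guard is `if (con->physical.rel_path->used > 2 && NULL != (rel_url = strchr(con->physical.rel_path->ptr + 2, '/'))) {`. The TODO about trailing dots in usernames on Windows leaves an aliasing case open in a fix for an information disclosure, so it should be tracked rather than left only as a comment. The added comment also misspells "physical" twice as `phyiscal`.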