[OE-core] [denzil 17/18] lighttpd: CVE-2012-5533
Mark Hatle
mark.hatle at windriver.com
Thu Feb 7 23:56:44 UTC 2013
From: Li Wang <li.wang at windriver.com>
[ CQID: WIND00392071 ]
fix DoS in Connection header value split.
http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
Signed-off-by: Li Wang <li.wang at windriver.com>
Signed-off-by: Robert Yang <liezhi.yang at windriver.com>
Signed-off-by: Mark Hatle <mark.hatle at windriver.com>
---
.../lighttpd/files/lighttpd-CVE-2012-5533.patch | 120 +++++++++++++++++++++
meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb | 3 +-
2 files changed, 122 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
diff --git a/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
new file mode 100644
index 0000000..a9a35a6
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
@@ -0,0 +1,120 @@
+lighttpd: CVE-2012-5533
+
+fix DoS in Connection header value split.
+http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt
+http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch
+
+Signed-off-by: Li Wang <li.wang at windriver.com>
+---
+ src/request.c | 75 +++++++++++++++++++++++++++++----------------------------
+ 1 files changed, 38 insertions(+), 37 deletions(-)
+
+diff --git a/src/request.c b/src/request.c
+index e76a98f..46d636c 100644
+--- a/src/request.c
++++ b/src/request.c
+@@ -209,9 +209,11 @@ static int request_check_hostname(server *srv, connection *con, buffer *host) {
+ #endif
+
+ static int http_request_split_value(array *vals, buffer *b) {
+- char *s;
+ size_t i;
+ int state = 0;
++
++ const char *current;
++ const char *token_start = NULL, *token_end = NULL;
+ /*
+ * parse
+ *
+@@ -222,53 +224,52 @@ static int http_request_split_value(array *vals, buffer *b) {
+
+ if (b->used == 0) return 0;
+
+- s = b->ptr;
+-
+- for (i =0; i < b->used - 1; ) {
+- char *start = NULL, *end = NULL;
++ current = b->ptr;
++ for (i = 0; i < b->used; ++i, ++current) {
+ data_string *ds;
+
+ switch (state) {
+- case 0: /* ws */
+-
+- /* skip ws */
+- for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++);
+-
+-
+- state = 1;
+- break;
+- case 1: /* value */
+- start = s;
+-
+- for (; *s != ',' && i < b->used - 1; i++, s++);
+- if (start == s) break; /* empty fields are skipped */
+- end = s - 1;
+-
+- for (; end > start && (*end == ' ' || *end == '\t'); end--);
+- if (start == end) break; /* empty fields are skipped */
+-
+- if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
+- ds = data_string_init();
++ case 0: /* find start of a token */
++ switch (*current) {
++ case ' ':
++ case '\t': /* skip white space */
++ case ',': /* skip empty token */
++ break;
++ case '\0': /* end of string */
++ return 0;
++ default:
++ /* found real data, switch to state 1 to find the end of the token */
++ token_start = token_end = current;
++ state = 1;
++ break;
+ }
++ break;
++ case 1: /* find end of token and last non white space character */
++ switch (*current) {
++ case ' ':
++ case '\t':
++ /* space - don't update token_end */
++ break;
++ case ',':
++ case '\0': /* end of string also marks the end of a token */
++ if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) {
++ ds = data_string_init();
++ }
+
+- buffer_copy_string_len(ds->value, start, end-start+1);
+- array_insert_unique(vals, (data_unset *)ds);
++ buffer_copy_string_len(ds->value, token_start, token_end-token_start+1);
++ array_insert_unique(vals, (data_unset *)ds);
+
+- if (*s == ',') {
+ state = 0;
+- i++;
+- s++;
+- } else {
+- /* end of string */
+-
+- state = 2;
++ break;
++ default:
++ /* no white space, update token_end to include current character */
++ token_end = current;
++ break;
+ }
+ break;
+- default:
+- i++;
+- break;
+ }
+ }
++
+ return 0;
+ }
+
+--
+1.7.0.5
+
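Review bot: In the rewritten `http_request_split_value`, the last token is stored only when state 1 reaches `,` or `'\0'`, so the bound `i < b->used` is correct only if `b->used` counts the terminating NUL. A buffer whose final counted byte is not NUL would lose its last token silently and still return 0. The removed loop ran to `b->used - 1`, which suggests the invariant holds, but it should be stated above the loop, e.g. `/* b->used includes the trailing '\0'; the loop visits it so state 1 flushes the final token */`. Separately, the header of the new patch file has no `Upstream-Status:` line; since the description cites the upstream fix, adding `Upstream-Status: Backport` next to the `Signed-off-by:` would record its origin for later recipe upgrades.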
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
index c4008af..b86fd4a 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb
@@ -16,13 +16,14 @@ RDEPENDS_${PN} += " \
lighttpd-module-staticfile \
"
-PR = "r1"
+PR = "r2"
SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.bz2 \
file://index.html.lighttpd \
file://lighttpd.conf \
file://lighttpd \
file://lighttpd-fixing-invalid-read-in-valgrind.patch \
+ file://lighttpd-CVE-2012-5533.patch \
"
SRC_URI[md5sum] = "63f9df52dcae0ab5689a95c99c54e48a"
--
1.8.1.2.545.g2f19ada