[kirkstone,05/31] lighttpd: fix CVE-2022-41556

Message ID	bf0b120d082dd058e3e56f1704a65129c0fdcafa.1667530733.git.steve@sakoman.com
State	Accepted, archived
Commit	88e1917dbf1e1bce5713c88d97adceb28ac0da05
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.216.47, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/31] lighttpd: fix CVE-2022-41556 Date: Thu, 3 Nov 2022 17:00:40 -1000 Message-Id: <bf0b120d082dd058e3e56f1704a65129c0fdcafa.1667530733.git.steve@sakoman.com> In-Reply-To: <cover.1667530733.git.steve@sakoman.com> References: <cover.1667530733.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/31] openssl: export necessary env vars in SDK \| expand [kirkstone,01/31] openssl: export necessary env vars in SDK [kirkstone,02/31] openssl: Fix SSL_CERT_FILE to match ca-certs location [kirkstone,03/31] openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encr… [kirkstone,04/31] openssl: Upgrade 3.0.5 -> 3.0.7 [kirkstone,05/31] lighttpd: fix CVE-2022-41556 [kirkstone,06/31] tiff: fix CVE-2022-2953 [kirkstone,07/31] expat: backport the fix for CVE-2022-43680 [kirkstone,08/31] wayland: fix CVE-2021-3782 [kirkstone,09/31] cve-update-db-native: add timeout to urlopen() calls [kirkstone,10/31] vim: Upgrade 9.0.0598 -> 9.0.0614 [kirkstone,11/31] vim: upgrade 9.0.0614 -> 9.0.0820 [kirkstone,12/31] ifupdown: upgrade 0.8.37 -> 0.8.39 [kirkstone,13/31] scripts/oe-check-sstate: cleanup [kirkstone,14/31] scripts/oe-check-sstate: force build to run for all targets, specifically populat… [kirkstone,15/31] psplash: add psplash-default in rdepends [kirkstone,16/31] opkg-utils: use a git clone, not a dynamic snapshot [kirkstone,17/31] insane.bbclass: Allow hashlib version that only accepts on parameter [kirkstone,18/31] oe/packagemanager/rpm: don't leak file objects [kirkstone,19/31] u-boot: Remove duplicate inherit of cml1 [kirkstone,20/31] bluez5: add dbus to RDEPENDS [kirkstone,21/31] glib-2.0: fix rare GFileInfo test case failure [kirkstone,22/31] gnutls: Unified package names to lower-case [kirkstone,23/31] meson: make wrapper options sub-command specific [kirkstone,24/31] buildtools-tarball: export certificates to python and curl [kirkstone,25/31] qemu-native: Add PACKAGECONFIG option for jack [kirkstone,26/31] runqemu: Do not perturb script environment [kirkstone,27/31] runqemu: Fix gl-es argument from causing other arguments to be ignored [kirkstone,28/31] overlayfs: Allow not used mount points [kirkstone,29/31] cmake-native: Fix host tool contamination (Bug: 14951) [kirkstone,30/31] ltp: backport clock_gettime04 fix from upstream [kirkstone,31/31] perf: Depend on native setuptools3

Message ID

bf0b120d082dd058e3e56f1704a65129c0fdcafa.1667530733.git.steve@sakoman.com

State

Accepted, archived

Commit

88e1917dbf1e1bce5713c88d97adceb28ac0da05

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/31] lighttpd: fix CVE-2022-41556
Date: Thu,  3 Nov 2022 17:00:40 -1000
Message-Id: 
 <bf0b120d082dd058e3e56f1704a65129c0fdcafa.1667530733.git.steve@sakoman.com>
In-Reply-To: <cover.1667530733.git.steve@sakoman.com>
References: <cover.1667530733.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/31] openssl: export necessary env vars in SDK | expand

Commit Message

Steve Sakoman Nov. 4, 2022, 3 a.m. UTC

From: Ross Burton <ross.burton@arm.com>

Backport the fix from upstream to fix this CVE.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 59f69125fb00dc8fd335f32fe6898e7a480141e4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../lighttpd/lighttpd/CVE-2022-41556.patch    | 31 +++++++++++++++++++
 .../lighttpd/lighttpd_1.4.66.bb               |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-extended/lighttpd/lighttpd/CVE-2022-41556.patch

diff --git a/meta/recipes-extended/lighttpd/lighttpd/CVE-2022-41556.patch b/meta/recipes-extended/lighttpd/lighttpd/CVE-2022-41556.patch
new file mode 100644
index 0000000000..284a5a3ea9
--- /dev/null
+++ b/meta/recipes-extended/lighttpd/lighttpd/CVE-2022-41556.patch
@@ -0,0 +1,31 @@ 
+CVE: CVE-2022-41556
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b18de6f9264f914f7bf493abd3b6059343548e50 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 11 Sep 2022 22:31:34 -0400
+Subject: [PATCH] [core] handle RDHUP when collecting chunked body
+
+handle RDHUP as soon as RDHUP detected when collecting HTTP/1.1 chunked
+request body (and when not streaming request body to backend)
+
+x-ref:
+  https://github.com/lighttpd/lighttpd1.4/pull/115
+---
+ src/gw_backend.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gw_backend.c b/src/gw_backend.c
+index df9d8217..5db56287 100644
+--- a/src/gw_backend.c
++++ b/src/gw_backend.c
+@@ -2228,7 +2228,7 @@ handler_t gw_handle_subrequest(request_st * const r, void *p_d) {
+                  *  and module is flagged to stream request body to backend) */
+                 return (r->conf.stream_request_body & FDEVENT_STREAM_REQUEST)
+                   ? http_response_reqbody_read_error(r, 411)
+-                  : HANDLER_WAIT_FOR_EVENT;
++                  : (rc == HANDLER_GO_ON) ? HANDLER_WAIT_FOR_EVENT : rc;
+             }
+ 
+             if (hctx->wb_reqlen < -1 && r->reqbody_length >= 0) {
diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
index 801162867c..78978105b2 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb
@@ -14,6 +14,7 @@  RRECOMMENDS:${PN} = "lighttpd-module-access \
                      lighttpd-module-accesslog"
 
 SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.xz \
+           file://CVE-2022-41556.patch \
            file://index.html.lighttpd \
            file://lighttpd.conf \
            file://lighttpd \

[kirkstone,05/31] lighttpd: fix CVE-2022-41556

Commit Message

Patch