packages: lighttpd/lighttpd-branch.diff, lighttpd/lighttpd.spec - up to svn...
glen
glen at pld-linux.org
Tue Feb 2 12:56:29 CET 2010
Author: glen Date: Tue Feb 2 11:56:29 2010 GMT
Module: packages Tag: HEAD
---- Log message:
- up to svn -r2711, fixes CVE-2010-0295
- rel 5
---- Files affected:
packages/lighttpd:
lighttpd-branch.diff (1.66 -> 1.67) , lighttpd.spec (1.322 -> 1.323)
---- Diffs:
================================================================
Index: packages/lighttpd/lighttpd-branch.diff
diff -u packages/lighttpd/lighttpd-branch.diff:1.66 packages/lighttpd/lighttpd-branch.diff:1.67
--- packages/lighttpd/lighttpd-branch.diff:1.66 Sat Dec 12 15:41:24 2009
+++ packages/lighttpd/lighttpd-branch.diff Tue Feb 2 12:56:22 2010
@@ -1,9 +1,230 @@
-# Revision 2698
+# Revision 2711
+Index: src/mod_cgi.c
+===================================================================
+--- src/mod_cgi.c (.../tags/lighttpd-1.4.25)
++++ src/mod_cgi.c (.../branches/lighttpd-1.4.x)
+@@ -747,6 +747,8 @@
+ }
+
+ if (pipe(from_cgi_fds)) {
++ close(to_cgi_fds[0]);
++ close(to_cgi_fds[1]);
+ log_error_write(srv, __FILE__, __LINE__, "ss", "pipe failed:", strerror(errno));
+ return -1;
+ }
+@@ -1035,6 +1037,10 @@
+ case -1:
+ /* error */
+ log_error_write(srv, __FILE__, __LINE__, "ss", "fork failed:", strerror(errno));
++ close(from_cgi_fds[0]);
++ close(from_cgi_fds[1]);
++ close(to_cgi_fds[0]);
++ close(to_cgi_fds[1]);
+ return -1;
+ break;
+ default: {
+@@ -1181,6 +1187,7 @@
+ plugin_config *s = p->config_storage[0];
+
+ PATCH(cgi);
++ PATCH(execute_x_only);
+
+ /* skip the first, the global context */
+ for (i = 1; i < srv->config_context->used; i++) {
+Index: src/base.h
+===================================================================
+--- src/base.h (.../tags/lighttpd-1.4.25)
++++ src/base.h (.../branches/lighttpd-1.4.x)
+@@ -431,7 +431,6 @@
+
+ #ifdef USE_OPENSSL
+ SSL *ssl;
+- buffer *ssl_error_want_reuse_buffer;
+ # ifndef OPENSSL_NO_TLSEXT
+ buffer *tlsext_server_name;
+ # endif
+Index: src/mod_rewrite.c
+===================================================================
+--- src/mod_rewrite.c (.../tags/lighttpd-1.4.25)
++++ src/mod_rewrite.c (.../branches/lighttpd-1.4.x)
+@@ -394,7 +394,7 @@
+ buffer_reset(con->request.uri);
+
+ start = 0;
+- for (k = 0; k < pattern_len; k++) {
++ for (k = 0; k+1 < pattern_len; k++) {
+ if (pattern[k] == '$' || pattern[k] == '%') {
+ /* got one */
+
Index: src/connections.c
===================================================================
--- src/connections.c (.../tags/lighttpd-1.4.25)
+++ src/connections.c (.../branches/lighttpd-1.4.x)
-@@ -945,62 +945,50 @@
+@@ -192,40 +192,42 @@
+
+ static int connection_handle_read_ssl(server *srv, connection *con) {
+ #ifdef USE_OPENSSL
+- int r, ssl_err, len, count = 0;
++ int r, ssl_err, len, count = 0, read_offset, toread;
+ buffer *b = NULL;
+
+ if (!con->conf.is_ssl) return -1;
+
+- /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+-
+ ERR_clear_error();
+ do {
+- if (!con->ssl_error_want_reuse_buffer) {
+- b = buffer_init();
+- buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */
++ if (NULL != con->read_queue->last) {
++ b = con->read_queue->last->mem;
++ }
+
++ if (NULL == b || b->size - b->used < 1024) {
++ b = chunkqueue_get_append_buffer(con->read_queue);
++ len = SSL_pending(con->ssl);
++ if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */
++ buffer_prepare_copy(b, len + 1);
++
+ /* overwrite everything with 0 */
+ memset(b->ptr, 0, b->size);
+- } else {
+- b = con->ssl_error_want_reuse_buffer;
+ }
+
+- len = SSL_read(con->ssl, b->ptr, b->size - 1);
+- con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */
++ read_offset = (b->used > 0) ? b->used - 1 : 0;
++ toread = b->size - 1 - read_offset;
+
++ len = SSL_read(con->ssl, b->ptr + read_offset, toread);
++
+ if (len > 0) {
+- b->used = len;
++ if (b->used > 0) b->used--;
++ b->used += len;
+ b->ptr[b->used++] = '\0';
+
+- /* we move the buffer to the chunk-queue, no need to free it */
++ con->bytes_read += len;
+
+- chunkqueue_append_buffer_weak(con->read_queue, b);
+ count += len;
+- con->bytes_read += len;
+- b = NULL;
+ }
+- } while (len > 0 && count < MAX_READ_LIMIT);
++ } while (len == toread && count < MAX_READ_LIMIT);
+
+
+ if (len < 0) {
+@@ -234,11 +236,11 @@
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_WRITE:
+ con->is_readable = 0;
+- con->ssl_error_want_reuse_buffer = b;
+
+- b = NULL;
++ /* the manual says we have to call SSL_read with the same arguments next time.
++ * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway.
++ */
+
+- /* we have to steal the buffer from the queue-queue */
+ return 0;
+ case SSL_ERROR_SYSCALL:
+ /**
+@@ -297,16 +299,11 @@
+
+ connection_set_state(srv, con, CON_STATE_ERROR);
+
+- buffer_free(b);
+-
+ return -1;
+ } else if (len == 0) {
+ con->is_readable = 0;
+ /* the other end close the connection -> KEEP-ALIVE */
+
+- /* pipelining */
+- buffer_free(b);
+-
+ return -2;
+ }
+
+@@ -321,26 +318,41 @@
+ static int connection_handle_read(server *srv, connection *con) {
+ int len;
+ buffer *b;
+- int toread;
++ int toread, read_offset;
+
+ if (con->conf.is_ssl) {
+ return connection_handle_read_ssl(srv, con);
+ }
+
++ b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL;
++
++ /* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells
++ * us more than 4kb is available
++ * if FIONREAD doesn't signal a big chunk we fill the previous buffer
++ * if it has >= 1kb free
++ */
+ #if defined(__WIN32)
+- b = chunkqueue_get_append_buffer(con->read_queue);
+- buffer_prepare_copy(b, 4 * 1024);
+- len = recv(con->fd, b->ptr, b->size - 1, 0);
+-#else
+- if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) {
++ if (NULL == b || b->size - b->used < 1024) {
+ b = chunkqueue_get_append_buffer(con->read_queue);
+ buffer_prepare_copy(b, 4 * 1024);
++ }
++
++ read_offset = (b->used == 0) ? 0 : b->used - 1;
++ len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0);
++#else
++ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) {
++ if (NULL == b || b->size - b->used < 1024) {
++ b = chunkqueue_get_append_buffer(con->read_queue);
++ buffer_prepare_copy(b, 4 * 1024);
++ }
+ } else {
+ if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT;
+ b = chunkqueue_get_append_buffer(con->read_queue);
+ buffer_prepare_copy(b, toread + 1);
+ }
+- len = read(con->fd, b->ptr, b->size - 1);
++
++ read_offset = (b->used == 0) ? 0 : b->used - 1;
++ len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset);
+ #endif
+
+ if (len < 0) {
+@@ -374,7 +386,8 @@
+ con->is_readable = 0;
+ }
+
+- b->used = len;
++ if (b->used > 0) b->used--;
++ b->used += len;
+ b->ptr[b->used++] = '\0';
+
+ con->bytes_read += len;
+@@ -850,13 +863,6 @@
+ /* The cond_cache gets reset in response.c */
+ /* config_cond_cache_reset(srv, con); */
+
+-#ifdef USE_OPENSSL
+- if (con->ssl_error_want_reuse_buffer) {
+- buffer_free(con->ssl_error_want_reuse_buffer);
+- con->ssl_error_want_reuse_buffer = NULL;
+- }
+-#endif
+-
+ con->header_len = 0;
+ con->in_error_handler = 0;
+
+@@ -945,62 +951,50 @@
last_chunk = NULL;
last_offset = 0;
@@ -91,6 +312,161 @@
/* found */
if (last_chunk) {
+@@ -1140,8 +1134,15 @@
+ } else {
+ buffer *b;
+
+- b = chunkqueue_get_append_buffer(dst_cq);
+- buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead);
++ if (dst_cq->last &&
++ dst_cq->last->type == MEM_CHUNK) {
++ b = dst_cq->last->mem;
++ } else {
++ b = chunkqueue_get_append_buffer(dst_cq);
++ /* prepare buffer size for remaining POST data; is < 64kb */
++ buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1);
++ }
++ buffer_append_string_len(b, c->mem->ptr + c->offset, toRead);
+ }
+
+ c->offset += toRead;
+Index: src/chunk.c
+===================================================================
+--- src/chunk.c (.../tags/lighttpd-1.4.25)
++++ src/chunk.c (.../branches/lighttpd-1.4.x)
+@@ -197,8 +197,6 @@
+ int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) {
+ chunk *c;
+
+- if (mem->used == 0) return 0;
+-
+ c = chunkqueue_get_unused_chunk(cq);
+ c->type = MEM_CHUNK;
+ c->offset = 0;
+Index: src/mod_proxy.c
+===================================================================
+--- src/mod_proxy.c (.../tags/lighttpd-1.4.25)
++++ src/mod_proxy.c (.../branches/lighttpd-1.4.x)
+@@ -1047,12 +1047,33 @@
+ *
+ */
+
+- proxy_connection_close(srv, hctx);
+- joblist_append(srv, con);
++ if (hctx->host) {
++ hctx->host->is_disabled = 1;
++ hctx->host->disable_ts = srv->cur_ts;
++ log_error_write(srv, __FILE__, __LINE__, "sbdd", "proxy-server disabled:",
++ hctx->host->host,
++ hctx->host->port,
++ hctx->fd);
+
+- con->http_status = 503;
+- con->mode = DIRECT;
++ /* disable this server */
++ hctx->host->is_disabled = 1;
++ hctx->host->disable_ts = srv->cur_ts;
+
++ proxy_connection_close(srv, hctx);
++
++ /* reset the enviroment and restart the sub-request */
++ buffer_reset(con->physical.path);
++ con->mode = DIRECT;
++
++ joblist_append(srv, con);
++ } else {
++ proxy_connection_close(srv, hctx);
++ joblist_append(srv, con);
++
++ con->mode = DIRECT;
++ con->http_status = 503;
++ }
++
+ return HANDLER_FINISHED;
+ }
+
+Index: src/mod_redirect.c
+===================================================================
+--- src/mod_redirect.c (.../tags/lighttpd-1.4.25)
++++ src/mod_redirect.c (.../branches/lighttpd-1.4.x)
+@@ -210,7 +210,7 @@
+ buffer_reset(p->location);
+
+ start = 0;
+- for (k = 0; k < pattern_len; k++) {
++ for (k = 0; k + 1 < pattern_len; k++) {
+ if (pattern[k] == '$' || pattern[k] == '%') {
+ /* got one */
+
+Index: src/mod_fastcgi.c
+===================================================================
+--- src/mod_fastcgi.c (.../tags/lighttpd-1.4.25)
++++ src/mod_fastcgi.c (.../branches/lighttpd-1.4.x)
+@@ -2307,6 +2307,9 @@
+ filename = pos;
+ if (NULL == (range = strchr(pos, ' '))) {
+ /* missing range */
++ if (p->conf.debug) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "Couldn't find range after filename:", filename);
++ }
+ return 1;
+ }
+ buffer_copy_string_len(srv->tmp_buf, filename, range - filename);
+@@ -2338,14 +2341,24 @@
+ char *rpos = NULL;
+ errno = 0;
+ begin_range = strtoll(range, &rpos, 10);
+- if (errno != 0 || begin_range < 0 || rpos == range) return 1;
+- if ('-' != *rpos++) return 1;
++ if (errno != 0 || begin_range < 0 || rpos == range) goto range_failed;
++ if ('-' != *rpos++) goto range_failed;
+ if (rpos != pos) {
+ range = rpos;
+ end_range = strtoll(range, &rpos, 10);
+- if (errno != 0 || end_range < 0 || rpos == range) return 1;
++ if (errno != 0 || end_range < 0 || rpos == range) goto range_failed;
+ }
+- if (rpos != pos) return 1;
++ if (rpos != pos) goto range_failed;
++
++ goto range_success;
++
++range_failed:
++ if (p->conf.debug) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "Couldn't decode range after filename:", filename);
++ }
++ return 1;
++
++range_success: ;
+ }
+
+ /* no parameters accepted */
+Index: src/mod_accesslog.c
+===================================================================
+--- src/mod_accesslog.c (.../tags/lighttpd-1.4.25)
++++ src/mod_accesslog.c (.../branches/lighttpd-1.4.x)
+@@ -788,6 +788,13 @@
+ buffer_append_string_len(b, CONST_STR_LEN("-"));
+ }
+ break;
++ case FORMAT_ENV:
++ if (NULL != (ds = (data_string *)array_get_element(con->environment, p->conf.parsed_format->ptr[j]->string->ptr))) {
++ accesslog_append_escaped(b, ds->value);
++ } else {
++ buffer_append_string_len(b, CONST_STR_LEN("-"));
++ }
++ break;
+ case FORMAT_FILENAME:
+ if (con->physical.path->used > 1) {
+ buffer_append_string_buffer(b, con->physical.path);
+@@ -864,7 +871,6 @@
+ { 'A', FORMAT_LOCAL_ADDR },
+ { 'C', FORMAT_COOKIE },
+ { 'D', FORMAT_TIME_USED_MS },
+- { 'e', FORMAT_ENV },
+ */
+
+ break;
Index: tests/request.t
===================================================================
--- tests/request.t (.../tags/lighttpd-1.4.25)
@@ -384,13 +760,21 @@
===================================================================
--- NEWS (.../tags/lighttpd-1.4.25)
+++ NEWS (.../branches/lighttpd-1.4.x)
-@@ -3,7 +3,10 @@
+@@ -3,7 +3,18 @@
NEWS
====
-- 1.4.25 -
+- 1.4.26 -
-+ *
++ * Fix request parser to handle packets with splitted \r\n\r\n (fixes #2105)
++ * Remove dependency on automake >= 1.11 with m4_ifdef check
++ * mod_accesslog: support %e (fixes #2113, thx presbrey)
++ * Fix mod_cgi cgi.execute-x-only option in global block
++ * mod_fastcgi: x-sendfile2 parse error debugging
++ * Fix mod_proxy dead host detection if connect() fails
++ * Fix fd leaks in mod_cgi (fds not closed on pipe/fork failures, found by Rodrigo, fixes #2158, #2159)
++ * Fix segfault with broken rewrite/redirect patterns (fixes #2140, found by crypt)
++ * Append to previous buffer in con read (fixes #2147, found by liming, CVE-2010-0295)
+
+- 1.4.25 - 2009-11-21
* mod_magnet: fix pairs() for normal tables and strings (fixes #1307)
================================================================
Index: packages/lighttpd/lighttpd.spec
diff -u packages/lighttpd/lighttpd.spec:1.322 packages/lighttpd/lighttpd.spec:1.323
--- packages/lighttpd/lighttpd.spec:1.322 Mon Jan 4 12:18:08 2010
+++ packages/lighttpd/lighttpd.spec Tue Feb 2 12:56:22 2010
@@ -24,7 +24,7 @@
Summary(pl.UTF-8): Szybki i lekki serwer HTTP
Name: lighttpd
Version: 1.4.25
-Release: 4
+Release: 5
License: BSD
Group: Networking/Daemons/HTTP
Source0: http://download.lighttpd.net/lighttpd/releases-1.4.x/%{name}-%{version}.tar.bz2
@@ -85,7 +85,7 @@
Source135: %{name}-mod_extforward.conf
Source136: %{name}-mod_h264_streaming.conf
Source137: %{name}-mod_cgi_php.conf
-#Patch100: %{name}-branch.diff
+Patch100: %{name}-branch.diff
Patch0: %{name}-use_bin_sh.patch
Patch1: %{name}-mod_evasive-status_code.patch
Patch2: %{name}-mod_h264_streaming.patch
@@ -812,7 +812,7 @@
%prep
%setup -q
-#%patch100 -p0
+%patch100 -p0
%patch4 -p0
%patch0 -p1
%patch1 -p1
@@ -1306,6 +1306,10 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.323 2010/02/02 11:56:22 glen
+- up to svn -r2711, fixes CVE-2010-0295
+- rel 5
+
Revision 1.322 2010/01/04 11:18:08 glen
- release 4
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd-branch.diff?r1=1.66&r2=1.67&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/lighttpd/lighttpd.spec?r1=1.322&r2=1.323&f=u
More information about the pld-cvs-commit
mailing list