From 9feb620369acc6e9d7cceb6c6a71f709b6004d00 Mon Sep 17 00:00:00 2001 From: Christian Hoffmann Date: Mon, 1 Feb 2010 23:47:55 +0000 Subject: revision bump with fix for CVE-2010-0295, straight to stable on amd64 (Portage version: 2.1.7.16/cvs/Linux x86_64, RepoMan options: --force) --- www-servers/lighttpd/ChangeLog | 8 +- .../lighttpd/files/1.4.25-fix-CVE-2010-0295.patch | 211 ++++++++++++++++++++ www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild | 213 +++++++++++++++++++++ 3 files changed, 431 insertions(+), 1 deletion(-) create mode 100644 www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch create mode 100644 www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild (limited to 'www-servers') diff --git a/www-servers/lighttpd/ChangeLog b/www-servers/lighttpd/ChangeLog index ce0346362ceb..41b6359af4bd 100644 --- a/www-servers/lighttpd/ChangeLog +++ b/www-servers/lighttpd/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for www-servers/lighttpd # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/ChangeLog,v 1.217 2010/02/01 19:53:41 maekke Exp $ +# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/ChangeLog,v 1.218 2010/02/01 23:47:54 hoffie Exp $ + +*lighttpd-1.4.25-r1 (01 Feb 2010) + + 01 Feb 2010; Christian Hoffmann + +lighttpd-1.4.25-r1.ebuild, +files/1.4.25-fix-CVE-2010-0295.patch: + revision bump with fix for CVE-2010-0295, straight to stable on amd64 01 Feb 2010; Markus Meier lighttpd-1.4.23.ebuild: arm stable, bug #286134 diff --git a/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch b/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch new file mode 100644 index 000000000000..fcac31887872 --- /dev/null +++ b/www-servers/lighttpd/files/1.4.25-fix-CVE-2010-0295.patch @@ -0,0 +1,211 @@ +Index: branches/lighttpd-1.4.x/src/base.h +=================================================================== +--- branches/lighttpd-1.4.x/src/base.h (revision 2709) ++++ branches/lighttpd-1.4.x/src/base.h (revision 2710) +@@ -431,7 +431,6 @@ + + #ifdef USE_OPENSSL + SSL *ssl; +- buffer *ssl_error_want_reuse_buffer; + # ifndef OPENSSL_NO_TLSEXT + buffer *tlsext_server_name; + # endif +Index: branches/lighttpd-1.4.x/src/connections.c +=================================================================== +--- branches/lighttpd-1.4.x/src/connections.c (revision 2709) ++++ branches/lighttpd-1.4.x/src/connections.c (revision 2710) +@@ -192,40 +192,42 @@ + + static int connection_handle_read_ssl(server *srv, connection *con) { + #ifdef USE_OPENSSL +- int r, ssl_err, len, count = 0; ++ int r, ssl_err, len, count = 0, read_offset, toread; + buffer *b = NULL; + + if (!con->conf.is_ssl) return -1; + +- /* don't resize the buffer if we were in SSL_ERROR_WANT_* */ +- + ERR_clear_error(); + do { +- if (!con->ssl_error_want_reuse_buffer) { +- b = buffer_init(); +- buffer_prepare_copy(b, SSL_pending(con->ssl) + (16 * 1024)); /* the pending bytes + 16kb */ ++ if (NULL != con->read_queue->last) { ++ b = con->read_queue->last->mem; ++ } + ++ if (NULL == b || b->size - b->used < 1024) { ++ b = chunkqueue_get_append_buffer(con->read_queue); ++ len = SSL_pending(con->ssl); ++ if (len < 4*1024) len = 4*1024; /* always alloc >= 4k buffer */ ++ buffer_prepare_copy(b, len + 1); ++ + /* overwrite everything with 0 */ + memset(b->ptr, 0, b->size); +- } else { +- b = con->ssl_error_want_reuse_buffer; + } + +- len = SSL_read(con->ssl, b->ptr, b->size - 1); +- con->ssl_error_want_reuse_buffer = NULL; /* reuse it only once */ ++ read_offset = (b->used > 0) ? b->used - 1 : 0; ++ toread = b->size - 1 - read_offset; + ++ len = SSL_read(con->ssl, b->ptr + read_offset, toread); ++ + if (len > 0) { +- b->used = len; ++ if (b->used > 0) b->used--; ++ b->used += len; + b->ptr[b->used++] = '\0'; + +- /* we move the buffer to the chunk-queue, no need to free it */ ++ con->bytes_read += len; + +- chunkqueue_append_buffer_weak(con->read_queue, b); + count += len; +- con->bytes_read += len; +- b = NULL; + } +- } while (len > 0 && count < MAX_READ_LIMIT); ++ } while (len == toread && count < MAX_READ_LIMIT); + + + if (len < 0) { +@@ -234,11 +236,11 @@ + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + con->is_readable = 0; +- con->ssl_error_want_reuse_buffer = b; + +- b = NULL; ++ /* the manual says we have to call SSL_read with the same arguments next time. ++ * we ignore this restriction; no one has complained about it in 1.5 yet, so it probably works anyway. ++ */ + +- /* we have to steal the buffer from the queue-queue */ + return 0; + case SSL_ERROR_SYSCALL: + /** +@@ -297,16 +299,11 @@ + + connection_set_state(srv, con, CON_STATE_ERROR); + +- buffer_free(b); +- + return -1; + } else if (len == 0) { + con->is_readable = 0; + /* the other end close the connection -> KEEP-ALIVE */ + +- /* pipelining */ +- buffer_free(b); +- + return -2; + } + +@@ -321,26 +318,41 @@ + static int connection_handle_read(server *srv, connection *con) { + int len; + buffer *b; +- int toread; ++ int toread, read_offset; + + if (con->conf.is_ssl) { + return connection_handle_read_ssl(srv, con); + } + ++ b = (NULL != con->read_queue->last) ? con->read_queue->last->mem : NULL; ++ ++ /* default size for chunks is 4kb; only use bigger chunks if FIONREAD tells ++ * us more than 4kb is available ++ * if FIONREAD doesn't signal a big chunk we fill the previous buffer ++ * if it has >= 1kb free ++ */ + #if defined(__WIN32) +- b = chunkqueue_get_append_buffer(con->read_queue); +- buffer_prepare_copy(b, 4 * 1024); +- len = recv(con->fd, b->ptr, b->size - 1, 0); +-#else +- if (ioctl(con->fd, FIONREAD, &toread) || toread == 0) { ++ if (NULL == b || b->size - b->used < 1024) { + b = chunkqueue_get_append_buffer(con->read_queue); + buffer_prepare_copy(b, 4 * 1024); ++ } ++ ++ read_offset = (b->used == 0) ? 0 : b->used - 1; ++ len = recv(con->fd, b->ptr + read_offset, b->size - 1 - read_offset, 0); ++#else ++ if (ioctl(con->fd, FIONREAD, &toread) || toread == 0 || toread <= 4*1024) { ++ if (NULL == b || b->size - b->used < 1024) { ++ b = chunkqueue_get_append_buffer(con->read_queue); ++ buffer_prepare_copy(b, 4 * 1024); ++ } + } else { + if (toread > MAX_READ_LIMIT) toread = MAX_READ_LIMIT; + b = chunkqueue_get_append_buffer(con->read_queue); + buffer_prepare_copy(b, toread + 1); + } +- len = read(con->fd, b->ptr, b->size - 1); ++ ++ read_offset = (b->used == 0) ? 0 : b->used - 1; ++ len = read(con->fd, b->ptr + read_offset, b->size - 1 - read_offset); + #endif + + if (len < 0) { +@@ -374,7 +386,8 @@ + con->is_readable = 0; + } + +- b->used = len; ++ if (b->used > 0) b->used--; ++ b->used += len; + b->ptr[b->used++] = '\0'; + + con->bytes_read += len; +@@ -850,13 +863,6 @@ + /* The cond_cache gets reset in response.c */ + /* config_cond_cache_reset(srv, con); */ + +-#ifdef USE_OPENSSL +- if (con->ssl_error_want_reuse_buffer) { +- buffer_free(con->ssl_error_want_reuse_buffer); +- con->ssl_error_want_reuse_buffer = NULL; +- } +-#endif +- + con->header_len = 0; + con->in_error_handler = 0; + +@@ -1128,8 +1134,15 @@ + } else { + buffer *b; + +- b = chunkqueue_get_append_buffer(dst_cq); +- buffer_copy_string_len(b, c->mem->ptr + c->offset, toRead); ++ if (dst_cq->last && ++ dst_cq->last->type == MEM_CHUNK) { ++ b = dst_cq->last->mem; ++ } else { ++ b = chunkqueue_get_append_buffer(dst_cq); ++ /* prepare buffer size for remaining POST data; is < 64kb */ ++ buffer_prepare_copy(b, con->request.content_length - dst_cq->bytes_in + 1); ++ } ++ buffer_append_string_len(b, c->mem->ptr + c->offset, toRead); + } + + c->offset += toRead; +Index: branches/lighttpd-1.4.x/src/chunk.c +=================================================================== +--- branches/lighttpd-1.4.x/src/chunk.c (revision 2709) ++++ branches/lighttpd-1.4.x/src/chunk.c (revision 2710) +@@ -197,8 +197,6 @@ + int chunkqueue_append_buffer_weak(chunkqueue *cq, buffer *mem) { + chunk *c; + +- if (mem->used == 0) return 0; +- + c = chunkqueue_get_unused_chunk(cq); + c->type = MEM_CHUNK; + c->offset = 0; diff --git a/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild b/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild new file mode 100644 index 000000000000..bcae5606b475 --- /dev/null +++ b/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild @@ -0,0 +1,213 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/lighttpd-1.4.25-r1.ebuild,v 1.1 2010/02/01 23:47:54 hoffie Exp $ + +EAPI="2" + +inherit eutils autotools depend.php + +DESCRIPTION="Lightweight high-performance web server" +HOMEPAGE="http://www.lighttpd.net/" +SRC_URI="http://download.lighttpd.net/lighttpd/releases-1.4.x/${P}.tar.bz2" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="bzip2 doc fam fastcgi gdbm ipv6 ldap lua minimal memcache mysql pcre php rrdtool ssl test webdav xattr" + +RDEPEND=" + >=sys-libs/zlib-1.1 + bzip2? ( app-arch/bzip2 ) + fam? ( virtual/fam ) + gdbm? ( sys-libs/gdbm ) + ldap? ( >=net-nds/openldap-2.1.26 ) + lua? ( >=dev-lang/lua-5.1 ) + memcache? ( dev-libs/libmemcache ) + mysql? ( >=virtual/mysql-4.0 ) + pcre? ( >=dev-libs/libpcre-3.1 ) + php? ( virtual/httpd-php ) + rrdtool? ( net-analyzer/rrdtool ) + ssl? ( >=dev-libs/openssl-0.9.7 ) + webdav? ( + dev-libs/libxml2 + >=dev-db/sqlite-3 + sys-fs/e2fsprogs + ) + xattr? ( kernel_linux? ( sys-apps/attr ) )" + +DEPEND="${RDEPEND} + dev-util/pkgconfig + doc? ( dev-python/docutils ) + test? ( + virtual/perl-Test-Harness + dev-libs/fcgi + )" + +# update certain parts of lighttpd.conf based on conditionals +update_config() { + local config="/etc/lighttpd/lighttpd.conf" + + # enable php/mod_fastcgi settings + use php && \ + dosed 's|#.*\(include.*fastcgi.*$\)|\1|' ${config} + + # enable stat() caching + use fam && \ + dosed 's|#\(.*stat-cache.*$\)|\1|' ${config} +} + +# remove non-essential stuff (for USE=minimal) +remove_non_essential() { + local libdir="${D}/usr/$(get_libdir)/${PN}" + + # text docs + use doc || rm -fr "${D}"/usr/share/doc/${PF}/txt + + # non-essential modules + rm -f \ + ${libdir}/mod_{compress,evhost,expire,proxy,scgi,secdownload,simple_vhost,status,setenv,trigger*,usertrack}.* + + # allow users to keep some based on USE flags + use pcre || rm -f ${libdir}/mod_{ssi,re{direct,write}}.* + use webdav || rm -f ${libdir}/mod_webdav.* + use mysql || rm -f ${libdir}/mod_mysql_vhost.* + use lua || rm -f ${libdir}/mod_{cml,magnet}.* + use rrdtool || rm -f ${libdir}/mod_rrdtool.* + + if ! use fastcgi ; then + rm -f ${libdir}/mod_fastcgi.* + fi +} + +pkg_setup() { + if ! use pcre ; then + ewarn "It is highly recommended that you build ${PN}" + ewarn "with perl regular expressions support via USE=pcre." + ewarn "Otherwise you lose support for some core options such" + ewarn "as conditionals and modules such as mod_re{write,direct}" + ewarn "and mod_ssi." + ebeep 5 + fi + + use php && require_php_with_use cgi + + enewgroup lighttpd + enewuser lighttpd -1 -1 /var/www/localhost/htdocs lighttpd +} + +src_prepare() { + epatch "${FILESDIR}"/1.4.25-fix-unknown-AM_SILENT_RULES.patch + epatch "${FILESDIR}"/1.4.25-fix-CVE-2010-0295.patch + # dev-python/docutils installs rst2html.py not rst2html + sed -i -e 's|\(rst2html\)|\1.py|g' doc/Makefile.am || \ + die "sed doc/Makefile.am failed" + + eautoreconf +} + +src_configure() { + econf --libdir=/usr/$(get_libdir)/${PN} \ + --enable-lfs \ + $(use_enable ipv6) \ + $(use_with bzip2) \ + $(use_with fam) \ + $(use_with gdbm) \ + $(use_with lua) \ + $(use_with ldap) \ + $(use_with memcache) \ + $(use_with mysql) \ + $(use_with pcre) \ + $(use_with ssl openssl) \ + $(use_with webdav webdav-props) \ + $(use_with webdav webdav-locks) \ + $(use_with xattr attr) +} + +src_compile() { + emake || die "emake failed" + + if use doc ; then + einfo "Building HTML documentation" + cd doc + emake html || die "failed to build HTML documentation" + fi +} + +src_test() { + if [[ ${EUID} -eq 0 ]]; then + default_src_test + else + ewarn "test skipped, please re-run as root if you wish to test ${PN}" + fi +} + +src_install() { + make DESTDIR="${D}" install || die "make install failed" + + # init script stuff + newinitd "${FILESDIR}"/lighttpd.initd lighttpd || die + newconfd "${FILESDIR}"/lighttpd.confd lighttpd || die + use fam && has_version app-admin/fam && \ + sed -i 's/after famd/need famd/g' "${D}"/etc/init.d/lighttpd + + # configs + insinto /etc/lighttpd + doins "${FILESDIR}"/conf/lighttpd.conf + doins "${FILESDIR}"/conf/mime-types.conf + doins "${FILESDIR}"/conf/mod_cgi.conf + doins "${FILESDIR}"/conf/mod_fastcgi.conf + # Secure directory for fastcgi sockets + keepdir /var/run/lighttpd/ + fperms 0750 /var/run/lighttpd/ + fowners lighttpd:lighttpd /var/run/lighttpd/ + + # update lighttpd.conf directives based on conditionals + update_config + + # docs + dodoc AUTHORS README NEWS doc/*.sh + newdoc doc/lighttpd.conf lighttpd.conf.distrib + + use doc && dohtml -r doc/* + + docinto txt + dodoc doc/*.txt + + # logrotate + insinto /etc/logrotate.d + newins "${FILESDIR}"/lighttpd.logrotate lighttpd || die + + keepdir /var/l{ib,og}/lighttpd /var/www/localhost/htdocs + fowners lighttpd:lighttpd /var/l{ib,og}/lighttpd + fperms 0750 /var/l{ib,og}/lighttpd + + #spawn-fcgi may optionally be installed via www-servers/spawn-fcgi + rm -f "${D}"/usr/bin/spawn-fcgi "${D}"/usr/share/man/man1/spawn-fcgi.* + + use minimal && remove_non_essential +} + +pkg_postinst () { + echo + if [[ -f ${ROOT}etc/conf.d/spawn-fcgi.conf ]] ; then + einfo "spawn-fcgi is now provided by www-servers/spawn-fcgi." + einfo "spawn-fcgi's init script configuration is now located" + einfo "at /etc/conf.d/spawn-fcgi." + echo + fi + + if [[ -f ${ROOT}etc/lighttpd.conf ]] ; then + ewarn "Gentoo has a customized configuration," + ewarn "which is now located in /etc/lighttpd. Please migrate your" + ewarn "existing configuration." + ebeep 5 + fi + + if use fastcgi; then + ewarn "As of lighttpd-1.4.22, spawn-fcgi is provided by the separate" + ewarn "www-servers/spawn-fcgi package. Please install it manually, if" + ewarn "you use spawn-fcgi." + ewarn "It features a new, more featurefull init script - please migrate" + ewarn "your configuration!" + fi +} -- cgit v1.2.3-65-gdbad