~ubuntu-branches/ubuntu/hardy/lighttpd/hardy-security

Viewing changes to debian/patches/92_CVE-2008-1531.dpatch

Committer: Bazaar Package Importer
Author(s): Emanuele Gentili
Date: 2008-04-06 00:09:12 UTC
Revision ID: james.westby@ubuntu.com-20080406000912-8fch5qc1ahziv5zi

Tags: 1.4.19-0ubuntu3

https://launchpad.net/bugs/209627

* SECURITY UPDATE: (LP: #209627)
+ debian/patches/92_CVE-2008-1531.dpatch
  - lighttpd 1.4.19 and earlier allows remote attackers to cause a denial
    of service (active SSL connection loss) by triggering an SSL error,
    such as disconnecting before a download has finished, which causes
    all active SSL connections to be lost.
* References
+ http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1531
+ http://trac.lighttpd.net/trac/changeset/2136
+ http://trac.lighttpd.net/trac/changeset/2139

files added:
debian/patches/92_CVE-2008-1531.dpatch

files modified:
debian/changelog

debian/patches/00list

Show diffs side-by-side

added added

removed removed

debian/patches/92_CVE-2008-1531.dpatch

#! /bin/sh /usr/share/dpatch/dpatch-run

## 92_CVE-2008-1531.dpatch by Emanuele Gentili <emgent@emanuele-gentili.com>

## All lines beginning with `## DP:' are a description of the patch.

## DP: No description.

@DPATCH@

diff -urNad lighttpd-1.4.19~/src/connections.c lighttpd-1.4.19/src/connections.c

--- lighttpd-1.4.19~/src/connections.c 2008-02-28 00:41:35.000000000 +0100

+++ lighttpd-1.4.19/src/connections.c 2008-04-06 00:07:21.000000000 +0200

@@ -199,6 +199,7 @@

/* don't resize the buffer if we were in SSL_ERROR_WANT_* */

+ ERR_clear_error();

do {

if (!con->ssl_error_want_reuse_buffer) {

b = buffer_init();

@@ -1668,21 +1669,52 @@

}

#ifdef USE_OPENSSL

if (srv_sock->is_ssl) {

- int ret;

+ int ret, ssl_r;

+ unsigned long err;

+ ERR_clear_error();

switch ((ret = SSL_shutdown(con->ssl))) {

case 1:

/* ok */

break;

case 0:

- SSL_shutdown(con->ssl);

- break;

+ ERR_clear_error();

+ if (-1 != (ret = SSL_shutdown(con->ssl))) break;

+ // fall through

default:

- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",

- SSL_get_error(con->ssl, ret),

- ERR_error_string(ERR_get_error(), NULL));

- return -1;

+ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {

+ case SSL_ERROR_WANT_WRITE:

+ case SSL_ERROR_WANT_READ:

+ break;

+ case SSL_ERROR_SYSCALL:

+ /* perhaps we have error waiting in our error-queue */

+ if (0 != (err = ERR_get_error())) {

+ do {

+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",

+ ssl_r, ret,

+ ERR_error_string(err, NULL));

+ } while((err = ERR_get_error()));

+ } else {

+ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",

+ ssl_r, r, errno,

+ strerror(errno));

+ }

+ break;

+ default:

+ while((err = ERR_get_error())) {

+ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",

+ ssl_r, ret,

+ ERR_error_string(err, NULL));

+ }

+ break;

+ }

}

+ ERR_clear_error();

#endif

switch(con->mode) {

diff -urNad lighttpd-1.4.19~/src/network_openssl.c lighttpd-1.4.19/src/network_openssl.c

--- lighttpd-1.4.19~/src/network_openssl.c 2008-02-26 17:20:26.000000000 +0100

+++ lighttpd-1.4.19/src/network_openssl.c 2008-04-06 00:02:26.000000000 +0200

@@ -85,6 +85,7 @@

+ ERR_clear_error();

if ((r = SSL_write(ssl, offset, toSend)) <= 0) {

unsigned long err;

@@ -187,6 +188,7 @@

close(ifd);

+ ERR_clear_error();

if ((r = SSL_write(ssl, s, toSend)) <= 0) {

unsigned long err;

Older »