lighttpd CVE-2022-22707

Bug #1994989 reported by Malte S. Stretz
This bug affects 2 people
Affects              Status        Importance  Assigned to             Milestone
lighttpd (Ubuntu)    Fix Released  Undecided   Paulo Flabiano Smorigo
  Focal              Fix Released  Undecided   Paulo Flabiano Smorigo
  Jammy              Fix Released  Undecided   Paulo Flabiano Smorigo
  Kinetic            Fix Released  Undecided   Paulo Flabiano Smorigo

Bug Description

While debugging some odd and probably extforward-related logging issue on one of my machines I stumbled upon CVE-2022-22707, which affects the lighttpd version in jammy (and focal; bionic is fine). It is untriaged according to https://ubuntu.com/security/CVE-2022-22707

Since the version in kinetic is fixed it should probably just be backported to jammy.

There is also a simple patch attached to https://redmine.lighttpd.net/issues/3134 which I attached here.

CVE References

https://ubuntu.com/security/CVE-2022-22707
https://ubuntu.com/security/CVE-2022-41556

Revision history for this message
Malte S. Stretz (mss) wrote :
information type: Private Security → Public Security
description: updated
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.
I've taken the time to triage some lighttpd CVEs and that should soon be reflected in the CVE web page.
I've downgraded the priority for that CVE specifically as it is 32-bit specific and hard to exploit according to upstream.

Since the package referred to in this bug is in universe, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in lighttpd (Ubuntu):
status: New → Confirmed
Revision history for this message
Malte S. Stretz (mss) wrote (last edit ):

Thanks for getting back to this report. I actually read that page but didn't completely understand how the procedure exactly works for universe.

Would a debdiff to this issue be the proper way forward? I think I can do that.

What would be the preferred way:
* Bumping the version in jammy to kinetic?
* Add the attached patch to the quilt patchset?

I'd personally prefer the former but am not sure about the policy and that sounds more like something for backports than for security.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

We (security team) prefer to patch the vulnerability instead of bumping versions, as this not only brings security fixes but also bug fixes, new features and probably new dependencies that could eventually cause API/ABI issues for users. So for the sake of stability we prefer to patch the vulnerability.

After you apply the patch, build it and test it, you can send us the generated debdiff.

I do notice that the patch you attached is a bit different from the one upstream actually applied; you might want to use upstream's in this case, just to keep consistency.

Revision history for this message
Malte S. Stretz (mss) wrote :

I pulled the patch from the Redmine ticket but it is possible that it was outdated, I'll test with the actual change https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664.patch

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I am unsubscribing ubuntu-security-sponsors from this bug for now as there is no appropriate debdiff to sponsor here. Please attach a complete debdiff for sponsoring, and resubscribe ubuntu-security-sponsors to continue with this issue. Thanks!

Revision history for this message
Jack Fewx (cseengineer) wrote (last edit ):

I was scanning my system for CVEs and found this one along with CVE-2022-41556. Both Ubuntu trackers, https://ubuntu.com/security/CVE-2022-22707 and https://ubuntu.com/security/CVE-2022-41556, show a patch is needed. I attached my first-ever debdiff. Feedback on format updates and next steps please.

I'm running my changes, and so far so good.
$ sudo apt list light\* --installed
Listing... Done
lighttpd-mod-deflate/now 1.4.63-1ubuntu4 amd64 [installed,local]
lighttpd-mod-openssl/now 1.4.63-1ubuntu4 amd64 [installed,local]
lighttpd/now 1.4.63-1ubuntu4 amd64 [installed,local]

Changed in lighttpd (Ubuntu):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in lighttpd (Ubuntu Jammy):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello Jack, I've uploaded a new version of lighttpd with your changes to Ubuntu Security Proposed: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=lighttpd

Can you check if that's working properly? About the debdiff, I did some minor changes:
 - Renamed the patches to the format we use, CVE-YYYY-XXXX.patch;
 - Changed the text in the changelog to follow our pattern and added this LP number;
 - Changed the version from 4 to 3.1 (we only change the major number for development releases).

Are you going to send the debdiffs for kinetic and focal? Just let me know; otherwise I'll do it.

Thanks!

Revision history for this message
Jack Fewx (cseengineer) wrote :

Hello Paulo,

I am running the built 3.1 version (jammy, AMD64) and everything seems to be fine. I have not gone digging for an exploit for those CVEs to test out, so I'm going to trust the upstream developers and the simplicity of the fixes.

Thank you for the pointers on debdiff syntax; I replicated the effort on 2 new ones for you, for Focal and Kinetic. Note the other 2 revisions only have 1 of the CVEs: Focal is only CVE-2022-22707, and Kinetic is only CVE-2022-41556, too old and too new respectively for the other CVE.

Revision history for this message
Jack Fewx (cseengineer) wrote :

And Kinetic

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello Jack,

I've uploaded the kinetic and focal versions to the same PPA and they are building now. The only modification in the debdiff was to change the release string from UNRELEASED to (focal,kinetic)-security in order to be accepted in the security pocket. I forgot to tell you about this in the last message.

I'll run some tests later today and if everything goes fine, I'll publish those packages on Monday.

Thanks!

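The conventions spelled out across the two sponsor comments above (the patch lives in debian/patches as CVE-YYYY-XXXX.patch, the changelog stanza carries the LP number and the CVE id, the release string is <series>-security rather than UNRELEASED, and only a trailing stable-update component of the version is bumped, never the ubuntuN revision) collected into one script. This is an added example, not code from the bug report or from the Ubuntu security team. It assumes ubuntu-dev-tools (pull-lp-source), quilt and devscripts (dch-style changelog, debuild, debdiff) are installed and that DEBFULLNAME and DEBEMAIL are exported; the .20.04. infix for a version shared across series is taken from the focal upload in this bug (1.4.55-1ubuntu1.20.04.2), and the function and argument names are my own.

```shell
#!/bin/sh
# Added example: the universe security-update workflow described in this bug.
# Assumes ubuntu-dev-tools, quilt and devscripts; DEBFULLNAME/DEBEMAIL exported.

# Next stable-update version. The "ubuntuN" revision is reserved for the
# development release; a stable update appends ".1" or increments the last
# component. When the same upstream version ships in several series, pass the
# series number (e.g. 20.04) to get ...ubuntuN.20.04.1 as the focal upload did.
next_security_version() {
  ver=$1
  series=${2:-}
  case $ver in
    *ubuntu*)
      base=${ver%%ubuntu*}     # 1.4.63-1
      rev=${ver#*ubuntu}       # 3, 3.1 or 1.20.04.1
      case $rev in
        *.*)                   # already a stable update: bump the last part
          printf '%subuntu%s.%s\n' "$base" "${rev%.*}" "$(( ${rev##*.} + 1 ))" ;;
        *)
          if [ -n "$series" ]; then
            printf '%subuntu%s.%s.1\n' "$base" "$rev" "$series"
          else
            printf '%subuntu%s.1\n' "$base" "$rev"
          fi ;;
      esac ;;
    *)                         # unmodified Debian version: first Ubuntu delta
      if [ -n "$series" ]; then
        printf '%subuntu0.%s.1\n' "$ver" "$series"
      else
        printf '%subuntu0.1\n' "$ver"
      fi ;;
  esac
}

# Changelog stanza in the pattern the janitor entries in this bug show.
# Args: package newver series summary cve detail lp-number
changelog_entry() {
  pkg=$1 ver=$2 series=$3 summary=$4 cve=$5 detail=$6 lp=$7
  printf '%s (%s) %s-security; urgency=medium\n\n' "$pkg" "$ver" "$series"
  printf '  * SECURITY UPDATE: %s\n' "$summary"
  printf '    - debian/patches/%s.patch: %s\n      (LP: #%s)\n' "$cve" "$detail" "$lp"
  printf '    - %s\n\n' "$cve"
  printf ' -- %s <%s>  %s\n\n' "${DEBFULLNAME:-Unknown}" \
    "${DEBEMAIL:-unknown@example.invalid}" "$(date -R)"
}

# Pull the source, import the upstream fix, prepend the stanza, build a
# source package and produce the debdiff to attach to the bug.
# Args: package series lp-number cve upstream-patch-file summary detail
prepare_security_update() {
  pkg=$1 series=$2 lp=$3 cve=$4 patch=$5 summary=$6 detail=$7
  pull-lp-source "$pkg" "$series"
  cd "$pkg"-*/ || return 1
  oldver=$(dpkg-parsechangelog -S Version)
  newver=$(next_security_version "$oldver")
  export QUILT_PATCHES=debian/patches
  # 3.0 (quilt) sources come out of dpkg-source with existing patches applied,
  # so import the new one after them and push only it.
  quilt import -P "$cve.patch" "$patch"
  quilt push
  { changelog_entry "$pkg" "$newver" "$series" "$summary" "$cve" "$detail" "$lp"
    cat debian/changelog; } > debian/changelog.new
  mv debian/changelog.new debian/changelog
  debuild -S -d
  cd ..
  debdiff "${pkg}_${oldver#*:}.dsc" "${pkg}_${newver#*:}.dsc" \
    > "${pkg}_${newver#*:}.debdiff"
}

# On a deployed host: is the installed package at or above the fixed version?
installed_is_fixed() {
  dpkg --compare-versions "$(dpkg-query -W -f='${Version}' "$1")" ge "$2"
}

# Offline demonstration with the versions that appear in this bug.
for v in 1.4.55-1ubuntu1.20.04.1 1.4.63-1ubuntu3 1.4.65-2ubuntu1; do
  printf '%s -> %s\n' "$v" "$(next_security_version "$v")"
done
```

Usage on a real checkout would be, for example, `prepare_security_update lighttpd jammy 1994989 CVE-2022-22707 ../8c62a890.patch 'Out-of-bounds Write' 'mod_extforward_Forwarded stack-based buffer overflow'`, and on a server `installed_is_fixed lighttpd 1.4.63-1ubuntu3.1 && echo fixed`.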
Changed in lighttpd (Ubuntu Focal):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in lighttpd (Ubuntu Kinetic):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.65-2ubuntu1.1

---------------
lighttpd (1.4.65-2ubuntu1.1) kinetic-security; urgency=medium

  * SECURITY UPDATE: Resource leak
    - debian/patches/CVE-2022-41556.patch: Resource leak in gw_backend.c.
      (LP: #1994989)
    - CVE-2022-41556

 -- Jack Fewx <email address hidden> Thu, 16 Feb 2023 20:35:58 -0600

Changed in lighttpd (Ubuntu Kinetic):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.55-1ubuntu1.20.04.2

---------------
lighttpd (1.4.55-1ubuntu1.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds Write
    - debian/patches/CVE-2022-22707.patch: mod_extforward_Forwarded function
      of the mod_extforward plugin has a stack-based buffer overflow.
      (LP: #1994989)
    - CVE-2022-22707

 -- Jack Fewx <email address hidden> Thu, 16 Feb 2023 20:09:14 -0600

Changed in lighttpd (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lighttpd - 1.4.63-1ubuntu3.1

---------------
lighttpd (1.4.63-1ubuntu3.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds Write
    - debian/patches/CVE-2022-22707.patch: mod_extforward_Forwarded function
      of the mod_extforward plugin has a stack-based buffer overflow.
      (LP: #1994989)
    - CVE-2022-22707
  * SECURITY UPDATE: Resource leak
    - debian/patches/CVE-2022-41556.patch: Resource leak in gw_backend.c.
    - CVE-2022-41556

 -- Jack Fewx <email address hidden> Mon, 13 Feb 2023 21:33:26 -0600

Changed in lighttpd (Ubuntu Jammy):
status: New → Fix Released
Changed in lighttpd (Ubuntu):
status: Confirmed → Fix Released