[pkg-lighttpd] r317 - in lighttpd/trunk/debian: . patches

madcoder at alioth.debian.org madcoder at alioth.debian.org
Sun Apr 13 10:19:15 UTC 2008


Author: madcoder
Date: 2008-04-13 10:19:15 +0000 (Sun, 13 Apr 2008)
New Revision: 317

Added:
   lighttpd/trunk/debian/patches/ssl-connection-errors.patch
Modified:
   lighttpd/trunk/debian/changelog
   lighttpd/trunk/debian/patches/series
Log:
Add patches/ssl-connection-errors.patch for CVE-2008-1531


Modified: lighttpd/trunk/debian/changelog
===================================================================
--- lighttpd/trunk/debian/changelog	2008-04-13 10:15:51 UTC (rev 316)
+++ lighttpd/trunk/debian/changelog	2008-04-13 10:19:15 UTC (rev 317)
@@ -1,3 +1,10 @@
+lighttpd (1.4.19-2) UNRELEASED; urgency=low
+
+  * Add patches/ssl-connection-errors.patch for CVE-2008-1531
+    (Closes: 475438).
+
+ -- Pierre Habouzit <madcoder at debian.org>  Thu, 20 Mar 2008 00:53:45 +0100
+
 lighttpd (1.4.19-1~bpo40+1) etch-backports; urgency=low
 
   * Rebuild for etch-backports.

Modified: lighttpd/trunk/debian/patches/series
===================================================================
--- lighttpd/trunk/debian/patches/series	2008-04-13 10:15:51 UTC (rev 316)
+++ lighttpd/trunk/debian/patches/series	2008-04-13 10:19:15 UTC (rev 317)
@@ -2,3 +2,4 @@
 ldap_leak_bugfix.patch
 ldap_build_filter_fix.patch
 ldap-deprecated.patch
+ssl-connection-errors.patch

Added: lighttpd/trunk/debian/patches/ssl-connection-errors.patch
===================================================================
--- lighttpd/trunk/debian/patches/ssl-connection-errors.patch	                        (rev 0)
+++ lighttpd/trunk/debian/patches/ssl-connection-errors.patch	2008-04-13 10:19:15 UTC (rev 317)
@@ -0,0 +1,100 @@
+diff -r ade3eead0e8d -r 82c24356bcd0 NEWS
+--- a/NEWS	Fri Mar 28 16:30:14 2008 +0100
++++ b/NEWS	Fri Mar 28 17:45:28 2008 +0100
+@@ -8,6 +8,7 @@
+   * added support for If-Range: <date> (#1346)
+   * added support for matching $HTTP["scheme"] in configs
+   * fixed initgroups() called after chroot (#1384)
++  * Fix #285 again: read error after SSL_shutdown (thx marton.illes at balabit.com) and clear the error queue before some other calls
+   * fixed case-sensitive check for Auth-Method (#1456)
+   * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
+   * fixed a bug that made /-prefixed extensions being handled also when
+diff -r ade3eead0e8d -r 82c24356bcd0 src/connections.c
+--- a/src/connections.c	Fri Mar 28 16:30:14 2008 +0100
++++ b/src/connections.c	Fri Mar 28 17:45:28 2008 +0100
+@@ -199,6 +199,7 @@
+ 
+ 	/* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+ 
++	ERR_clear_error();
+ 	do {
+ 		if (!con->ssl_error_want_reuse_buffer) {
+ 			b = buffer_init();
+@@ -1668,21 +1669,51 @@
+ 			}
+ #ifdef USE_OPENSSL
+ 			if (srv_sock->is_ssl) {
+-				int ret;
++				int ret, ssl_r;
++				unsigned long err;
++				ERR_clear_error();
+ 				switch ((ret = SSL_shutdown(con->ssl))) {
+ 				case 1:
+ 					/* ok */
+ 					break;
+ 				case 0:
+-					SSL_shutdown(con->ssl);
+-					break;
++					ERR_clear_error();
++					if (-1 != (ret = SSL_shutdown(con->ssl))) break;
++
++					// fall through
+ 				default:
+-					log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+-							SSL_get_error(con->ssl, ret),
+-							ERR_error_string(ERR_get_error(), NULL));
+-					return -1;
++
++					switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++					case SSL_ERROR_WANT_WRITE:
++					case SSL_ERROR_WANT_READ:
++						break;
++					case SSL_ERROR_SYSCALL:
++						/* perhaps we have error waiting in our error-queue */
++						if (0 != (err = ERR_get_error())) {
++							do {
++								log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++										ssl_r, ret,
++										ERR_error_string(err, NULL));
++							} while((err = ERR_get_error()));
++						} else {
++							log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++									ssl_r, r, errno,
++									strerror(errno));
++						}
++	
++						break;
++					default:
++						while((err = ERR_get_error())) {
++							log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++									ssl_r, ret,
++									ERR_error_string(err, NULL));
++						}
++	
++						break;
++					}
+ 				}
+ 			}
++			ERR_clear_error();
+ #endif
+ 
+ 			switch(con->mode) {
+diff -r ade3eead0e8d -r 82c24356bcd0 src/network_openssl.c
+--- a/src/network_openssl.c	Fri Mar 28 16:30:14 2008 +0100
++++ b/src/network_openssl.c	Fri Mar 28 17:45:28 2008 +0100
+@@ -85,6 +85,7 @@
+ 			 *
+ 			 */
+ 
++			ERR_clear_error();
+ 			if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ 				unsigned long err;
+ 
+@@ -187,6 +188,7 @@
+ 
+ 				close(ifd);
+ 
++				ERR_clear_error();
+ 				if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ 					unsigned long err;
+ 
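Review bot: In the SSL_ERROR_SYSCALL branch the log call passes `ssl_r, r, errno,` while the two sibling log_error_write calls in the same switch pass `ssl_r, ret,`; `r` is not declared in the hunk, so if this compiles it must be a variable of the enclosing function holding a value unrelated to this SSL_shutdown, and the line should read `ssl_r, ret, errno,`. errno is also read only after `ERR_get_error()` has already been called in the `if` condition, which may have altered it; saving it into a local right after the failing SSL_shutdown (e.g. `int saved_errno = errno;` before the inner switch) keeps the logged value meaningful. Stylistically, the `// fall through` marker after `case 0` is the only `//` comment in code that otherwise uses `/* */`, and the two indented blank lines before the `break;` statements contain only a tab. The enclosing function starts and ends outside the hunk.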



