[pkg-lighttpd] Bug#474951: Bug#474951: Is a fix for etch planned?

Pierre Habouzit madcoder at debian.org
Tue Apr 15 08:48:21 UTC 2008


On Tue, Apr 15, 2008 at 07:34:12AM +0000, Martin Schulze wrote:
> Philipp Kern wrote:
> > On Tue, Apr 15, 2008 at 08:39:03AM +0200, Pierre Habouzit wrote:
> > >   Dear security team, you broke lighttpd badly with your last upload,
> > > because you use a broken patch to fix the last CVE on it. Please update
> > > the patch, using e.g. the one in the unstable version instead.  You've
> > > broken lighttpd for almost 10 days, it's quite unacceptable to have a
> > > lighttpd in _stable_ in that state.
> > > 
> > >   Dear SRM team: would an upload to s-p-u be accepted if the security
> > > team still doesn't react?
> > 
> > As the current lighttpd distributed through security is utterly broken
> > if you have SSL activated, of course I would accept an update through
> > s-p-u.  But I would be deeply disappointed about how this is handled, too.
> 
> Since it's broken on security.debian.org, it should be fixed there
> and passed through to s-p-u.
> 
> Pierre, could you send the relevant patch to the security team for 
> safety?

  The proper patch to use is attached (it should supersede the one that
the security upload used before). It also has to be converted to dpatch
as stable uses dpatch whereas unstable uses quilt.

Cheers,
-- 
·O·  Pierre Habouzit
··O                                                madcoder at debian.org
OOO                                                http://www.madism.org
-------------- next part --------------
diff -r ade3eead0e8d -r 82c24356bcd0 NEWS
--- a/NEWS	Fri Mar 28 16:30:14 2008 +0100
+++ b/NEWS	Fri Mar 28 17:45:28 2008 +0100
@@ -8,6 +8,7 @@
   * added support for If-Range: <date> (#1346)
   * added support for matching $HTTP["scheme"] in configs
   * fixed initgroups() called after chroot (#1384)
+  * Fix #285 again: read error after SSL_shutdown (thx marton.illes at balabit.com) and clear the error queue before some other calls
   * fixed case-sensitive check for Auth-Method (#1456)
   * execute fcgi app without /bin/sh if used as argument to spawn-fcgi (#1428)
   * fixed a bug that made /-prefixed extensions being handled also when
diff -r ade3eead0e8d -r 82c24356bcd0 src/connections.c
--- a/src/connections.c	Fri Mar 28 16:30:14 2008 +0100
+++ b/src/connections.c	Fri Mar 28 17:45:28 2008 +0100
@@ -199,6 +199,7 @@
 
 	/* don't resize the buffer if we were in SSL_ERROR_WANT_* */
 
+	ERR_clear_error();
 	do {
 		if (!con->ssl_error_want_reuse_buffer) {
 			b = buffer_init();
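Review bot: the new `ERR_clear_error()` at the head of the read loop needs a one-line comment saying why it is there, because the only nearby comment talks about buffer resizing. The reader has to know that `SSL_get_error()` consults the thread's OpenSSL error queue, so an entry left over from an earlier call would make an otherwise clean `SSL_read()` result look like `SSL_ERROR_SSL` or `SSL_ERROR_SYSCALL`. Something like `/* drop stale queue entries so SSL_get_error() reflects this SSL_read() only */` directly above the call would make the intent visible.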
@@ -1668,21 +1669,51 @@
 			}
 #ifdef USE_OPENSSL
 			if (srv_sock->is_ssl) {
-				int ret;
+				int ret, ssl_r;
+				unsigned long err;
+				ERR_clear_error();
 				switch ((ret = SSL_shutdown(con->ssl))) {
 				case 1:
 					/* ok */
 					break;
 				case 0:
-					SSL_shutdown(con->ssl);
-					break;
+					ERR_clear_error();
+					if (-1 != (ret = SSL_shutdown(con->ssl))) break;
+
+					// fall through
 				default:
-					log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
-							SSL_get_error(con->ssl, ret),
-							ERR_error_string(ERR_get_error(), NULL));
-					return -1;
+
+					switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
+					case SSL_ERROR_WANT_WRITE:
+					case SSL_ERROR_WANT_READ:
+						break;
+					case SSL_ERROR_SYSCALL:
+						/* perhaps we have error waiting in our error-queue */
+						if (0 != (err = ERR_get_error())) {
+							do {
+								log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+										ssl_r, ret,
+										ERR_error_string(err, NULL));
+							} while((err = ERR_get_error()));
+						} else {
+							log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
+									ssl_r, r, errno,
+									strerror(errno));
+						}
+	
+						break;
+					default:
+						while((err = ERR_get_error())) {
+							log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
+									ssl_r, ret,
+									ERR_error_string(err, NULL));
+						}
+	
+						break;
+					}
 				}
 			}
+			ERR_clear_error();
 #endif
 
 			switch(con->mode) {
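Review bot: the `SSL_ERROR_SYSCALL` branch logs `ssl_r, r, errno`, but `r` is not declared anywhere in this block; the variables introduced at the top of the `if (srv_sock->is_ssl)` body are `ret`, `ssl_r` and `err`, and both sibling `log_error_write()` calls pass `ret`. Unless an outer `r` happens to be in scope this will not compile, and if one is, the logged value has nothing to do with this `SSL_shutdown()`; it should read `ssl_r, ret, errno`. Two smaller points in the same hunk: `// fall through` is the only C++-style comment here while the surrounding code uses `/* */`, and the two `+` lines containing only a tab before each `break;` add trailing whitespace.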
diff -r ade3eead0e8d -r 82c24356bcd0 src/network_openssl.c
--- a/src/network_openssl.c	Fri Mar 28 16:30:14 2008 +0100
+++ b/src/network_openssl.c	Fri Mar 28 17:45:28 2008 +0100
@@ -85,6 +85,7 @@
 			 *
 			 */
 
+			ERR_clear_error();
 			if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
 				unsigned long err;
 
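Review bot: same request as for connections.c: the bare `ERR_clear_error();` placed in front of `SSL_write()` should carry a short comment stating that it exists so the `SSL_get_error()` in the error branch below is not misled by entries queued by earlier calls. Since the identical line is added before both `SSL_write()` call sites in this file, a comment at this first one that also covers the second would be enough.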
@@ -187,6 +188,7 @@
 
 				close(ifd);
 
+				ERR_clear_error();
 				if ((r = SSL_write(ssl, s, toSend)) <= 0) {
 					unsigned long err;
 