- SECURITY FIX for CVE-2008-0983

( http://secunia.com/cve_reference/CVE-2008-0983/ ) - add a patch to fix issues with group permissions, provided by Antti Harri ( already accepted upstream ) ok naddy@ brad@ (MAINTAINER)
2008-03-02 10:04:22 +00:00 · 2008-03-02 10:04:22 +00:00 · d7498b80d4
commit d7498b80d4
parent 375747e383
4 changed files with 99 additions and 1 deletions
--- a/www/lighttpd/Makefile
+++ b/www/lighttpd/Makefile
@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.47 2007/09/10 20:41:59 rui Exp $
+# $OpenBSD: Makefile,v 1.48 2008/03/02 10:04:22 jasper Exp $

 SHARED_ONLY=	Yes

 COMMENT=	secure, fast, compliant, and very flexible web-server

 DISTNAME=	lighttpd-1.4.18
+PKGNAME=	${DISTNAME}p0
 CATEGORIES=	www net
 MASTER_SITES=	${HOMEPAGE}/download/

--- a/www/lighttpd/patches/patch-src_fdevent_solaris_devpoll_c
+++ b/www/lighttpd/patches/patch-src_fdevent_solaris_devpoll_c
@ -0,0 +1,12 @@
+$OpenBSD: patch-src_fdevent_solaris_devpoll_c,v 1.1 2008/03/02 10:04:22 jasper Exp $
+--- src/fdevent_solaris_devpoll.c.orig	Fri Feb 29 15:51:27 2008
+++ src/fdevent_solaris_devpoll.c	Fri Feb 29 15:51:47 2008
+@@ -67,7 +67,7 @@ static int fdevent_solaris_devpoll_poll(fdevents *ev, 
+ 	int ret;
+ 
+ 	dopoll.dp_timeout = timeout_ms;
+-	dopoll.dp_nfds = ev->maxfds;
+	dopoll.dp_nfds = ev->maxfds - 1;
+ 	dopoll.dp_fds = ev->devpollfds;
+ 
+ 	ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll);
--- a/www/lighttpd/patches/patch-src_server_c
+++ b/www/lighttpd/patches/patch-src_server_c
@ -0,0 +1,49 @@
+$OpenBSD: patch-src_server_c,v 1.5 2008/03/02 10:04:22 jasper Exp $
+--- src/server.c.orig	Fri Feb 29 15:52:04 2008
+++ src/server.c	Fri Feb 29 18:59:11 2008
+@@ -697,9 +697,6 @@ int main (int argc, char **argv) {
+ 			}
+ 		}
+ 
+-		/* #372: solaris need some fds extra for devpoll */
+-		if (rlim.rlim_cur > 10) rlim.rlim_cur -= 10;
+-
+ 		if (srv->event_handler == FDEVENT_HANDLER_SELECT) {
+ 			srv->max_fds = rlim.rlim_cur < FD_SETSIZE - 200 ? rlim.rlim_cur : FD_SETSIZE - 200;
+ 		} else {
+@@ -759,6 +756,19 @@ int main (int argc, char **argv) {
+ 
+ 			return -1;
+ 		}
+
+#ifdef HAVE_PWD_H
+		/**
+		 * initgroups() has to be called before chroot()
+		 */
+		if (srv->srvconf.groupname->used) {
+			setgid(grp->gr_gid);
+			setgroups(0, NULL);
+			if (srv->srvconf.username->used) {
+				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
+			}
+		}
+#endif
+ #ifdef HAVE_CHROOT
+ 		if (srv->srvconf.changeroot->used) {
+ 			tzset();
+@@ -775,15 +785,7 @@ int main (int argc, char **argv) {
+ #endif
+ #ifdef HAVE_PWD_H
+ 		/* drop root privs */
+-		if (srv->srvconf.groupname->used) {
+-			setgid(grp->gr_gid);
+-			setgroups(0, NULL);
+-		}
+-
+ 		if (srv->srvconf.username->used) {
+-			if (srv->srvconf.groupname->used) {
+-				initgroups(srv->srvconf.username->ptr, grp->gr_gid);
+-			}
+ 			setuid(pwd->pw_uid);
+ 		}
+ #endif
--- a/www/lighttpd/patches/patch-src_spawn-fcgi_c
+++ b/www/lighttpd/patches/patch-src_spawn-fcgi_c
@ -0,0 +1,36 @@
+$OpenBSD: patch-src_spawn-fcgi_c,v 1.1 2008/03/02 10:04:22 jasper Exp $
+--- src/spawn-fcgi.c.orig	Fri Feb 29 18:59:42 2008
+++ src/spawn-fcgi.c	Fri Feb 29 19:02:19 2008
+@@ -404,6 +404,18 @@ int main(int argc, char **argv) {
+ 			}
+ 		}
+ 
+		/*
+		 * Change group before chroot, when we have access
+		 * to /etc/group
+		 */
+		if (groupname) {
+			setgid(grp->gr_gid);
+			setgroups(0, NULL);
+			if (username) {
+				initgroups(username, grp->gr_gid);
+			}
+		}
+
+ 		if (changeroot) {
+ 			if (-1 == chroot(changeroot)) {
+ 				fprintf(stderr, "%s.%d: %s %s\n",
+@@ -420,13 +432,7 @@ int main(int argc, char **argv) {
+ 		}
+ 
+ 		/* drop root privs */
+-		if (groupname) {
+-			setgid(grp->gr_gid);
+-		}
+ 		if (username) {
+-			if (groupname) {
+-				initgroups(username, grp->gr_gid);
+-			}
+ 			setuid(pwd->pw_uid);
+ 		}
+ 	}