Ubuntu
lighttpd package

CVE-2008-1270 when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Feisty (7.04)
Bug #200987

Bug #200987 reported by Emanuele Gentili on 2008-03-11

264

	Status	Importance	Assigned to
lighttpd (Ubuntu)	Fix Released	Medium	Emanuele Gentili
Dapper	Fix Released	Medium	Emanuele Gentili
Edgy	Fix Released	Medium	Emanuele Gentili
Feisty	Fix Released	Medium	Emanuele Gentili
Gutsy	Fix Released	Medium	Emanuele Gentili
Hardy	Fix Released	Medium	Emanuele Gentili

Bug Description

mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.

http://trac.lighttpd.net/trac/ticket/1587
http://trac.lighttpd.net/trac/changeset/2120

Related branches

lp://staging/ubuntu/karmic/lighttpd

lp://staging/ubuntu/dapper-security/lighttpd

lp://staging/ubuntu/edgy-security/lighttpd

lp://staging/ubuntu/feisty-security/lighttpd

lp://staging/ubuntu/gutsy-updates/lighttpd

CVE References

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

hardy_lighttpd_1.4.18-1ubuntu6.debdiff Edit (2.0 KiB, text/plain)

Stephan Rügamer (sruegamer) on 2008-03-11

Changed in lighttpd:
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed
status:	New → Confirmed

Emanuele Gentili (emgent) on 2008-03-11

Changed in lighttpd:
assignee:	nobody → emgent
importance:	Undecided → Medium
status:	Confirmed → In Progress

Emanuele Gentili (emgent) on 2008-03-11

Changed in lighttpd:
assignee:	nobody → emgent
importance:	Undecided → Medium
status:	Confirmed → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-03-11:

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu6

---------------
lighttpd (1.4.18-1ubuntu6) hardy; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

-- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:16:48 +0100

Changed in lighttpd:
status:	In Progress → Fix Released

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

gutsy_lighttpd_1.4.18-1ubuntu1.3.debdiff Edit (2.0 KiB, text/plain)

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

feisty_lighttpd_1.4.13-9ubuntu4.5.debdiff Edit (2.0 KiB, text/plain)

Changed in lighttpd:
assignee:	nobody → emgent
importance:	Undecided → Medium
status:	Confirmed → In Progress

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

edgy_lighttpd_1.4.13~r1370-1ubuntu1.6.debdiff Edit (2.1 KiB, text/plain)

Changed in lighttpd:
assignee:	nobody → emgent
importance:	Undecided → Medium
status:	Confirmed → In Progress

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

dapper_lighttpd_1.4.11-3ubuntu3.8.debdiff Edit (2.0 KiB, text/plain)

Changed in lighttpd:
assignee:	nobody → emgent
importance:	Undecided → Medium
status:	Confirmed → In Progress

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

adding CVE-2008-0983

lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

Changed in lighttpd:
status:	Fix Released → In Progress

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11: Re: CVE-2008-0983 - CVE-2008-1270

hardy not vulnerable to CVE-2008-0983

Changed in lighttpd:
status:	In Progress → Fix Released

Revision history for this message

Emanuele Gentili (emgent) wrote on 2008-03-11:

CVE-2008-0983 fixed in all Ubuntu version by 90_maxfds_crash_fix.dpatch, plese procede to upload attached debdiff.

Jamie Strandboge (jdstrand) on 2008-03-11

Changed in lighttpd:
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-03-11:

#10

This bug was fixed in the package lighttpd - 1.4.18-1ubuntu1.3

---------------
lighttpd (1.4.18-1ubuntu1.3) gutsy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

-- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:37:58 +0100

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-03-11:

#11

This bug was fixed in the package lighttpd - 1.4.13-9ubuntu4.5

---------------
lighttpd (1.4.13-9ubuntu4.5) feisty-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

-- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:51:11 +0100

Changed in lighttpd:
status:	Fix Committed → Fix Released
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-03-14:

#12

lighttpd (1.4.13~r1370-1ubuntu1.6) edgy-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120

-- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 14:58:14 +0100

Changed in lighttpd:
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-03-14:

#13

lighttpd (1.4.11-3ubuntu3.8) dapper-security; urgency=low

  * SECURITY UPDATE: (LP: #200987)
   + debian/patches/91_CVE-2008-1270.dpatch
    - mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set,
      uses a default of $HOME, which might allow remote attackers to read arbitrary
      files, as demonstrated by accessing the ~nobody directory.
  * References
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1270
   + http://trac.lighttpd.net/trac/ticket/1587
   + http://trac.lighttpd.net/trac/changeset/2120