author | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-15 10:47:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-11-15 10:48:48 +0000 |
commit | de7e59e7703bb77f43e66a76ef00867bb6adc91c (patch) | |
tree | 52e4542902095a2deb0a2d20611174ff6bb671ce /main/lighttpd/CVE-2013-4559.patch | |
parent | fae48083587818b8b635db4b05eab53c2fec6243 (diff) | |
Diffstat (limited to 'main/lighttpd/CVE-2013-4559.patch')
-rw-r--r-- | main/lighttpd/CVE-2013-4559.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/main/lighttpd/CVE-2013-4559.patch b/main/lighttpd/CVE-2013-4559.patch
new file mode 100644
index 0000000000..e277f2a71d
--- /dev/null
+++ b/main/lighttpd/CVE-2013-4559.patch
@@ -0,0 +1,33 @@
+Index: lighttpd-1.4.x/src/server.c
+===================================================================
+--- lighttpd-1.4.x/src/server.c (revision 2922)
++++ lighttpd-1.4.x/src/server.c (revision 2923)
+@@ -820,8 +820,14 @@
+ * to /etc/group
+ * */
+ if (NULL != grp) {
+- setgid(grp->gr_gid);
+- setgroups(0, NULL);
++ if (-1 == setgid(grp->gr_gid)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "setgid failed: ", strerror(errno));
++ return -1;
++ }
++ if (-1 == setgroups(0, NULL)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "setgroups failed: ", strerror(errno));
++ return -1;
++ }
+ if (srv->srvconf.username->used) {
+ initgroups(srv->srvconf.username->ptr, grp->gr_gid);
+ }
+@@ -844,7 +850,10 @@
+ #ifdef HAVE_PWD_H
+ /* drop root privs */
+ if (NULL != pwd) {
+- setuid(pwd->pw_uid);
++ if (-1 == setuid(pwd->pw_uid)) {
++ log_error_write(srv, __FILE__, __LINE__, "ss", "setuid failed: ", strerror(errno));
++ return -1;
++ }
+ }
+ #endif
+ #if defined(HAVE_SYS_PRCTL_H) && defined(PR_SET_DUMPABLE) |
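Review bot: The `initgroups()` call kept as context in the first inner hunk, right after the new `setgroups` check, still has its return value ignored, so the privilege drop is only partly verified. If it fails, the server carries on with the empty supplementary group list left by `setgroups(0, NULL)` rather than the configured user's groups, and nothing is logged. For consistency with the three calls the patch does check, I would wrap it the same way: `if (-1 == initgroups(srv->srvconf.username->ptr, grp->gr_gid)) { log_error_write(srv, __FILE__, __LINE__, "ss", "initgroups failed: ", strerror(errno)); return -1; }`. Both inner hunks sit inside a function whose start and end are outside the patch, so I am assuming `return -1` is the right failure path there because the added lines already use it.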