From d8d0da602f7ab06b37be787d6580db7da78dca1d Mon Sep 17 00:00:00 2001
From: mayp <mayanping@ncti-gba.cn>
Date: Mon, 19 Sep 2022 19:22:31 +0800
Subject: [PATCH]  Changes to be committed: 	new file:  
 CVE-2022-37797.patch 	modified:   lighttpd.spec

---
 CVE-2022-37797.patch | 29 +++++++++++++++++++++++++++++
 lighttpd.spec        |  7 ++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-37797.patch

diff --git a/CVE-2022-37797.patch b/CVE-2022-37797.patch
new file mode 100644
index 0000000..976d267
--- /dev/null
+++ b/CVE-2022-37797.patch
@@ -0,0 +1,29 @@
+From 726748093336e9c1d0e7b70d7180b2aa8196061b Mon Sep 17 00:00:00 2001
+From: mayp <mayanping@ncti-gba.cn>
+Date: Mon, 19 Sep 2022 19:01:08 +0800
+Subject: [PATCH] [mod_wstunnel] fix crash with bad hybivers (fixes #3165) modified:
+ src/mod_wstunnel.c
+
+---
+ src/mod_wstunnel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_wstunnel.c b/src/mod_wstunnel.c
+index 6d17d4d..97b89f0 100644
+--- a/src/mod_wstunnel.c
++++ b/src/mod_wstunnel.c
+@@ -483,7 +483,10 @@ static handler_t wstunnel_handler_setup (request_st * const r, plugin_data * con
+     hctx->errh = r->conf.errh;/*(for mod_wstunnel-specific DEBUG_* macros)*/
+     hctx->conf = p->conf; /*(copies struct)*/
+     hybivers = wstunnel_check_request(r, hctx);
+-    if (hybivers < 0) return HANDLER_FINISHED;
++    if (hybivers < 0) {
++        r->handler_module = NULL;
++        return HANDLER_FINISHED;
++    }
+     hctx->hybivers = hybivers;
+     if (0 == hybivers) {
+         DEBUG_LOG_INFO("WebSocket Version = %s", "hybi-00");
+-- 
+2.33.0
+
diff --git a/lighttpd.spec b/lighttpd.spec
index bcce14a..ebe6cc6 100644
--- a/lighttpd.spec
+++ b/lighttpd.spec
@@ -20,7 +20,7 @@
 Summary:             Lightning fast webserver with light system requirements
 Name:                lighttpd
 Version:             1.4.63
-Release:             4
+Release:             5
 License:             BSD-3-Clause and OML and GPLv3 and GPLv2
 URL:                 https://github.com/lighttpd/lighttpd1.4
 Source0:             https://github.com/lighttpd/lighttpd1.4/archive/lighttpd-1.4.63.tar.gz
@@ -32,6 +32,7 @@ Patch0:              lighttpd-1.4.62-defaultconf.patch
 Patch1:              5a257fab511225bbfa56b4f1a8b2bb7085f96478.patch
 Patch2:              492773a20f8a1deb1c94e25d40023970dd9608a1.patch
 Patch3:              CVE-2022-22707.patch
+Patch4:              CVE-2022-37797.patch
 Requires:            %{name}-filesystem
 %if %{with systemd}
 Requires(post):      systemd
@@ -112,6 +113,7 @@ for the directories.
 %patch1 -p1 -b .setrlimit
 %patch2 -p1 -b .fixtrace
 %patch3 -p1
+%patch4 -p1
 
 %build
 autoreconf -if
@@ -258,6 +260,9 @@ fi
 %attr(0700, lighttpd, lighttpd) %dir %{webroot}/
 
 %changelog
+* Mon Sep 19 2022 mayp <mayanping@ncti-gba.cn> - 1.4.63-5
+- Fix CVE-2022-37797 
+
 * Thu Aug 18 2022 caodongxia <caodongxia@h-partners.com> - 1.4.63-4
 - Disable fam support as gamin is deprecated
 
-- 
Gitee