Salvatore Bonaccorso <[email protected]> writes: > Thanks for fixing this with the 3.0.5-1 upload. Could you please also > prepare packages for squeeze-security and wheezy-security? I already > had a look at wheezy today; attached is a proposed debdiff (but > not yet tested apart from the testsuite).
I've prepared: * varnish_2.1.3-8+deb6u1 for squeeze-security * varnish_3.0.2-2+deb7u1 for wheezy-security Debdiffs attached:
diff -Nru varnish-3.0.2/debian/changelog varnish-3.0.2/debian/changelog
--- varnish-3.0.2/debian/changelog 2012-05-01 16:22:42.000000000 +0200
+++ varnish-3.0.2/debian/changelog 2013-12-09 00:48:01.000000000 +0100
@@ -1,3 +1,11 @@
+varnish (3.0.2-2+deb7u1) wheezy-security; urgency=high
+
+ * Import upstream security patch.
+ A malformed request could in some configurations lead to Varnish
+ crashing. CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <[email protected]> Sun, 08 Dec 2013 23:36:59 +0100
+
 varnish (3.0.2-2) unstable; urgency=low
 
 [ Knut Arne Bjørndal ]
diff -Nru varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
--- varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch 1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch 2013-12-09 00:48:30.000000000 +0100
@@ -0,0 +1,133 @@ +From 6de534b7096879890ac152537c87551fda204944 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland <[email protected]> +Date: Wed, 30 Oct 2013 13:48:20 +0100 +Subject: [PATCH] Make up our mind: Any req.* we receive from the client with + fundamental trouble gets failed back without VCL involvement. + +Fixes #1367 +--- + bin/varnishd/cache_center.c | 28 +++++++++++++++------------- + bin/varnishd/cache_http.c | 2 +- + bin/varnishtest/tests/r01367.vtc | 30 ++++++++++++++++++++++++++++++ + 3 files changed, 46 insertions(+), 14 deletions(-) + create mode 100644 bin/varnishtest/tests/r01367.vtc + +diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c +index 4d94d88..190aeaf 100644 +--- a/bin/varnishd/cache_center.c ++++ b/bin/varnishd/cache_center.c +@@ -1453,9 +1453,12 @@ DOT start -> recv [style=bold,color=green] + static int + cnt_start(struct sess *sp) + { +- uint16_t done; ++ uint16_t err_code; + char *p; +- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; ++ const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n"; ++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + AZ(sp->restarts); +@@ -1478,10 +1481,14 @@ cnt_start(struct sess *sp) + sp->wrk->vcl = NULL; + + http_Setup(sp->http, sp->ws); +- done = http_DissectRequest(sp); ++ err_code = http_DissectRequest(sp); + + /* If we could not even parse the request, just close */ +- if (done == 400) { ++ if (err_code == 400) ++ (void)write(sp->fd, r_400, strlen(r_400)); ++ else if (err_code == 413) ++ (void)write(sp->fd, r_413, strlen(r_413)); ++ if (err_code != 0) { + sp->step = STP_DONE; + vca_close_session(sp, "junk"); + return (0); +@@ -1493,12 +1500,6 @@ cnt_start(struct sess *sp) + /* Catch original request, before modification */ + HTTP_Copy(sp->http0, sp->http); + +- if (done != 0) { +- sp->err_code 
= done; +- sp->step = STP_ERROR; +- return (0); +- } +- + sp->doclose = http_DoConnection(sp->http); + + /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ +@@ -1508,13 +1509,14 @@ cnt_start(struct sess *sp) + */ + if (http_GetHdr(sp->http, H_Expect, &p)) { + if (strcasecmp(p, "100-continue")) { +- sp->err_code = 417; +- sp->step = STP_ERROR; ++ (void)write(sp->fd, r_417, strlen(r_417)); ++ sp->step = STP_DONE; ++ vca_close_session(sp, "junk"); + return (0); + } + + /* XXX: Don't bother with write failures for now */ +- (void)write(sp->fd, r, strlen(r)); ++ (void)write(sp->fd, r_100, strlen(r_100)); + /* XXX: When we do ESI includes, this is not removed + * XXX: because we use http0 as our basis. Believed + * XXX: safe, but potentially confusing. +diff --git a/bin/varnishd/cache_http.c b/bin/varnishd/cache_http.c +index 844e71b..b96fb22 100644 +--- a/bin/varnishd/cache_http.c ++++ b/bin/varnishd/cache_http.c +@@ -601,7 +601,7 @@ http_splitline(struct worker *w, int fd, struct http *hp, + hp->hd[h2].e = p; + + if (!Tlen(hp->hd[h2])) +- return (413); ++ return (400); + + /* Skip SP */ + for (; vct_issp(*p); p++) { +diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc +new file mode 100644 +index 0000000..e1de20a +--- /dev/null ++++ b/bin/varnishtest/tests/r01367.vtc +@@ -0,0 +1,30 @@ ++varnishtest "blank GET" ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++ sub vcl_error { ++ return (restart); ++ } ++} -start ++ ++client c1 { ++ send "GET \nHost: example.com\n\n" ++ rxresp ++ expect resp.status == 400 ++} -run ++ ++client c1 { ++ txreq -hdr "Expect: Santa-Claus" ++ rxresp ++ expect resp.status == 417 ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run +-- +1.8.4.rc3 + diff -Nru varnish-3.0.2/debian/patches/series varnish-3.0.2/debian/patches/series --- varnish-3.0.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ varnish-3.0.2/debian/patches/series 2013-12-09 
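Review bot: The three new `(void)write()` calls in cnt_start (the 400/413 branch right after http_DissectRequest and the 417 branch inside the Expect check) inherit the caveat of the existing `/* XXX: Don't bother with write failures for now */` comment, but that comment still sits only above the 100-continue write, so the rejection writes read as unchecked I/O; I would put a copy above the first error write, e.g. `/* Best effort: the session is closed right below, so write errors are ignored (see XXX at the 100-continue write) */`. The 417 branch also repeats the `sp->step = STP_DONE; vca_close_session(sp, "junk"); return (0);` sequence of the err_code branch with the same `"junk"` close reason, so 400, 413 and 417 rejections cannot be told apart in the session-close reason; a per-status reason would keep them distinguishable for log analysis and for spotting a burst of malformed requests. cnt_start continues outside the hunk, and which codes http_DissectRequest can return is not visible here.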
 00:48:30.000000000 +0100
@@ -0,0 +1,2 @@
+# debian/source/git-patches exported from git by quilt-patches-deb-export-hook
+0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
diff -Nru varnish-3.0.2/debian/source/git-patches varnish-3.0.2/debian/source/git-patches
--- varnish-3.0.2/debian/source/git-patches 1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/source/git-patches 2013-12-09 00:48:01.000000000 +0100
@@ -0,0 +1,4 @@
+# Security patch for varnish 3.0.2 cherry-picked from 3.0.5
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728989
+
+upstream/3.0.2...patches/3.0.2-CVE-2013-4484
diff -Nru varnish-2.1.3/debian/changelog varnish-2.1.3/debian/changelog
--- varnish-2.1.3/debian/changelog 2013-12-09 00:40:13.000000000 +0100
+++ varnish-2.1.3/debian/changelog 2013-12-09 01:19:57.000000000 +0100
@@ -1,3 +1,12 @@
+varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
+
+ [ Salvatore Bonaccorso ]
+ * Backport upstream security patch.
+ A malformed request could in some configurations lead to Varnish
+ crashing. CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <[email protected]> Mon, 09 Dec 2013 01:19:45 +0100
+
 varnish (2.1.3-8) unstable; urgency=high
 
 * Fix random secret creation on non-Linux kernels (Closes: #596373)
diff -Nru varnish-2.1.3/debian/patches/debian-changes-2.1.3-8 varnish-2.1.3/debian/patches/debian-changes-2.1.3-8
--- varnish-2.1.3/debian/patches/debian-changes-2.1.3-8 2013-12-09 00:42:11.000000000 +0100
+++ varnish-2.1.3/debian/patches/debian-changes-2.1.3-8 1970-01-01 01:00:00.000000000 +0100
@@ -1,206 +0,0 @@ -Description: Upstream changes introduced in version 2.1.3-8 - This patch has been created by dpkg-source during the package build. - Here's the last changelog entry, hopefully it gives details on why - those changes were made: - . - varnish (2.1.3-8) unstable; urgency=high - . - * Fix random secret creation on non-Linux kernels (Closes: #596373) - * Urgency "high" due to FTBFS RC bug during squeeze freeze - . - The person named in the Author field signed this changelog entry. -Author: Stig Sandbeck Mathisen <[email protected]> -Bug-Debian: http://bugs.debian.org/596373 - ---- -The information above should follow the Patch Tagging Guidelines, please -checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here -are templates for supplementary fields that you might want to add: - -Origin: <vendor|upstream|other>, <url of original patch> -Bug: <url in upstream bugtracker> -Bug-Debian: http://bugs.debian.org/<bugnumber> -Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> -Forwarded: <no|not-needed|url proving that it has been forwarded> -Reviewed-By: <name and email of someone who approved the patch> -Last-Update: <YYYY-MM-DD> - ---- varnish-2.1.3.orig/bin/varnishd/cache_center.c -+++ varnish-2.1.3/bin/varnishd/cache_center.c -@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=gree - static int - cnt_start(struct sess *sp) - { -- int done; -+ uint16_t err_code; - char *p; -- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; -+ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; -+ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; -+ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; - - CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); - AZ(sp->restarts); -@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp) - sp->wrk->vcl = NULL; - - http_Setup(sp->http, sp->ws); -- done = http_DissectRequest(sp); -+ err_code = http_DissectRequest(sp); - - /* If we could not even parse the request, just close */ -- if (done < 0) { -+ if 
(err_code == 400) -+ (void)write(sp->fd, r_400, strlen(r_400)); -+ if (err_code != 0) { - sp->step = STP_DONE; - vca_close_session(sp, "junk"); - return (0); -@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp) - /* Catch original request, before modification */ - HTTP_Copy(sp->http0, sp->http); - -- if (done != 0) { -- sp->err_code = done; -- sp->step = STP_ERROR; -- return (0); -- } -- - sp->doclose = http_DoConnection(sp->http); - - /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ -@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp) - */ - if (http_GetHdr(sp->http, H_Expect, &p)) { - if (strcasecmp(p, "100-continue")) { -- sp->err_code = 417; -- sp->step = STP_ERROR; -+ (void)write(sp->fd, r_417, strlen(r_417)); -+ sp->step = STP_DONE; -+ vca_close_session(sp, "junk"); - return (0); - } - - /* XXX: Don't bother with write failures for now */ -- (void)write(sp->fd, r, strlen(r)); -+ (void)write(sp->fd, r_100, strlen(r_100)); - /* XXX: When we do ESI includes, this is not removed - * XXX: because we use http0 as our basis. Believed - * XXX: safe, but potentially confusing. ---- varnish-2.1.3.orig/bin/varnishtest/tests/v00014.vtc -+++ varnish-2.1.3/bin/varnishtest/tests/v00014.vtc -@@ -2,6 +2,7 @@ - - test "Check req.backend.healthy" - -+# probe will hit this to check healthiness - server s1 { - rxreq - expect req.url == "/" -@@ -16,8 +17,8 @@ varnish v1 -vcl { - .max_connections = 1; - .probe = { - .url = "/"; -- .timeout = 1s; -- .interval = 1s; -+ .timeout = 0.1s; -+ .interval = 0.1s; - .window = 3; - .threshold = 2; - .initial = 0; -@@ -33,25 +34,33 @@ varnish v1 -vcl { - } - } -start - -+# probe runs every 0.1s and needs 2 (threshold) out of the latest 3 (window) to -+# be successful. Make sure this does *not* happen: the first probe would be -+# successful (s1 was started and finished), but let the next one or two to fail -+# (and hence making the backend unhealthy) by idling. 
-+server s1 -wait -+delay 0.3 -+ -+# verify that backend is unhealthy as expected - client c1 { - txreq - rxresp - expect resp.status == 500 - } -run - --server s1 { -- rxreq -- expect req.url == "/" -- txresp -body "slash" --} -start -+# now let three consecutive probe checks to succeed by starting them and -+# waiting for them to finish. This will lead varnish to believe that the -+# backend is healthly. (note that s1 ports are reused) -+server s1 -repeat 3 -start -wait - --server s1 { -+# do an actual check with a healthy backend, expecting to get a 200 back -+server s2 { - rxreq - expect req.url == "/foo" - txresp -body "foobar" - } -start - --client c1 { -+client c2 { - txreq -url "/foo" - rxresp - expect resp.status == 200 ---- /dev/null -+++ varnish-2.1.3/bin/varnishtest/tests/r01367.vtc -@@ -0,0 +1,30 @@ -+varnishtest "blank GET" -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -vcl+backend { -+ sub vcl_error { -+ return (restart); -+ } -+} -start -+ -+client c1 { -+ send "GET \nHost: example.com\n\n" -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -hdr "Expect: Santa-Claus" -+ rxresp -+ expect resp.status == 417 -+} -run -+ -+client c1 { -+ txreq -+ rxresp -+ expect resp.status == 200 -+} -run ---- varnish-2.1.3.orig/doc/changes-2.1.0-2.1.1.xml -+++ varnish-2.1.3/doc/changes-2.1.0-2.1.1.xml -@@ -86,7 +86,7 @@ - - <change type="enh"> - <para><code>varnishsizes</code>, which is -- like <code>varnishhost</code>, but for the length of objects, -+ like <code>varnishhist</code>, but for the length of objects, - has been added..</para> - </change> - </subsystem> ---- varnish-2.1.3.orig/doc/changes-2.1.1.html -+++ varnish-2.1.3/doc/changes-2.1.1.html -@@ -74,7 +74,7 @@ - <ul> - <li> - <p><span class="code">varnishsizes</span>, which is -- like <span class="code">varnishhost</span>, but for the length of objects, -+ like <span class="code">varnishhist</span>, but for the length of objects, - has been added..</p> - </li> - 
 </ul>
diff -Nru varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1 varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1
--- varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1 1970-01-01 01:00:00.000000000 +0100
+++ varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1 2013-12-09 01:20:46.000000000 +0100
@@ -0,0 +1,208 @@ +Description: Upstream changes introduced in version 2.1.3-8+deb6u1 + This patch has been created by dpkg-source during the package build. + Here's the last changelog entry, hopefully it gives details on why + those changes were made: + . + varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high + . + [ Salvatore Bonaccorso ] + * Backport upstream security patch. + A malformed request could in some configurations lead to Varnish + crashing. CVE-2013-4484 (Closes: #728989) + . + The person named in the Author field signed this changelog entry. +Author: Stig Sandbeck Mathisen <[email protected]> +Bug-Debian: http://bugs.debian.org/728989 + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: <vendor|upstream|other>, <url of original patch> +Bug: <url in upstream bugtracker> +Bug-Debian: http://bugs.debian.org/<bugnumber> +Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> +Forwarded: <no|not-needed|url proving that it has been forwarded> +Reviewed-By: <name and email of someone who approved the patch> +Last-Update: <YYYY-MM-DD> + +--- varnish-2.1.3.orig/bin/varnishd/cache_center.c ++++ varnish-2.1.3/bin/varnishd/cache_center.c +@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=gree + static int + cnt_start(struct sess *sp) + { +- int done; ++ uint16_t err_code; + char *p; +- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; ++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + AZ(sp->restarts); +@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp) + sp->wrk->vcl = NULL; + + http_Setup(sp->http, sp->ws); +- done = http_DissectRequest(sp); ++ err_code = http_DissectRequest(sp); + + /* If we could not 
even parse the request, just close */ +- if (done < 0) { ++ if (err_code == 400) ++ (void)write(sp->fd, r_400, strlen(r_400)); ++ if (err_code != 0) { + sp->step = STP_DONE; + vca_close_session(sp, "junk"); + return (0); +@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp) + /* Catch original request, before modification */ + HTTP_Copy(sp->http0, sp->http); + +- if (done != 0) { +- sp->err_code = done; +- sp->step = STP_ERROR; +- return (0); +- } +- + sp->doclose = http_DoConnection(sp->http); + + /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ +@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp) + */ + if (http_GetHdr(sp->http, H_Expect, &p)) { + if (strcasecmp(p, "100-continue")) { +- sp->err_code = 417; +- sp->step = STP_ERROR; ++ (void)write(sp->fd, r_417, strlen(r_417)); ++ sp->step = STP_DONE; ++ vca_close_session(sp, "junk"); + return (0); + } + + /* XXX: Don't bother with write failures for now */ +- (void)write(sp->fd, r, strlen(r)); ++ (void)write(sp->fd, r_100, strlen(r_100)); + /* XXX: When we do ESI includes, this is not removed + * XXX: because we use http0 as our basis. Believed + * XXX: safe, but potentially confusing. +--- varnish-2.1.3.orig/bin/varnishtest/tests/v00014.vtc ++++ varnish-2.1.3/bin/varnishtest/tests/v00014.vtc +@@ -2,6 +2,7 @@ + + test "Check req.backend.healthy" + ++# probe will hit this to check healthiness + server s1 { + rxreq + expect req.url == "/" +@@ -16,8 +17,8 @@ varnish v1 -vcl { + .max_connections = 1; + .probe = { + .url = "/"; +- .timeout = 1s; +- .interval = 1s; ++ .timeout = 0.1s; ++ .interval = 0.1s; + .window = 3; + .threshold = 2; + .initial = 0; +@@ -33,25 +34,33 @@ varnish v1 -vcl { + } + } -start + ++# probe runs every 0.1s and needs 2 (threshold) out of the latest 3 (window) to ++# be successful. Make sure this does *not* happen: the first probe would be ++# successful (s1 was started and finished), but let the next one or two to fail ++# (and hence making the backend unhealthy) by idling. 
++server s1 -wait ++delay 0.3 ++ ++# verify that backend is unhealthy as expected + client c1 { + txreq + rxresp + expect resp.status == 500 + } -run + +-server s1 { +- rxreq +- expect req.url == "/" +- txresp -body "slash" +-} -start ++# now let three consecutive probe checks to succeed by starting them and ++# waiting for them to finish. This will lead varnish to believe that the ++# backend is healthly. (note that s1 ports are reused) ++server s1 -repeat 3 -start -wait + +-server s1 { ++# do an actual check with a healthy backend, expecting to get a 200 back ++server s2 { + rxreq + expect req.url == "/foo" + txresp -body "foobar" + } -start + +-client c1 { ++client c2 { + txreq -url "/foo" + rxresp + expect resp.status == 200 +--- /dev/null ++++ varnish-2.1.3/bin/varnishtest/tests/r01367.vtc +@@ -0,0 +1,30 @@ ++test "blank GET" ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++ sub vcl_error { ++ return (restart); ++ } ++} -start ++ ++client c1 { ++ send "GET \nHost: example.com\n\n" ++ rxresp ++ expect resp.status == 400 ++} -run ++ ++client c1 { ++ txreq -hdr "Expect: Santa-Claus" ++ rxresp ++ expect resp.status == 417 ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run +--- varnish-2.1.3.orig/doc/changes-2.1.0-2.1.1.xml ++++ varnish-2.1.3/doc/changes-2.1.0-2.1.1.xml +@@ -86,7 +86,7 @@ + + <change type="enh"> + <para><code>varnishsizes</code>, which is +- like <code>varnishhost</code>, but for the length of objects, ++ like <code>varnishhist</code>, but for the length of objects, + has been added..</para> + </change> + </subsystem> +--- varnish-2.1.3.orig/doc/changes-2.1.1.html ++++ varnish-2.1.3/doc/changes-2.1.1.html +@@ -74,7 +74,7 @@ + <ul> + <li> + <p><span class="code">varnishsizes</span>, which is +- like <span class="code">varnishhost</span>, but for the length of objects, ++ like <span class="code">varnishhist</span>, but for the length of objects, + has been added..</p> + </li> + </ul> diff 
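Review bot: The squeeze backport of cnt_start keeps the upstream `err_code == 400` branch but drops both the `r_413` branch and the cache_http.c hunk (413 → 400 on an empty request-line token) that the 3.0.x patch carries, while also changing `done` from `int` to `uint16_t`; the original 2.1.3 code tested `done < 0`, so http_DissectRequest there evidently could return negative values, and after this change any such value (or a 413, if 2.1.3 still produces one) reaches `if (err_code != 0)` and closes the session, but with no status line written to the client. That still removes the vcl_error restart path the CVE is about, yet it silently diverges from upstream, so I would confirm against 2.1.3's cache_http.c which codes http_DissectRequest can return and either add the 413 write or record the omission in the patch header, e.g. `# Omits the cache_http.c hunk and 413 reply of upstream 6de534b — confirm 2.1.3 cannot return 413 here`. The removed `debian-changes-2.1.3-8` shown in this debdiff (timestamp 2013-12-09 00:42) already contains the cnt_start and r01367.vtc hunks, so the "before" side appears to be a regenerated working-tree file rather than the archive 2.1.3-8 patch, and the real delta against the archive is larger than this diff suggests. cnt_start continues outside the hunk.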
-Nru varnish-2.1.3/debian/patches/series varnish-2.1.3/debian/patches/series
--- varnish-2.1.3/debian/patches/series 2013-12-09 00:42:11.000000000 +0100
+++ varnish-2.1.3/debian/patches/series 2013-12-09 01:20:46.000000000 +0100
@@ -1 +1 @@
-debian-changes-2.1.3-8
+debian-changes-2.1.3-8+deb6u1
-- Stig Sandbeck Mathisen

