Control: tags 870467 + pending Dear maintainer,
I've prepared an NMU for varnish (versioned as 5.0.0-7.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru varnish-5.0.0/debian/changelog varnish-5.0.0/debian/changelog --- varnish-5.0.0/debian/changelog 2017-03-02 18:16:05.000000000 +0100 +++ varnish-5.0.0/debian/changelog 2017-08-04 06:43:38.000000000 +0200 @@ -1,3 +1,13 @@ +varnish (5.0.0-7.1) unstable; urgency=high + + * Non-maintainer upload. + * Correctly handle bogusly large chunk sizes. + This fixes a denial of service attack vector where bogusly large chunk + sizes in requests could be used to force restarts of the Varnish server. + (Closes: #870467) + + -- Salvatore Bonaccorso <[email protected]> Fri, 04 Aug 2017 06:43:38 +0200 + varnish (5.0.0-7) unstable; urgency=medium * Remove reload from varnish.service (Closes: #749272) diff -Nru varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch --- varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch 1970-01-01 01:00:00.000000000 +0100 +++ varnish-5.0.0/debian/patches/5.0-Correctly-handle-bogusly-large-chunk-sizes.patch 2017-08-04 06:43:38.000000000 +0200 @@ -0,0 +1,109 @@ +From e32377f0455ddf7a7836cc0d21d78906e9938119 Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland <[email protected]> +Date: Thu, 27 Jul 2017 11:52:58 +0200 +Subject: [PATCH] Correctly handle bogusly large chunk sizes + +This fixes a denial of service attack vector where bogusly large chunk +sizes in requests could be used to force restarts of the Varnish +server. + +This is Varnish Security Vulnerability VSV00001 + +For more information visit: https://varnish-cache.org/security/VSV00001 + +Fixes: #2379 +--- + bin/varnishd/http1/cache_http1_vfp.c | 2 +- + bin/varnishtest/tests/f00001.vtc | 67 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+), 1 deletion(-) + create mode 100644 bin/varnishtest/tests/f00001.vtc + +diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c +index b836cd3..ded1550 100644 +--- a/bin/varnishd/http1/cache_http1_vfp.c ++++ b/bin/varnishd/http1/cache_http1_vfp.c +@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, + if (q == NULL || *q != '\0') + return (VFP_Error(vc, "chunked header number syntax")); + cl = (ssize_t)cll; +- if((uintmax_t)cl != cll) ++ if (cl < 0 || (uintmax_t)cl != cll) + return (VFP_Error(vc, "bogusly large chunk size")); + + vfe->priv2 = cl; +diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc +new file mode 100644 +index 0000000..46dbe94 +--- /dev/null ++++ b/bin/varnishtest/tests/f00001.vtc +@@ -0,0 +1,67 @@ ++varnishtest "Check that we handle bogusly large chunks correctly" ++ ++# Check that the bug has been fixed ++ ++server s1 { ++ rxreq ++ txresp ++ ++ accept ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++} -start ++ ++client c1 { ++ send "POST / HTTP/1.1\r\n" ++ send "Transfer-Encoding: chunked\r\n\r\n" ++ send "FFFFFFFFFFFFFFED\r\n" ++ send "0\r\n\r\n" ++ ++ rxresp ++ expect resp.status == 503 ++} -run ++ ++# Check that the published workaround does not cause harm ++ ++varnish v1 -cliok "param.set vcc_allow_inline_c true" ++ ++varnish v1 -vcl+backend { ++ sub exploit_workaround { ++ # This needs to be defined before your vcl_recv function ++ # Make sure that the runtime parameter vcc_allow_inline_c is set to true ++ if (req.http.transfer-encoding ~ "(?i)chunked") { ++ C{ ++ struct dummy_req { ++ unsigned magic; ++ int step; ++ int req_body_status; ++ }; ++ ((struct dummy_req *)ctx->req)->req_body_status = 5; ++ }C ++ ++ return (synth(503, "Bad request")); ++ } ++ } ++ ++ sub vcl_recv { ++ # Call this early in your vcl_recv function ++ call exploit_workaround; ++ } ++} ++ ++client c1 { ++ send "POST / HTTP/1.1\r\n" ++ send "Transfer-Encoding: chunked\r\n\r\n" ++ send "FFFFFFFFFFFFFFED\r\n0\r\n\r\n" ++ ++ expect_close ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run +-- +2.1.4 + diff -Nru varnish-5.0.0/debian/patches/series varnish-5.0.0/debian/patches/series --- varnish-5.0.0/debian/patches/series 2017-03-02 18:16:05.000000000 +0100 +++ varnish-5.0.0/debian/patches/series 2017-08-04 06:43:38.000000000 +0200 @@ -1 +1,2 @@ 0001-Ensure-package-builds-reproducibly.patch +5.0-Correctly-handle-bogusly-large-chunk-sizes.patch

