On Sun, Jul 18, 2021 at 10:14:46AM +0200, Graham Inggs wrote: > Control: tags -1 + moreinfo > > Hi Stig > > Please attach a filtered debdiff to this bug. Something like: > > filterdiff -x '*/build-aux/*' -x '*/doc/html/*' > varnish-6.5.1-1--6.5.2-1.debdiff >filtered.debdiff > > Please also show the command that you end up using, so we can see > which parts were excluded.
Hello, I used the command filterdiff -x '*/build-aux/*' -x '*/doc/html/*' varnish-6.5.1-1--6.5.2-1.debdiff > varnish-6.5.1-1--6.5.2-1.filtered.debdiff Attached is the filtered diff. Apart from the version bump, the changes are the upstream fix for the HTTP/2 request smuggling issue (VSV00007, CVE-2021-36740) and two commits in the packaging repository: https://salsa.debian.org/varnish-team/varnish/-/commit/b38fddf5fb3a7acf5c88d6a0f9906cb0967f16bb (lint: debian/*.install, paths should not begin with /) https://salsa.debian.org/varnish-team/varnish/-/commit/46da54a751ae85afae8403fbf8ca360f322c349c (Declare compliance with Debian Policy 4.5.0)
diff -Nru varnish-6.5.1/Makefile.in varnish-6.5.2/Makefile.in
--- varnish-6.5.1/Makefile.in 2020-09-25 11:44:45.000000000 +0200
+++ varnish-6.5.2/Makefile.in 2021-07-02 13:57:15.000000000 +0200
@@ -207,7 +207,8 @@
 $(top_srcdir)/build-aux/ltmain.sh \
 $(top_srcdir)/build-aux/missing ChangeLog INSTALL \
 build-aux/compile build-aux/config.guess build-aux/config.sub \
-build-aux/install-sh build-aux/ltmain.sh build-aux/missing
+build-aux/depcomp build-aux/install-sh build-aux/ltmain.sh \
+build-aux/missing build-aux/ylwrap
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 distdir = $(PACKAGE)-$(VERSION)
 top_distdir = $(distdir)
diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2.h varnish-6.5.2/bin/varnishd/http2/cache_http2.h
--- varnish-6.5.1/bin/varnishd/http2/cache_http2.h 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/bin/varnishd/http2/cache_http2.h 2021-07-02 13:57:09.000000000 +0200
@@ -134,6 +134,8 @@
 /* Where to wake this stream up */
 struct worker *wrk;
+ssize_t reqbody_bytes;
+
 VTAILQ_ENTRY(h2_req) tx_list;
 h2_error error;
 };
diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c
--- varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c 2021-07-02 13:57:09.000000000 +0200
@@ -554,6 +554,7 @@
 struct req *req, struct h2_req *r2)
 {
 h2_error h2e;
+ssize_t cl;
 ASSERT_RXTHR(h2);
 assert(r2->state == H2_S_OPEN);
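Review bot: The `ssize_t reqbody_bytes;` member added to struct h2_req carries no comment, while the neighbouring `wrk` member does (`/* Where to wake this stream up */`), so a reader of the header cannot tell what it counts or which thread maintains it; something like `ssize_t reqbody_bytes; /* DATA payload bytes received so far, checked against Content-Length by the rx thread */` would match the file's style. Nothing in this diff initialises the field, which is only correct if the struct is zero-filled on allocation — worth confirming at the allocation site, or zeroing it explicitly when the stream is created. The struct definition begins before this hunk.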
@@ -574,16 +575,24 @@
 // XXX: Have I mentioned H/2 Is hodge-podge ?
 http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
+cl = http_GetContentLength(req->http);
+assert(cl >= -2);
+if (cl == -2) {
+VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
+return (H2SE_PROTOCOL_ERROR);
+}
+
 if (req->req_body_status == NULL) {
-if (!http_GetHdr(req->http, H_Content_Length, NULL))
+if (cl == -1)
 req->req_body_status = BS_EOF;
 else
 req->req_body_status = BS_LENGTH;
+req->htc->content_length = cl;
 } else {
 /* A HEADER frame contained END_STREAM */
 assert (req->req_body_status == BS_NONE);
 r2->state = H2_S_CLOS_REM;
-if (http_GetContentLength(req->http) > 0)
+if (cl > 0)
 return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
 }
@@ -737,6 +746,7 @@
 int w1 = 0, w2 = 0;
 char buf[4];
 unsigned wi;
+ssize_t cl;
 CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
 ASSERT_RXTHR(h2);
@@ -755,6 +765,23 @@
 Lck_Unlock(&h2->sess->mtx);
 return (h2->error ? h2->error : r2->error);
 }
+
+r2->reqbody_bytes += h2->rxf_len;
+if (h2->rxf_flags & H2FF_DATA_END_STREAM)
+r2->state = H2_S_CLOS_REM;
+cl = r2->req->htc->content_length;
+if (cl >= 0 && (r2->reqbody_bytes > cl ||
+(r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
+VSLb(h2->vsl, SLT_Debug,
+"H2: stream %u: Received data and Content-Length"
+" mismatch", h2->rxf_stream);
+r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
+if (r2->cond)
+AZ(pthread_cond_signal(r2->cond));
+Lck_Unlock(&h2->sess->mtx);
+return (H2SE_PROTOCOL_ERROR);
+}
+
 AZ(h2->mailcall);
 h2->mailcall = r2;
 h2->req0->r_window -= h2->rxf_len;
@@ -773,6 +800,8 @@
 r2->r_window += wi;
 w2 = 1;
 }
+
+
 Lck_Unlock(&h2->sess->mtx);
 if (w1 || w2) {
@@ -795,7 +824,7 @@
 struct h2_req *r2;
 struct h2_sess *h2;
 unsigned l;
-enum vfp_status retval = VFP_OK;
+enum vfp_status retval;
 CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
 CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
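Review bot: The Content-Length validation added ahead of the `req_body_status` branch trusts whatever `http_GetContentLength()` yields, and if that helper (outside this diff) only consults the first matching header and nothing earlier in the H/2 header path rejects duplicates, a request carrying two differing `Content-Length` values would be length-checked against one of them while presumably being forwarded with both — the same CL/CL ambiguity this fix is closing, so it is worth confirming, or rejecting duplicate Content-Length headers here with a stream error. A one-line comment would also help explain why a malformed value is a stream error while, a few lines below, END_STREAM with a non-zero length remains a connection error, e.g. `/* malformed request: stream error, rfc7540 8.1.2.6 */` above the `cl == -2` check. The enclosing function starts before this hunk.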
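Review bot: The mismatch check in the `@@ -755` hunk accumulates `r2->reqbody_bytes` from the first DATA frame onward, but the counter's starting value is never set anywhere in this diff, so the comparison against `cl` is only sound if `struct h2_req` is zero-filled when the stream is created — confirm that, or zero it explicitly at stream initialisation. The condition also encodes two rules at once and would read better with a comment such as `/* rfc7540 8.1.2.6: payload may never exceed Content-Length and must equal it once END_STREAM is seen */`. The enclosing function continues after this hunk.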
@@ -808,7 +837,6 @@
 *lp = 0;
 Lck_Lock(&h2->sess->mtx);
-assert (r2->state == H2_S_OPEN);
 r2->cond = &vc->wrk->cond;
 while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
 AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
@@ -831,12 +859,10 @@
 Lck_Unlock(&h2->sess->mtx);
 return (VFP_OK);
 }
-if (h2->rxf_len == 0) {
-if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
-retval = VFP_END;
-r2->state = H2_S_CLOS_REM;
-}
-}
+if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
+retval = VFP_END;
+else
+retval = VFP_OK;
 h2->mailcall = NULL;
 AZ(pthread_cond_signal(h2->cond));
 }
diff -Nru varnish-6.5.1/bin/varnishtest/tests/f00007.vtc varnish-6.5.2/bin/varnishtest/tests/f00007.vtc
--- varnish-6.5.1/bin/varnishtest/tests/f00007.vtc 1970-01-01 01:00:00.000000000 +0100
+++ varnish-6.5.2/bin/varnishtest/tests/f00007.vtc 2021-07-02 13:57:09.000000000 +0200
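Review bot: The end-of-body test in the `@@ -831` hunk now depends on `r2->state >= H2_S_CLOS_REM` rather than on the END_STREAM flag of the frame being drained, which is only correct because the receive thread (earlier hunk in this file) now advances the stream state when it accepts the last DATA frame; that cross-thread coupling should be stated at the condition, e.g. `/* rx thread moves the stream to CLOS_REM on END_STREAM; a fully drained frame on a closed stream ends the body */`. The assertion removed in the `@@ -808` hunk goes for the same reason; if the state enum is ordered, an `assert(r2->state >= H2_S_OPEN);` would keep a sanity check without rejecting the new CLOS_REM case. Both hunks sit inside the VFP pull function, whose body starts and ends outside this view.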
@@ -0,0 +1,82 @@
+varnishtest "H/2 content length smuggling attack"
+
+server s1 {
+rxreqhdrs
+expect_close
+} -start
+
+server s2 {
+rxreqhdrs
+expect_close
+} -start
+
+server s3 {
+rxreq
+expect_close
+} -start
+
+server s4 {
+rxreq
+expect req.body == "A"
+txresp
+} -start
+
+varnish v1 -vcl+backend {
+import vtc;
+sub vcl_backend_fetch {
+if (bereq.url == "/1") {
+set bereq.backend = s1;
+} else if (bereq.url == "/2") {
+set bereq.backend = s2;
+} else if (bereq.url == "/3") {
+set bereq.backend = s3;
+} else {
+set bereq.backend = s4;
+}
+}
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+
+client c1 {
+stream 1 {
+txreq -req POST -url /1 -hdr "content-length" "1" -nostrend
+txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n"
+rxrst
+expect rst.err == PROTOCOL_ERROR
+} -run
+} -run
+
+client c2 {
+stream 1 {
+txreq -req POST -url /2 -hdr "content-length" "1" -nostrend
+txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n" -nostrend
+txdata
+rxrst
+expect rst.err == PROTOCOL_ERROR
+} -run
+} -run
+
+client c3 {
+stream 1 {
+txreq -req POST -url /3 -hdr "content-length" "1" -nostrend
+txdata -data "A" -nostrend
+txdata -data "GET /FAIL HTTP/1.1\r\n\r\n"
+rxwinup
+rxrst
+expect rst.err == PROTOCOL_ERROR
+} -run
+} -run
+
+client c4 {
+stream 1 {
+txreq -req POST -url /4 -hdr "content-length" "1" -nostrend
+txdata -data "A" -nostrend
+txdata
+rxwinup
+rxwinup
+rxresp
+expect resp.status == 200
+} -run
+} -run
diff -Nru varnish-6.5.1/configure varnish-6.5.2/configure
--- varnish-6.5.1/configure 2020-09-25 11:44:44.000000000 +0200
+++ varnish-6.5.2/configure 2021-07-02 13:57:34.000000000 +0200
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Id.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Varnish 6.5.1.
+# Generated by GNU Autoconf 2.69 for Varnish 6.5.2.
 #
 # Report bugs to <varnish-...@varnish-cache.org>.
 #
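Review bot: The new test only exercises over-length bodies (one byte announced, more delivered, clients c1–c3) plus the matching case (c4), so two of the checks added in cache_http2_proto.c have no coverage here: a Content-Length value that does not parse (the `cl == -2` branch) and a stream that ends with fewer bytes than announced (the `reqbody_bytes != cl` half of the condition). A client along the lines of the one below should hit the malformed-value path without involving a backend, since the request is rejected before it is scheduled; the short-body case needs a similar client using `-hdr "content-length" "2"`, a single `txdata -data "A"`, and its own backend that expects only headers and a close, plus a matching VCL branch. Both are guesses at varnishtest syntax and should be checked against the existing clients in this file.
```vtc
client c5 {
	stream 1 {
		txreq -req POST -url /5 -hdr "content-length" "1x" -nostrend
		rxrst
		expect rst.err == PROTOCOL_ERROR
	} -run
} -run
```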
@@ -594,8 +594,8 @@ # Identity of this package. PACKAGE_NAME='Varnish' PACKAGE_TARNAME='varnish' -PACKAGE_VERSION='6.5.1' -PACKAGE_STRING='Varnish 6.5.1' +PACKAGE_VERSION='6.5.2' +PACKAGE_STRING='Varnish 6.5.2' PACKAGE_BUGREPORT='varnish-...@varnish-cache.org' PACKAGE_URL='' @@ -1433,7 +1433,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Varnish 6.5.1 to adapt to many kinds of systems. +\`configure' configures Varnish 6.5.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1505,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Varnish 6.5.1:";; + short | recursive ) echo "Configuration of Varnish 6.5.2:";; esac cat <<\_ACEOF @@ -1672,7 +1672,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Varnish configure 6.5.1 +Varnish configure 6.5.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2147,7 +2147,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Varnish $as_me 6.5.1, which was +It was created by Varnish $as_me 6.5.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4532,7 +4532,7 @@ # Define the identity of the package. PACKAGE='varnish' - VERSION='6.5.1' + VERSION='6.5.2' cat >>confdefs.h <<_ACEOF @@ -24939,7 +24939,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Varnish $as_me 6.5.1, which was +This file was extended by Varnish $as_me 6.5.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -25005,7 +25005,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Varnish config.status 6.5.1 +Varnish config.status 6.5.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru varnish-6.5.1/configure.ac varnish-6.5.2/configure.ac --- varnish-6.5.1/configure.ac 2020-09-25 11:14:30.000000000 +0200 +++ varnish-6.5.2/configure.ac 2021-07-02 13:57:09.000000000 +0200 @@ -2,7 +2,7 @@ AC_COPYRIGHT([Copyright (c) 2006 Verdens Gang AS Copyright (c) 2006-2020 Varnish Software]) AC_REVISION([$Id$]) -AC_INIT([Varnish], [6.5.1], [varnish-...@varnish-cache.org]) +AC_INIT([Varnish], [6.5.2], [varnish-...@varnish-cache.org]) AC_CONFIG_SRCDIR(include/miniobj.h) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -Nru varnish-6.5.1/debian/changelog varnish-6.5.2/debian/changelog --- varnish-6.5.1/debian/changelog 2020-09-29 23:21:31.000000000 +0200 +++ varnish-6.5.2/debian/changelog 2021-07-14 21:46:38.000000000 +0200 @@ -1,3 +1,10 @@ +varnish (6.5.2-1) unstable; urgency=medium + + * New upstream release. + (Closes: #991040, VSV00007, CVE-2021-36740) + + -- Stig Sandbeck Mathisen <s...@debian.org> Wed, 14 Jul 2021 21:46:38 +0200 + varnish (6.5.1-1) unstable; urgency=medium * New upstream release. diff -Nru varnish-6.5.1/debian/control varnish-6.5.2/debian/control --- varnish-6.5.1/debian/control 2020-09-29 23:21:31.000000000 +0200 +++ varnish-6.5.2/debian/control 2021-07-14 21:46:38.000000000 +0200 
@@ -18,7 +18,7 @@
 pkg-config,
 python3-sphinx,
 xsltproc
-Standards-Version: 4.4.1
+Standards-Version: 4.5.0
 Vcs-Browser: https://salsa.debian.org/varnish-team/varnish
 Vcs-Git: https://salsa.debian.org/varnish-team/varnish.git
 Homepage: https://www.varnish-cache.org/
diff -Nru varnish-6.5.1/debian/libvarnishapi-dev.install varnish-6.5.2/debian/libvarnishapi-dev.install
--- varnish-6.5.1/debian/libvarnishapi-dev.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/libvarnishapi-dev.install 2021-07-14 21:46:38.000000000 +0200
@@ -2,5 +2,5 @@
 usr/share/aclocal
 usr/share/varnish/vsctool.py
 usr/share/varnish/vmodtool.py
-/usr/lib/*/libvarnishapi.so
-/usr/lib/*/pkgconfig/*.pc
+usr/lib/*/libvarnishapi.so
+usr/lib/*/pkgconfig/*.pc
diff -Nru varnish-6.5.1/debian/libvarnishapi2.install varnish-6.5.2/debian/libvarnishapi2.install
--- varnish-6.5.1/debian/libvarnishapi2.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/libvarnishapi2.install 2021-07-14 21:46:38.000000000 +0200
@@ -1 +1 @@
-/usr/lib/*/lib*.so.*
+usr/lib/*/lib*.so.*
diff -Nru varnish-6.5.1/debian/varnish.install varnish-6.5.2/debian/varnish.install
--- varnish-6.5.1/debian/varnish.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/varnish.install 2021-07-14 21:46:38.000000000 +0200
@@ -1,7 +1,7 @@
 etc/varnish/default.vcl
 usr/bin/*
 usr/sbin/*
-/usr/lib/*/varnish
+usr/lib/*/varnish
 usr/share/man
 usr/share/varnish/vcl
 debian/*.service lib/systemd/system/
diff -Nru varnish-6.5.1/doc/changes.html varnish-6.5.2/doc/changes.html
--- varnish-6.5.1/doc/changes.html 2020-09-25 11:47:47.000000000 +0200
+++ varnish-6.5.2/doc/changes.html 2021-07-02 14:01:33.000000000 +0200
@@ -385,6 +385,12 @@ individual releases. These documents are updated as part of the release process.</p> </div> +<div class="section" id="varnish-cache-6-5-2-2021-07-13"> +<h1>Varnish Cache 6.5.2 (2021-07-13)</h1> +<ul class="simple"> +<li>Fix an HTTP/2.0 request smuggling vulnerability. (<a class="reference external" href="https://varnish-cache.org/security/VSV00007.html">VSV00007</a>)</li> +</ul> +</div> <div class="section" id="varnish-cache-6-5-1-2020-09-25"> <h1>Varnish Cache 6.5.1 (2020-09-25)</h1> <ul class="simple"> diff -Nru varnish-6.5.1/doc/changes.rst varnish-6.5.2/doc/changes.rst --- varnish-6.5.1/doc/changes.rst 2020-09-25 11:14:30.000000000 +0200 +++ varnish-6.5.2/doc/changes.rst 2021-07-02 13:57:09.000000000 +0200 @@ -27,6 +27,14 @@ release process. ================================ +Varnish Cache 6.5.2 (2021-07-13) +================================ + +* Fix an HTTP/2.0 request smuggling vulnerability. (VSV00007_) + +.. _VSV00007: https://varnish-cache.org/security/VSV00007.html + +================================ Varnish Cache 6.5.1 (2020-09-25) ================================ diff -Nru varnish-6.5.1/doc/sphinx/conf.py varnish-6.5.2/doc/sphinx/conf.py --- varnish-6.5.1/doc/sphinx/conf.py 2020-09-25 11:45:01.000000000 +0200 +++ varnish-6.5.2/doc/sphinx/conf.py 2021-07-02 13:57:46.000000000 +0200 @@ -45,9 +45,9 @@ # built documents. # # The short X.Y version. -version = '6.5.1' +version = '6.5.2' # The full version, including alpha/beta/rc tags. -release = '6.5.1' +release = '6.5.2' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. 
@@ -135,7 +135,7 @@ # The name for this set of Sphinx documents. If None, it defaults to # "<project> v<release> documentation". -html_title = "Varnish version 6.5.1 documentation" +html_title = "Varnish version 6.5.2 documentation" # A shorter title for the navigation bar. Default is the same as html_title. #html_short_title = None diff -Nru varnish-6.5.1/doc/sphinx/reference/mkfs.mse.rst~ varnish-6.5.2/doc/sphinx/reference/mkfs.mse.rst~ --- varnish-6.5.1/doc/sphinx/reference/mkfs.mse.rst~ 1970-01-01 01:00:00.000000000 +0100 +++ varnish-6.5.2/doc/sphinx/reference/mkfs.mse.rst~ 2018-10-02 16:48:42.000000000 +0200 
@@ -0,0 +1,57 @@ +.. role:: ref(emphasis) + +.. _mkfs.mse(1): + +======== +mkfs.mse +======== + +------------------------------- +Massive Storage Engine mkfs.mse +------------------------------- + +:Manual section: 1 + +SYNOPSIS +======== + +mkfs.mse [-c <in.conf>] [-f] + +DESCRIPTION +=========== + +The `mkfs.mse` utility creates and initializes the data files and stores +for use with Massive Storage Engine. It reads the same configuration file +as would be pointed to when directing `varnishd` to use MSE for object +storage, and this utility needs to be run once before starting `varnishd` +with MSE for the first time. + +If a previous configuration exists and is initialized in the data files +and stores, `mkfs.mse` will give an error instead of overwriting the +existing data. If overwrite and clear of the data files is wanted, use the +`-f` force flag to override the error. This will clear the cache +completely, having an empty cache when `varnishd` is then started. + +OPTIONS +======= + +-c <in.conf> + + The configuration file to use. See `man mse-config` for details of the + configuration file. + +-f + + Use the force option. This overrides the error of previous existing + configuration. + +HISTORY +======= + +This manual page was written by Martin Blix Grydeland +<mar...@varnish-software.com>. + +COPYRIGHT +========= + +* Copyright (c) 2018 Varnish Software diff -Nru varnish-6.5.1/include/vcs_version.h varnish-6.5.2/include/vcs_version.h --- varnish-6.5.1/include/vcs_version.h 2020-09-25 11:46:08.000000000 +0200 +++ varnish-6.5.2/include/vcs_version.h 2021-07-02 13:59:57.000000000 +0200 
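Review bot: `doc/sphinx/reference/mkfs.mse.rst~` is an editor backup file (trailing `~`, 2018 timestamp) documenting `mkfs.mse`, a tool that appears nowhere else in this diff, so its presence looks like an accidental inclusion in the 6.5.2 release tarball rather than intended documentation. It is harmless at runtime but is the kind of file lintian flags as a backup file in the source, and the Debian upload could exclude it via `Files-Excluded` in debian/copyright or report it upstream so the next tarball is regenerated without it. This is inferred from the filename and timestamp alone; the tarball contents beyond this diff are not visible here.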
@@ -1,8 +1,8 @@ -/* 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64 */ +/* e7233b0ad2639043341819d19a8d2e418e94ce1b */ /* * NB: This file is machine generated, DO NOT EDIT! * * Edit and run include/generate.py instead. */ -#define VCS_Version "1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64" +#define VCS_Version "e7233b0ad2639043341819d19a8d2e418e94ce1b" diff -Nru varnish-6.5.1/include/vmod_abi.h varnish-6.5.2/include/vmod_abi.h --- varnish-6.5.1/include/vmod_abi.h 2020-09-25 11:46:08.000000000 +0200 +++ varnish-6.5.2/include/vmod_abi.h 2021-07-02 13:59:57.000000000 +0200 @@ -4,4 +4,4 @@ * Edit and run include/generate.py instead. */ -#define VMOD_ABI_Version "Varnish 6.5.1 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64" +#define VMOD_ABI_Version "Varnish 6.5.2 e7233b0ad2639043341819d19a8d2e418e94ce1b"