Ema has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391538 )
Change subject: 4.1.8-1wm2: fix VSV00002 ...................................................................... 4.1.8-1wm2: fix VSV00002 Avoid buffer read overflow on vcl_error and -sfile (VSV00002, CVE-2017-8807). Change-Id: Ibb4ed766d11ac366603eb74d6a86a584e5c306f6 --- M debian/changelog A debian/patches/0006-vsv00002-4.1.patch M debian/patches/series 3 files changed, 41 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/varnish4 refs/changes/38/391538/1 diff --git a/debian/changelog b/debian/changelog index c7a289f..9448e3e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +varnish (4.1.8-1wm2) jessie-wikimedia; urgency=medium + + * Avoid buffer read overflow on vcl_error and -sfile + (VSV00002, CVE-2017-8807) + + -- Emanuele Rocca <[email protected]> Wed, 15 Nov 2017 12:24:09 +0100 + varnish (4.1.8-1wm1) jessie-wikimedia; urgency=medium * New upstream release diff --git a/debian/patches/0006-vsv00002-4.1.patch b/debian/patches/0006-vsv00002-4.1.patch new file mode 100644 index 0000000..650787c --- /dev/null +++ b/debian/patches/0006-vsv00002-4.1.patch 
@@ -0,0 +1,33 @@ +From 19a73184c6470a54f843c7c226c641a0b4ac2e8e Mon Sep 17 00:00:00 2001 +From: Martin Blix Grydeland <[email protected]> +Date: Mon, 18 Sep 2017 16:04:53 +0200 +Subject: [PATCH] Avoid buffer read overflow on vcl_error and -sfile + +The file stevedore may return a buffer larger than asked for when +requesting storage. Due to lack of check for this condition, the code +to copy the synthetic error memory buffer from vcl_error would overrun +the buffer. + +Patch by @shamger + +Fixes: #2429 +--- + bin/varnishd/cache/cache_fetch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/bin/varnishd/cache/cache_fetch.c b/bin/varnishd/cache/cache_fetch.c +index d36377c..70f953f 100644 +--- a/bin/varnishd/cache/cache_fetch.c ++++ b/bin/varnishd/cache/cache_fetch.c +@@ -873,6 +873,8 @@ vbf_stp_error(struct worker *wrk, struct busyobj *bo) + l = ll; + if (VFP_GetStorage(bo->vfc, &l, &ptr) != VFP_OK) + break; ++ if (l > ll) ++ l = ll; + memcpy(ptr, VSB_data(synth_body) + o, l); + VBO_extend(bo, l); + ll -= l; +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series index 3deaf68..d0d9770 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ 0003-vsm-perms.patch 0004-storage-file-off-t.patch 0005-stats-shortlived.patch +0006-vsv00002-4.1.patch -- To view, visit https://gerrit.wikimedia.org/r/391538 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibb4ed766d11ac366603eb74d6a86a584e5c306f6 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/varnish4 Gerrit-Branch: debian-wmf-4.1 Gerrit-Owner: Ema <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
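Review bot: In the debian/changelog hunk, the new 4.1.8-1wm2 entry is marked urgency=medium although its only change is the fix for CVE-2017-8807, a buffer read overflow; if this upload is meant to be rolled out as a security update, urgency=high would signal that. The entry could also name the patch it adds, 0006-vsv00002-4.1.patch, so the changelog line can be matched against debian/patches/series.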
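Review bot: In the cache_fetch.c hunk carried by 0006-vsv00002-4.1.patch, the new clamp in vbf_stp_error, "if (l > ll) l = ll;", has no comment, and with "l = ll;" two lines above it the check reads as redundant unless the reader knows that VFP_GetStorage can write a larger value back into l. A one-line comment giving the reason from the commit message (the file stevedore may return a buffer larger than asked for) would keep a later cleanup from dropping it. The patch touches one file with two insertions and adds no test that exercises vcl_error with -sfile, so this check is the only guard against the overrun returning.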
