Hi

On Thu, Nov 07, 2013 at 08:31:46PM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <car...@debian.org> writes:
>
> > Know you are already aware, opening bug report to keep track of this
> > issue.
>
> Thanks.
>
> > the following vulnerability was published for varnish.
> >
> > CVE-2013-4484[0]:
> > | Varnish before 3.0.5 allows remote attackers to cause a denial of
> > | service (child-process crash and temporary caching outage) via a GET
> > | request with trailing whitespace characters and no URI.
>
> Just to add some information about this issue:
>
> Varnish is not vulnerable in its default configuration.
>
> To be vulnerable, varnish must be configured with "return(restart)"
> inside the "vcl_error" sub. Example:
>
> sub vcl_error {
>     return(restart);
> }
>
> A workaround for people with matching configurations: Ensure that
> vcl_error does "return(deliver)" for status codes 400 and 413, before
> any "return(restart)". Example:
>
> sub vcl_error {
>     if (obj.status == 400 || obj.status == 413) {
>         return(deliver);
>     }
> }
Thanks for fixing this with the 3.0.5-1 upload. Could you please also prepare packages for squeeze-security and wheezy-security? I already had a look at wheezy today; attached is a proposed debdiff (not yet tested apart from the testsuite).

Regards,
Salvatore
diff -Nru varnish-3.0.2/debian/changelog varnish-3.0.2/debian/changelog --- varnish-3.0.2/debian/changelog 2012-05-01 16:22:42.000000000 +0200 +++ varnish-3.0.2/debian/changelog 2013-12-02 07:40:45.000000000 +0100 @@ -1,3 +1,13 @@ +varnish (3.0.2-2+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2013-4484.patch patch. + CVE-2013-4484: A remote attacker can mount a denial of service + (child-process crash and temporary caching outage) via a GET request + with trailing whitespace characters and no URI. (Closes: #728989) + + -- Salvatore Bonaccorso <car...@debian.org> Mon, 02 Dec 2013 07:36:11 +0100 + varnish (3.0.2-2) unstable; urgency=low [ Knut Arne Bjørndal ] diff -Nru varnish-3.0.2/debian/patches/CVE-2013-4484.patch varnish-3.0.2/debian/patches/CVE-2013-4484.patch --- varnish-3.0.2/debian/patches/CVE-2013-4484.patch 1970-01-01 01:00:00.000000000 +0100 +++ varnish-3.0.2/debian/patches/CVE-2013-4484.patch 2013-12-02 07:40:45.000000000 +0100 
@@ -0,0 +1,121 @@ +Description: Fix denial of service handling certain GET requests + CVE-2013-4484: A remote attacker can mount a denial of service + (child-process crash and temporary caching outage) via a GET request + with trailing whitespace characters and no URI. +Origin: backport, https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 +Bug: https://www.varnish-cache.org/trac/ticket/1367 +Bug-Debian: http://bugs.debian.org/728989 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1025127 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-12-01 + +--- a/bin/varnishd/cache_center.c ++++ b/bin/varnishd/cache_center.c +@@ -1453,9 +1453,12 @@ + static int + cnt_start(struct sess *sp) + { +- uint16_t done; ++ uint16_t err_code; + char *p; +- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; ++ const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n"; ++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + AZ(sp->restarts); +@@ -1478,10 +1481,14 @@ + sp->wrk->vcl = NULL; + + http_Setup(sp->http, sp->ws); +- done = http_DissectRequest(sp); ++ err_code = http_DissectRequest(sp); + + /* If we could not even parse the request, just close */ +- if (done == 400) { ++ if (err_code == 400) ++ (void)write(sp->fd, r_400, strlen(r_400)); ++ else if (err_code == 413) ++ (void)write(sp->fd, r_413, strlen(r_413)); ++ if (err_code != 0) { + sp->step = STP_DONE; + vca_close_session(sp, "junk"); + return (0); +@@ -1493,12 +1500,6 @@ + /* Catch original request, before modification */ + HTTP_Copy(sp->http0, sp->http); + +- if (done != 0) { +- sp->err_code = done; +- sp->step = STP_ERROR; +- return (0); +- } +- + sp->doclose = http_DoConnection(sp->http); + + /* XXX: Handle TRACE 
& OPTIONS of Max-Forwards = 0 */ +@@ -1508,13 +1509,14 @@ + */ + if (http_GetHdr(sp->http, H_Expect, &p)) { + if (strcasecmp(p, "100-continue")) { +- sp->err_code = 417; +- sp->step = STP_ERROR; ++ (void)write(sp->fd, r_417, strlen(r_417)); ++ sp->step = STP_DONE; ++ vca_close_session(sp, "junk"); + return (0); + } + + /* XXX: Don't bother with write failures for now */ +- (void)write(sp->fd, r, strlen(r)); ++ (void)write(sp->fd, r_100, strlen(r_100)); + /* XXX: When we do ESI includes, this is not removed + * XXX: because we use http0 as our basis. Believed + * XXX: safe, but potentially confusing. +--- a/bin/varnishd/cache_http.c ++++ b/bin/varnishd/cache_http.c +@@ -601,7 +601,7 @@ + hp->hd[h2].e = p; + + if (!Tlen(hp->hd[h2])) +- return (413); ++ return (400); + + /* Skip SP */ + for (; vct_issp(*p); p++) { +--- /dev/null ++++ b/bin/varnishtest/tests/r01367.vtc +@@ -0,0 +1,30 @@ ++varnishtest "blank GET" ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++ sub vcl_error { ++ return (restart); ++ } ++} -start ++ ++client c1 { ++ send "GET \nHost: example.com\n\n" ++ rxresp ++ expect resp.status == 400 ++} -run ++ ++client c1 { ++ txreq -hdr "Expect: Santa-Claus" ++ rxresp ++ expect resp.status == 417 ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run diff -Nru varnish-3.0.2/debian/patches/series varnish-3.0.2/debian/patches/series --- varnish-3.0.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ varnish-3.0.2/debian/patches/series 2013-12-02 07:40:45.000000000 +0100 @@ -0,0 +1 @@ +CVE-2013-4484.patch
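Review bot: in the cache_center.c hunk at @@ -1478,10 +1481,14 @@ only 400 and 413 get a status line written before `if (err_code != 0)` closes the session, so any other non-zero value coming back from http_DissectRequest would drop the connection with no response at all. If 400 and 413 are the only non-zero returns in 3.0.2, a short comment saying so would help; otherwise add a fallback write. Braces around the two unbraced `if`/`else if` bodies would also help, since the following `if (err_code != 0) {` reads at first glance as a third branch of the same chain.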
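Review bot: the @@ -1493,12 +1500,6 @@ hunk drops the `sp->err_code = done; sp->step = STP_ERROR;` path, so unparseable requests no longer reach vcl_error; the status line is written directly and the session is closed. That is the actual fix (a `return(restart)` in vcl_error, the configuration Stig describes as the vulnerable one, is never reached for such requests), but it is also a user-visible change for sites whose vcl_error handles status 400 or 413 (for example the workaround above), so the debian/changelog entry should mention that these responses now bypass VCL.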
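Review bot: in the @@ -1508,13 +1509,14 @@ hunk the Expect failure now calls `vca_close_session(sp, "junk")`, the same close reason used for requests that failed to parse, although here the request parsed fine and only the Expect value was unsupported; a distinct reason string would make the session log easier to read. Same VCL-bypass caveat as for 400/413: vcl_error no longer sees status 417.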
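Review bot: the cache_http.c hunk changes the empty-token return from 413 to 400, which is what r01367.vtc expects for `GET \n`; since the DEP-3 Description only talks about the denial of service, a one-line note there that a missing URI is now answered with 400 rather than 413 would save the next reader a trip through the diff.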
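Review bot: r01367.vtc exercises the blank-URI 400 path and the Expect 417 path with `return (restart)` in vcl_error, but nothing asserts on the 413 branch added in cnt_start (`r_413`); a client that triggers a 413 would cover that write as well. Minor: the three sequential clients are all named c1; naming them c1, c2, c3 makes a failing step easier to spot in the varnishtest output.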