Hi,

On Mon, Dec 02, 2013 at 09:52:01PM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <car...@debian.org> writes:
> 
> > Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> > prepare packages for squeeze-security and wheezy-security? I already
> > had a look at wheezy today; attached is a proposed debdiff (not yet
> > tested apart from the testsuite).
> 
> Thanks for the debdiff. I'll take a look at it.

Thanks.

> Do you, by any chance, have this as a git commit available somewhere?

Yes, sure. Attaching a format-patch from my local copy.

Regards,
Salvatore
From 2bc2e7ef91d31d45e6a516225864fb1d49a0b0c5 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <car...@debian.org>
Date: Sun, 1 Dec 2013 23:18:34 +0100
Subject: [PATCH] Add CVE-2013-4484.patch patch

CVE-2013-4484: A remote attacker can mount a denial of service
(child-process crash and temporary caching outage) via a GET request
with trailing whitespace characters and no URI.

Closes: #728989
---
 debian/patches/CVE-2013-4484.patch | 121 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 2 files changed, 122 insertions(+)
 create mode 100644 debian/patches/CVE-2013-4484.patch
 create mode 100644 debian/patches/series

diff --git a/debian/patches/CVE-2013-4484.patch b/debian/patches/CVE-2013-4484.patch
new file mode 100644
index 0000000..a20fe2f
--- /dev/null
+++ b/debian/patches/CVE-2013-4484.patch
@@ -0,0 +1,121 @@
+Description: Fix denial of service handling certain GET requests
+ CVE-2013-4484: A remote attacker can mount a denial of service
+ (child-process crash and temporary caching outage) via a GET request
+ with trailing whitespace characters and no URI.
+Origin: backport, https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
+Bug: https://www.varnish-cache.org/trac/ticket/1367
+Bug-Debian: http://bugs.debian.org/728989
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1025127
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-12-01
+
+--- a/bin/varnishd/cache_center.c
++++ b/bin/varnishd/cache_center.c
+@@ -1453,9 +1453,12 @@
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	uint16_t done;
++	uint16_t err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
++	const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
++	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -1478,10 +1481,14 @@
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
++	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done == 400) {
++	if (err_code == 400)
++		(void)write(sp->fd, r_400, strlen(r_400));
++	else if (err_code == 413)
++		(void)write(sp->fd, r_413, strlen(r_413));
++	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
+@@ -1493,12 +1500,6 @@
+ 	/* Catch original request, before modification */
+ 	HTTP_Copy(sp->http0, sp->http);
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -1508,13 +1509,14 @@
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcasecmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
++			(void)write(sp->fd, r_417, strlen(r_417));
++			sp->step = STP_DONE;
++			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
++		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
+--- a/bin/varnishd/cache_http.c
++++ b/bin/varnishd/cache_http.c
+@@ -601,7 +601,7 @@
+ 	hp->hd[h2].e = p;
+ 
+ 	if (!Tlen(hp->hd[h2]))
+-		return (413);
++		return (400);
+ 
+ 	/* Skip SP */
+ 	for (; vct_issp(*p); p++) {
+--- /dev/null
++++ b/bin/varnishtest/tests/r01367.vtc
+@@ -0,0 +1,30 @@
++varnishtest "blank GET"
++
++server s1 {
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend { 
++	sub vcl_error {
++		return (restart);
++	}
++} -start
++
++client c1 {
++	send "GET    \nHost: example.com\n\n"
++	rxresp
++	expect resp.status == 400
++} -run
++
++client c1 {
++	txreq -hdr "Expect: Santa-Claus"
++	rxresp
++	expect resp.status == 417
++} -run
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
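Review bot: the `+Description:` block only describes the blank-GET case, but the backported `cnt_start` change also reroutes the 413 and `Expect` 417 paths through a raw `write()` plus `vca_close_session()` with `sp->step = STP_DONE` instead of `STP_ERROR`, so `vcl_error` no longer runs for any request-parse failure or unsupported Expect header; a sentence in the Description saying so would help users who customise `vcl_error` for those codes. Also, the `+if (err_code != 0) {` fallthrough closes the connection with no response at all for any code other than 400 or 413; if `http_DissectRequest` can only return 0, 400 or 413 that is fine, but an `assert` or a comment stating that would document the assumption, and the `/* If we could not even parse the request, just close */` comment above it could be updated now that a status line is written first.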
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6aa15b3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-4484.patch
-- 
1.8.5
