Control: tags 990303 + patch Hi Jean Baptiste,
I've prepared an NMU for trafficserver (versioned as 8.1.1+ds-1.1). The diff is attached to this message. Given the timeframe for the full freeze I went ahead without delay, as Moritz would like to see a buster-security update as well. I hope it was fine with you that I uploaded the NMU version straight to unstable, including a cherry-pick of the commit Moritz referenced before. Regards, Salvatore
diff -Nru trafficserver-8.1.1+ds/debian/changelog trafficserver-8.1.1+ds/debian/changelog
--- trafficserver-8.1.1+ds/debian/changelog 2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/changelog 2021-07-15 21:48:17.000000000 +0200
@@ -1,3 +1,20 @@
+trafficserver (8.1.1+ds-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
+ CVE-2021-35474.
+ - CVE-2021-27577: Incorrect handling of url fragment leads to cache
+ poisoning
+ - CVE-2021-32565: HTTP Request Smuggling, content length with invalid
+ charters
+ - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to
+ crash
+ - CVE-2021-32567: Reading HTTP/2 frames too many times
+ - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin
+ (Closes: #990303)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Thu, 15 Jul 2021 21:48:17 +0200
+
 trafficserver (8.1.1+ds-1) unstable; urgency=medium
 
 * New upstream version 8.1.0+ds
diff -Nru trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch
--- trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch 1970-01-01 01:00:00.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch 2021-07-15 21:45:16.000000000 +0200
@@ -0,0 +1,153 @@
+From: Evan Zelkowitz <e...@apache.org>
+Date: Tue, 22 Jun 2021 14:32:55 -0700
+Subject: Fixes (#7971)
+Origin: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27577
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32565
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32566
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32567
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-35474
+Bug-Debian: https://bugs.debian.org/990303
+
+* String the url fragment for outgoing requests (#7966)
+
+Co-authored-by: Susan Hinrichs <shinr...@verizonmedia.com>
+(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d)
+
+* Ensure that the content-length value is only digits (#7964)
+
+Co-authored-by: Susan Hinrichs <shinr...@verizonmedia.com>
+(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)
+
+* Schedule H2 reenable event only if it's necessary
+
+Co-authored-by: Katsutoshi Ikenoya <kiken...@yahoo-corp.jp>
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin
+
+* Check dst_size include null termination
+
+(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)
+
+Co-authored-by: Bryan Call <bc...@apache.org>
+Co-authored-by: Masakazu Kitajo <mas...@apache.org>
+Co-authored-by: Katsutoshi Ikenoya <kiken...@yahoo-corp.jp>
+Co-authored-by: Masaori Koshiba <masa...@apache.org>
+---
+ plugins/cachekey/cachekey.cc | 2 +-
+ proxy/hdrs/HTTP.cc | 11 +++++++++++
+ proxy/http/HttpTransact.cc | 5 ++++-
+ proxy/http2/Http2ClientSession.cc | 14 +++++++-------
+ proxy/logging/LogUtils.cc | 2 +-
+ 5 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index 5f128894bfa8..44925b3db280 100644
+--- a/plugins/cachekey/cachekey.cc
++++ b/plugins/cachekey/cachekey.cc
+@@ -41,7 +41,7 @@ appendEncoded(String &target, const char *s, size_t len)
+ return;
+ }
+ 
+- char tmp[len * 2];
++ char tmp[len * 3 + 1];
+ size_t written;
+ 
+ /* The default table does not encode the comma, so we need to use our own table here. */
+diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc
+index 6a2ecc41d3ad..48032dd9ddf4 100644
+--- a/proxy/hdrs/HTTP.cc
++++ b/proxy/hdrs/HTTP.cc
+@@ -1202,6 +1202,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh)
+ int content_length_len = 0;
+ const char *content_length_val = content_length_field->value_get(&content_length_len);
+ 
++ // RFC 7230 section 3.3.2
++ // Content-Length = 1*DIGIT
++ //
++ // If the content-length value contains a non-numeric value, the header is invalid
++ for (int i = 0; i < content_length_len; i++) {
++ if (!isdigit(content_length_val[i])) {
++ Debug("http", "Content-Length value contains non-digit, returning parse error");
++ return PARSE_RESULT_ERROR;
++ }
++ }
++
+ while (content_length_field->has_dups()) {
+ int content_length_len_2 = 0;
+ const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2);
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index c3d135b98e88..2de29a8d08d8 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -7619,9 +7619,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r
+ 
+ // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea
+ 
++ URL *url = outgoing_request->url_get();
++ // Remove fragment from upstream URL
++ url->fragment_set(NULL, 0);
++
+ // Check whether a Host header field is missing from a 1.0 or 1.1 request.
+ if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) {
+- URL *url = outgoing_request->url_get();
+ int host_len;
+ const char *host = url->host_get(&host_len);
+ 
+diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
+index 6d7d3de79923..ee952b8a2753 100644
+--- a/proxy/http2/Http2ClientSession.cc
++++ b/proxy/http2/Http2ClientSession.cc
+@@ -82,11 +82,6 @@ Http2ClientSession::destroy()
+ void
+ Http2ClientSession::free()
+ {
+- if (this->_reenable_event) {
+- this->_reenable_event->cancel();
+- this->_reenable_event = nullptr;
+- }
+-
+ if (h2_pushed_urls) {
+ this->h2_pushed_urls = ink_hash_table_destroy(this->h2_pushed_urls);
+ }
+@@ -107,6 +102,11 @@ Http2ClientSession::free()
+ REMEMBER(NO_EVENT, this->recursion)
+ Http2SsnDebug("session free");
+ 
++ if (this->_reenable_event) {
++ this->_reenable_event->cancel();
++ this->_reenable_event = nullptr;
++ }
++
+ // Don't free active ProxySession
+ ink_release_assert(is_active() == false);
+ 
+@@ -653,8 +653,8 @@ Http2ClientSession::remember(const SourceLocation &location, int event, int reen
+ bool
+ Http2ClientSession::_should_do_something_else()
+ {
+- // Do something else every 128 incoming frames
+- return (this->_n_frame_read & 0x7F) == 0;
++ // Do something else every 128 incoming frames if connection state isn't closed
++ return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed();
+ }
+ 
+ int64_t
+diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc
+index 94becf250ac2..475bee87cad4 100644
+--- a/proxy/logging/LogUtils.cc
++++ b/proxy/logging/LogUtils.cc
+@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char *
+ //
+ size_t out_len = len_in + 2 * count;
+ 
+- if (dst && out_len > dst_size) {
++ if (dst && (out_len + 1) > dst_size) {
+ *len_out = 0;
+ return nullptr;
+ }
+--
+2.32.0
+
diff -Nru trafficserver-8.1.1+ds/debian/patches/series trafficserver-8.1.1+ds/debian/patches/series
--- trafficserver-8.1.1+ds/debian/patches/series 2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/series 2021-07-15 21:45:33.000000000 +0200
@@ -10,3 +10,4 @@
 0015-as-needed-fix.patch
 0016-fix_python_3.8.patch
 0017-fix_sphinx_3.0.patch
+0018-Fixes-7971.patch
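Review bot: The digit check added to validate_hdr_content_length in the HTTP.cc part of this patch passes a plain `char` to `isdigit()`, which is undefined behaviour for bytes with the high bit set on platforms where `char` is signed — exactly the kind of byte this validation exists to reject; cast first: `if (!isdigit(static_cast<unsigned char>(content_length_val[i]))) {`. The loop also accepts an empty value (`content_length_len == 0`) although RFC 7230 requires `1*DIGIT`; unless the code after this hunk already rejects that case, an explicit `if (content_length_len == 0) return PARSE_RESULT_ERROR;` before the loop would close it. In the cachekey part, `char tmp[len * 3 + 1]` is still a variable-length array on the stack sized by the input, so the overflow fix does not bound stack usage for a long input — a heap-allocated buffer, or encoding straight into `target`, would be the robust form. Both enclosing functions start and end outside the hunk.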