Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 + confirmed On Thu, 2019-08-22 at 11:51 +0200, Carsten Leonhardt wrote: [...] > longer testing revealed a regression (CPU load built up slowly, > finally reaching 100%). > > I found a fix and have applied it, the fixed version is running on > live servers since at least a week now, without a sign of abnormal > CPU load. > Thanks for the update. Please go ahead. Regards, Adam
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 - confirmed Hi Adam, > On Sat, 2019-07-13 at 12:36 +0200, Carsten Leonhardt wrote: >> Control: tags -1 - moreinfo >> >> Hi, >> >> attached is a new debdiff, the only change is that I removed some >> cruft >> from the "Origin" field in the patch metadata. >> >> I've deployed this version on live servers this morning and tested >> them. >> > > Please go ahead; thanks. longer testing revealed a regression (CPU load built up slowly, finally reaching 100%). I found a fix and have applied it, the fixed version is running on live servers since at least a week now, without a sign of abnormal CPU load. To see just the fix: https://salsa.debian.org/debian/pound/commit/bdd20196df7ff52f65c57c83c1ae5a56e74bca03 A full debdiff is attached. Sorry for the complication, I should have written earlier. Regards, Carsten diff -Nru pound-2.7/debian/changelog pound-2.7/debian/changelog --- pound-2.7/debian/changelog 2017-02-19 14:13:02.0 + +++ pound-2.7/debian/changelog 2019-07-07 21:44:04.0 + @@ -1,3 +1,10 @@ +pound (2.7-1.3+deb9u1) stretch; urgency=medium + + * Fix request smuggling via crafted headers, CVE-2016-10711 +(Closes: #888786). + + -- Carsten Leonhardt Sun, 07 Jul 2019 23:44:04 +0200 + pound (2.7-1.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru pound-2.7/debian/patches/0003-CVE-2016-1071.patch pound-2.7/debian/patches/0003-CVE-2016-1071.patch --- pound-2.7/debian/patches/0003-CVE-2016-1071.patch 1970-01-01 00:00:00.0 + +++ pound-2.7/debian/patches/0003-CVE-2016-1071.patch 2019-07-07 21:44:04.0 + 
@@ -0,0 +1,210 @@ +Description: Backport fix for CVE-2016-10711 +Author: Robert Segall +Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz +Last-Update: 2019-07-07 +--- a/http.c b/http.c +@@ -31,7 +31,8 @@ + static char *h500 = "500 Internal Server Error", + *h501 = "501 Not Implemented", + *h503 = "503 Service Unavailable", +-*h414 = "414 Request URI too long"; ++*h414 = "414 Request URI too long", ++*h400 = "Bad Request"; + + static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s"; + +@@ -83,7 +84,7 @@ + safe_url, safe_url); + snprintf(rep, sizeof(rep), + "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n", +-code, code_msg, safe_url, strlen(cont)); ++code, code_msg, safe_url, (int)strlen(cont)); + BIO_write(c, rep, strlen(rep)); + BIO_write(c, cont, strlen(cont)); + BIO_flush(c); +@@ -126,11 +127,11 @@ + get_line(BIO *const in, char *const buf, const int bufsize) + { + chartmp; +-int i, n_read; ++int i, n_read, seen_cr; + + memset(buf, 0, bufsize); +-for(n_read = 0;;) +-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) { ++for(i = 0, seen_cr = 0; i < bufsize - 1; i++) ++switch(BIO_read(in, &tmp, 1)) { + case -2: + /* BIO_gets not implemented */ + return -1; +@@ -138,24 +139,49 @@ + case -1: + return 1; + default: +-for(i = n_read; i < bufsize && buf[i]; i++) +-if(buf[i] == '\n' || buf[i] == '\r') { +-buf[i] = '\0'; ++if(seen_cr) ++if(tmp != '\n') { ++/* we have CR not followed by NL */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; ++} else { ++buf[i - 1] = '\0'; + return 0; + } +-if(i < bufsize) { +-n_read = i; ++ ++if(!iscntrl(tmp) || tmp == '\t') { ++buf[i] = tmp; ++continue; ++} ++ ++if(tmp == '\r') { ++seen_cr = 1; + continue; + } +-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf); +-/* skip rest of "line" */ +-tmp = '\0'; 
+-while(tmp != '\n') +-if(BIO_read(in, &tmp, 1) != 1) ++ ++if(tmp == '\n') { ++/* line ends in NL only (no CR) */ ++buf[i] = 0; ++return 0; ++} ++ ++/* all other control characters cause an error */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) + return 1; +-break; ++} while(tmp != '\n'); ++return 1; + } +-return 0; ++ ++/* line too long */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; + } + + /* +@@ -393,22 +419,16 @@ + +
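Review bot: The three skip loops added to get_line on the new side, `if(BIO_read(in, &tmp, 1) < 0) return 1;` inside `do { … } while(tmp != '\n');`, never terminate when BIO_read returns 0 (e.g. a closed connection): tmp is left unchanged, the condition stays true and the thread spins at full CPU — which is consistent with the slow CPU build-up reported in this thread, and differs from the code being removed, which bailed on `!= 1`. Each of the three loops should stop on any non-positive return, `if(BIO_read(in, &tmp, 1) <= 0) return 1;`; the attached excerpt is truncated, so I cannot tell whether the linked salsa commit already does this — please confirm. Separately, `iscntrl(tmp)` is called with a plain `char`, which is undefined for bytes ≥ 0x80 where char is signed; use `iscntrl((unsigned char)tmp)`. The 0-return arm of the enclosing switch falls between the two hunks, and `n_read` appears to be declared but no longer used. Also the patch file is named 0003-CVE-2016-1071.patch while the CVE it backports is CVE-2016-10711 — a digit seems to have been dropped.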
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 + confirmed On Sat, 2019-07-13 at 12:36 +0200, Carsten Leonhardt wrote: > Control: tags -1 - moreinfo > > Hi, > > attached is a new debdiff, the only change is that I removed some > cruft > from the "Origin" field in the patch metadata. > > I've deployed this version on live servers this morning and tested > them. > Please go ahead; thanks. Regards, Adam
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 - moreinfo Hi, attached is a new debdiff, the only change is that I removed some cruft from the "Origin" field in the patch metadata. I've deployed this version on live servers this morning and tested them. Also, the bug is now fixed in sid. Regards, Carsten diff -Nru pound-2.7/debian/changelog pound-2.7/debian/changelog --- pound-2.7/debian/changelog 2017-02-19 14:13:02.0 + +++ pound-2.7/debian/changelog 2019-07-07 21:44:04.0 + @@ -1,3 +1,10 @@ +pound (2.7-1.3+deb9u1) stretch; urgency=medium + + * Fix request smuggling via crafted headers, CVE-2016-10711 +(Closes: #888786). + + -- Carsten Leonhardt Sun, 07 Jul 2019 23:44:04 +0200 + pound (2.7-1.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru pound-2.7/debian/patches/0003-CVE-2016-1071.patch pound-2.7/debian/patches/0003-CVE-2016-1071.patch --- pound-2.7/debian/patches/0003-CVE-2016-1071.patch 1970-01-01 00:00:00.0 + +++ pound-2.7/debian/patches/0003-CVE-2016-1071.patch 2019-07-07 21:44:04.0 + 
@@ -0,0 +1,210 @@ +Description: Backport fix for CVE-2016-10711 +Author: Robert Segall +Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz +Last-Update: 2019-07-07 +--- a/http.c b/http.c +@@ -31,7 +31,8 @@ + static char *h500 = "500 Internal Server Error", + *h501 = "501 Not Implemented", + *h503 = "503 Service Unavailable", +-*h414 = "414 Request URI too long"; ++*h414 = "414 Request URI too long", ++*h400 = "Bad Request"; + + static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s"; + +@@ -83,7 +84,7 @@ + safe_url, safe_url); + snprintf(rep, sizeof(rep), + "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n", +-code, code_msg, safe_url, strlen(cont)); ++code, code_msg, safe_url, (int)strlen(cont)); + BIO_write(c, rep, strlen(rep)); + BIO_write(c, cont, strlen(cont)); + BIO_flush(c); +@@ -126,11 +127,11 @@ + get_line(BIO *const in, char *const buf, const int bufsize) + { + chartmp; +-int i, n_read; ++int i, n_read, seen_cr; + + memset(buf, 0, bufsize); +-for(n_read = 0;;) +-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) { ++for(i = 0, seen_cr = 0; i < bufsize - 1; i++) ++switch(BIO_read(in, &tmp, 1)) { + case -2: + /* BIO_gets not implemented */ + return -1; +@@ -138,24 +139,49 @@ + case -1: + return 1; + default: +-for(i = n_read; i < bufsize && buf[i]; i++) +-if(buf[i] == '\n' || buf[i] == '\r') { +-buf[i] = '\0'; ++if(seen_cr) ++if(tmp != '\n') { ++/* we have CR not followed by NL */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; ++} else { ++buf[i - 1] = '\0'; + return 0; + } +-if(i < bufsize) { +-n_read = i; ++ ++if(!iscntrl(tmp) || tmp == '\t') { ++buf[i] = tmp; ++continue; ++} ++ ++if(tmp == '\r') { ++seen_cr = 1; + continue; + } +-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf); +-/* skip rest of "line" */ +-tmp = '\0'; 
+-while(tmp != '\n') +-if(BIO_read(in, &tmp, 1) != 1) ++ ++if(tmp == '\n') { ++/* line ends in NL only (no CR) */ ++buf[i] = 0; ++return 0; ++} ++ ++/* all other control characters cause an error */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) + return 1; +-break; ++} while(tmp != '\n'); ++return 1; + } +-return 0; ++ ++/* line too long */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; + } + + /* +@@ -393,22 +419,16 @@ + + /* HTTP/1.1 allows leading CRLF */ + memset(buf, 0, MAXBUF); +-while((res = BIO_gets(in, buf, MAXBUF - 1)) > 0) { +-has_eol = strip_eol(buf); ++while((res = get_line(in, buf, MAXBUF)) == 0) + if(buf[0]) + break; +-} + +-if(res <= 0) { ++if(res < 0) { + /* this is expected to occur only on client reads */ + /* logmsg(LOG_NOTICE, "headers: bad starting read"); */ + return NULL; +-} else if(!has_eol) { +-/* check for request length limit */ +-logmsg(LOG_WARNI
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 - moreinfo > On 2019-07-08 09:40, Carsten Leonhardt wrote: >> pound is affected by non-dsa CVE-2016-10711. > > The metadata for #888786 indicates that the issue affects the package > in unstable, and is not yet fixed there. Is that correct? No, the package was removed from unstable. I reintroduced it only in experimental so far. Regards, Carsten
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Control: tags -1 + moreinfo On 2019-07-08 09:40, Carsten Leonhardt wrote: pound is affected by non-dsa CVE-2016-10711. The metadata for #888786 indicates that the issue affects the package in unstable, and is not yet fixed there. Is that correct? Regards, Adam
Bug#931610: stretch-pu: package pound/2.7-1.3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu pound is affected by non-dsa CVE-2016-10711. Attached is the diff, backported from pound 2.8a, same as the diff being used by SUSE. (c.f. https://security-tracker.debian.org/tracker/CVE-2016-10711 ) Thanks! diff --git a/debian/changelog b/debian/changelog index d5946a9..d59d80c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pound (2.7-1.3+deb9u1) stretch; urgency=medium + + * Fix request smuggling via crafted headers, CVE-2016-10711 +(Closes: #888786). + + -- Carsten Leonhardt Sun, 07 Jul 2019 23:44:04 +0200 + pound (2.7-1.3) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/patches/0003-CVE-2016-1071.patch b/debian/patches/0003-CVE-2016-1071.patch new file mode 100644 index 000..09da940 --- /dev/null +++ b/debian/patches/0003-CVE-2016-1071.patch 
@@ -0,0 +1,210 @@ +Description: Backport fix for CVE-2016-10711 +Author: Robert Segall +Origin: upstream, http://www.apsis.ch/pound/Pound-2.8a.tgz +Last-Update: 2019-07-07 +--- a/http.c b/http.c +@@ -31,7 +31,8 @@ + static char *h500 = "500 Internal Server Error", + *h501 = "501 Not Implemented", + *h503 = "503 Service Unavailable", +-*h414 = "414 Request URI too long"; ++*h414 = "414 Request URI too long", ++*h400 = "Bad Request"; + + static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s"; + +@@ -83,7 +84,7 @@ + safe_url, safe_url); + snprintf(rep, sizeof(rep), + "HTTP/1.0 %d %s\r\nLocation: %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n", +-code, code_msg, safe_url, strlen(cont)); ++code, code_msg, safe_url, (int)strlen(cont)); + BIO_write(c, rep, strlen(rep)); + BIO_write(c, cont, strlen(cont)); + BIO_flush(c); +@@ -126,11 +127,11 @@ + get_line(BIO *const in, char *const buf, const int bufsize) + { + chartmp; +-int i, n_read; ++int i, n_read, seen_cr; + + memset(buf, 0, bufsize); +-for(n_read = 0;;) +-switch(BIO_gets(in, buf + n_read, bufsize - n_read - 1)) { ++for(i = 0, seen_cr = 0; i < bufsize - 1; i++) ++switch(BIO_read(in, &tmp, 1)) { + case -2: + /* BIO_gets not implemented */ + return -1; +@@ -138,24 +139,49 @@ + case -1: + return 1; + default: +-for(i = n_read; i < bufsize && buf[i]; i++) +-if(buf[i] == '\n' || buf[i] == '\r') { +-buf[i] = '\0'; ++if(seen_cr) ++if(tmp != '\n') { ++/* we have CR not followed by NL */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; ++} else { ++buf[i - 1] = '\0'; + return 0; + } +-if(i < bufsize) { +-n_read = i; ++ ++if(!iscntrl(tmp) || tmp == '\t') { ++buf[i] = tmp; ++continue; ++} ++ ++if(tmp == '\r') { ++seen_cr = 1; + continue; + } +-logmsg(LOG_NOTICE, "(%lx) line too long: %s", pthread_self(), buf); +-/* skip rest of "line" */ +-tmp = '\0'; 
+-while(tmp != '\n') +-if(BIO_read(in, &tmp, 1) != 1) ++ ++if(tmp == '\n') { ++/* line ends in NL only (no CR) */ ++buf[i] = 0; ++return 0; ++} ++ ++/* all other control characters cause an error */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) + return 1; +-break; ++} while(tmp != '\n'); ++return 1; + } +-return 0; ++ ++/* line too long */ ++do { ++if(BIO_read(in, &tmp, 1) < 0) ++return 1; ++} while(tmp != '\n'); ++return 1; + } + + /* +@@ -393,22 +419,16 @@ + + /* HTTP/1.1 allows leading CRLF */ + memset(buf, 0, MAXBUF); +-while((res = BIO_gets(in, buf, MAXBUF - 1)) > 0) { +-has_eol = strip_eol(buf); ++while((res = get_line(in, buf, MAXBUF)) == 0) + if(buf[0]) + break; +-} + +-if(res <= 0) { ++if(res < 0) { + /* this is expected to occur only on client reads */ + /* logmsg(LOG_NOTICE, "headers: bad starting read"); */ + return NULL; +-} else if(!has_eol) { +-/* check for request length limit */ +-logmsg(LOG_WARNING, "(%lx) e414 headers: request URI too long", pthread_self()); +-err_reply(cl, h414, lstn->err414); +-