Hi Stig, On Mon, Dec 02, 2013 at 09:46:29PM +0100, Salvatore Bonaccorso wrote: > Hi, > > On Mon, Dec 02, 2013 at 09:52:01PM +0100, Stig Sandbeck Mathisen wrote: > > Salvatore Bonaccorso <car...@debian.org> writes: > > > > > Thanks for fixing this with the 3.0.5-1 upload. Could you please also > > > prepare packages for squeeze-security and wheezy-security? I did > > > already had a look at wheezy today, attached is proposed debdiff (but > > > not yet tested apart the testsuite). > > > > Thanks for the debdiff. I'll take a look at it. > > Thanks. > > > Do you, by any chance, have this as a git commit available somewhere? > > Yes, sure. Attaching a format-patch from my local copy.
And attached also the one for squeeze-security. Unless something obvious broken or regression with these, I plan to prepare a DSA for these. (It passes all the testsuite so far). Regards, Salvatore
From c0a927032f2deba8755607e2de389b2c931262d0 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso <car...@debian.org> Date: Sun, 1 Dec 2013 23:18:34 +0100 Subject: [PATCH] Add CVE-2013-4484.patch patch CVE-2013-4484: A remote attacker can mount a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI. Closes: #728989 --- debian/patches/CVE-2013-4484.patch | 107 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 108 insertions(+) create mode 100644 debian/patches/CVE-2013-4484.patch diff --git a/debian/patches/CVE-2013-4484.patch b/debian/patches/CVE-2013-4484.patch new file mode 100644 index 0000000..cb2267f --- /dev/null +++ b/debian/patches/CVE-2013-4484.patch @@ -0,0 +1,107 @@ +Description: Fix denial of service handling certain GET requests + CVE-2013-4484: A remote attacker can mount a denial of service + (child-process crash and temporary caching outage) via a GET request + with trailing whitespace characters and no URI. +Origin: backport, https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 +Bug: https://www.varnish-cache.org/trac/ticket/1367 +Bug-Debian: http://bugs.debian.org/728989 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1025127 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-12-07 + +--- /dev/null ++++ b/bin/varnishtest/tests/r01367.vtc +@@ -0,0 +1,30 @@ ++test "blank GET" ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++ sub vcl_error { ++ return (restart); ++ } ++} -start ++ ++client c1 { ++ send "GET \nHost: example.com\n\n" ++ rxresp ++ expect resp.status == 400 ++} -run ++ ++client c1 { ++ txreq -hdr "Expect: Santa-Claus" ++ rxresp ++ expect resp.status == 417 ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run +--- a/bin/varnishd/cache_center.c ++++ b/bin/varnishd/cache_center.c +@@ -1096,9 +1096,11 @@ + static int + cnt_start(struct sess *sp) + { +- int done; ++ int err_code; + char *p; +- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; ++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + AZ(sp->restarts); +@@ -1121,10 +1123,12 @@ + sp->wrk->vcl = NULL; + + http_Setup(sp->http, sp->ws); +- done = http_DissectRequest(sp); ++ err_code = http_DissectRequest(sp); + + /* If we could not even parse the request, just close */ +- if (done < 0) { ++ if (err_code == 400) ++ (void)write(sp->fd, r_400, strlen(r_400)); ++ if (err_code != 0) { + sp->step = STP_DONE; + vca_close_session(sp, "junk"); + return (0); +@@ -1136,12 +1140,6 @@ + /* Catch original request, before modification */ + HTTP_Copy(sp->http0, sp->http); + +- if (done != 0) { +- sp->err_code = done; +- sp->step = STP_ERROR; +- return (0); +- } +- + sp->doclose = http_DoConnection(sp->http); + + /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ +@@ -1151,13 +1149,14 @@ + */ + if (http_GetHdr(sp->http, H_Expect, &p)) { + if (strcasecmp(p, "100-continue")) { +- sp->err_code = 417; +- sp->step = STP_ERROR; ++ (void)write(sp->fd, r_417, strlen(r_417)); ++ sp->step = STP_DONE; ++ vca_close_session(sp, "junk"); + return (0); + } + + /* XXX: Don't bother with write failures for now */ +- (void)write(sp->fd, r, strlen(r)); ++ (void)write(sp->fd, r_100, strlen(r_100)); + /* XXX: When we do ESI includes, this is not removed + * XXX: because we use http0 as our basis. Believed + * XXX: safe, but potentially confusing. diff --git a/debian/patches/series b/debian/patches/series index 237a7cf..f1696f2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ debian-changes-2.1.3-8 +CVE-2013-4484.patch -- 1.8.5.1
signature.asc
Description: Digital signature
