add patch for CVE-2013-4484/bnc848451

OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=63
2013-11-01 18:55:27 +00:00 · 2013-11-01 18:55:27 +00:00 · 0fd5fc57ff
commit 0fd5fc57ff
parent 3bb635b81a
3 changed files with 147 additions and 2 deletions
--- a/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
+++ b/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
@ -0,0 +1,136 @@
+From 4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Wed, 30 Oct 2013 13:48:20 +0100
+Subject: [PATCH] Make up our mind:  Any req.* we receive from the client with
+ fundamental trouble gets failed back without VCL involvement.
+References: https://www.varnish-cache.org/trac/ticket/1367
+References: CVE-2013-4484
+References: https://bugzilla.novell.com/show_bug.cgi?id=848451
+
+Fixes	#1367
+---
+ bin/varnishd/cache_center.c      | 28 +++++++++++++++-------------
+ bin/varnishd/cache_http.c        |  2 +-
+ bin/varnishtest/tests/r01367.vtc | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 14 deletions(-)
+ create mode 100644 bin/varnishtest/tests/r01367.vtc
+
+diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c
+index 19eb2ce..fdf7cee 100644
+--- a/bin/varnishd/cache_center.c
+++ b/bin/varnishd/cache_center.c
+@@ -1474,9 +1474,12 @@ DOT start -> recv [style=bold,color=green]
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	uint16_t done;
+	uint16_t err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
+	const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
+	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -1499,10 +1502,14 @@ cnt_start(struct sess *sp)
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
+	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done == 400) {
+	if (err_code == 400)
+		(void)write(sp->fd, r_400, strlen(r_400));
+	else if (err_code == 413)
+		(void)write(sp->fd, r_413, strlen(r_413));
+	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
+@@ -1514,12 +1521,6 @@ cnt_start(struct sess *sp)
+ 	/* Catch original request, before modification */
+ 	HTTP_Copy(sp->http0, sp->http);
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -1529,13 +1530,14 @@ cnt_start(struct sess *sp)
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcasecmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
+			(void)write(sp->fd, r_417, strlen(r_417));
+			sp->step = STP_DONE;
+			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
+		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
+diff --git a/bin/varnishd/cache_http.c b/bin/varnishd/cache_http.c
+index 8753acc..605975b 100644
+--- a/bin/varnishd/cache_http.c
+++ b/bin/varnishd/cache_http.c
+@@ -601,7 +601,7 @@ http_splitline(struct worker *w, int fd, struct http *hp,
+ 	hp->hd[h2].e = p;
+ 
+ 	if (!Tlen(hp->hd[h2]))
+-		return (413);
+		return (400);
+ 
+ 	/* Skip SP */
+ 	for (; vct_issp(*p); p++) {
+diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc
+new file mode 100644
+index 0000000..e1de20a
+--- /dev/null
+++ b/bin/varnishtest/tests/r01367.vtc
+@@ -0,0 +1,30 @@
+varnishtest "blank GET"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend { 
+	sub vcl_error {
+		return (restart);
+	}
+} -start
+
+client c1 {
+	send "GET    \nHost: example.com\n\n"
+	rxresp
+	expect resp.status == 400
+} -run
+
+client c1 {
+	txreq -hdr "Expect: Santa-Claus"
+	rxresp
+	expect resp.status == 417
+} -run
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
+-- 
+1.8.2
+
--- a/varnish.changes
+++ b/varnish.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Nov  1 18:52:49 UTC 2013 - jengelh@inai.de
+
+- Add 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
+  (CVE-2013-4484, bnc#48451)
+
 -------------------------------------------------------------------
 Fri Oct  4 21:48:01 UTC 2013 - jengelh@inai.de

--- a/varnish.spec
+++ b/varnish.spec
@ -24,8 +24,10 @@ License:        BSD-2-Clause
 Group:          Productivity/Networking/Web/Proxy
 URL:            http://varnish-cache.org/

+#Git-Clone:	git://git.varnish-cache.org/varnish-cache
+#Git-Web:	https://varnish-cache.org/trac/browser
 #DL-URL:	http://downloads.sf.net/varnish/%name-%version.tar.bz2
-Source0:	%name-%version.tar.xz
+Source:         %name-%version.tar.xz
 Source2:    varnish.init
 Source3:    varnish.sysconfig
 Source4:	vcl.conf
@ -34,6 +36,7 @@ Source6:    varnishlog.init
 Source7:	varnish.service
 Source8:	varnishlog.service
 Patch1:		varnish-disable-pcrejit.diff
+Patch2:         0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch

 BuildRoot:      %_tmppath/%name-%version-build
 BuildRequires:  libxslt, ncurses-devel, pcre-devel
@ -96,7 +99,7 @@ This package holds the development files for varnish.

 %prep
 %setup -q
-%patch -P 1 -p1
+%patch -P 1 -P 2 -p1

 %build
 export CFLAGS="%optflags -fstack-protector"