diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-21 12:13:33 +0100 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-11-22 10:07:38 +0100 |
| commit | 336cc11a149e0b1e44bf74c1ba3fa8aa340a828f (patch) | |
| tree | 2dd0f858733cb5a7dd0863bce4bd6b7afccf4d25 /main/varnish/CVE-2017-12425.patch | |
| parent | 34e89c4d9e42e4680ca030051e82b28a2c22a508 (diff) | |
| download | aports-336cc11a149e0b1e44bf74c1ba3fa8aa340a828f.tar.bz2 aports-336cc11a149e0b1e44bf74c1ba3fa8aa340a828f.tar.xz | |
main/varnish: security upgrade to 4.1.9 (CVE-2017-8807)
fixes #8168
Diffstat (limited to 'main/varnish/CVE-2017-12425.patch')
| -rw-r--r-- | main/varnish/CVE-2017-12425.patch | 108 |
1 files changed, 0 insertions, 108 deletions
diff --git a/main/varnish/CVE-2017-12425.patch b/main/varnish/CVE-2017-12425.patch deleted file mode 100644 index 0ff0d9f57a..0000000000 --- a/main/varnish/CVE-2017-12425.patch +++ /dev/null @@ -1,108 +0,0 @@ -From c37821ddd539a23845ae8e9a7a9cc958358c1541 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland <martin@varnish-software.com> -Date: Thu, 27 Jul 2017 11:52:58 +0200 -Subject: [PATCH] Correctly handle bogusly large chunk sizes - -This fixes a denial of service attack vector where bogusly large chunk -sizes in requests could be used to force restarts of the Varnish -server. - -This is Varnish Security Vulnerability VSV00001 - -For more information visit: https://varnish-cache.org/security/VSV00001 - -Fixes: #2379 ---- - bin/varnishd/http1/cache_http1_vfp.c | 2 +- - bin/varnishtest/tests/f00001.vtc | 69 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 1 deletion(-) - create mode 100644 bin/varnishtest/tests/f00001.vtc - -diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c -index b836cd3ca..ded1550bf 100644 ---- a/bin/varnishd/http1/cache_http1_vfp.c -+++ b/bin/varnishd/http1/cache_http1_vfp.c -@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, - if (q == NULL || *q != '\0') - return (VFP_Error(vc, "chunked header number syntax")); - cl = (ssize_t)cll; -- if((uintmax_t)cl != cll) -+ if (cl < 0 || (uintmax_t)cl != cll) - return (VFP_Error(vc, "bogusly large chunk size")); - - vfe->priv2 = cl; -diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc -new file mode 100644 -index 000000000..bfb559228 ---- /dev/null -+++ b/bin/varnishtest/tests/f00001.vtc -@@ -0,0 +1,69 @@ -+varnishtest "Check that we handle bogusly large chunks correctly" -+ -+# Check that the bug has been fixed -+ -+server s1 { -+ rxreq -+ txresp -+ -+ accept -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -vcl+backend { -+} -start -+ -+client c1 { -+ send "POST / HTTP/1.1\r\n" -+ send "Transfer-Encoding: chunked\r\n\r\n" -+ send "FFFFFFFFFFFFFFED\r\n" -+ send "0\r\n\r\n" -+ -+ rxresp -+ expect resp.status == 503 -+} -run -+ -+# Check that the published workaround does not cause harm -+ -+varnish v1 -cliok "param.set vcc_allow_inline_c true" -+ -+varnish v1 -vcl+backend { -+ sub exploit_workaround { -+ # This needs to be defined before your vcl_recv function -+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true -+ if (req.http.transfer-encoding ~ "(?i)chunked") { -+ C{ -+ struct dummy_req { -+ unsigned magic; -+ int step; -+ int req_body_status; -+ }; -+ ((struct dummy_req *)ctx->req)->req_body_status = 5; -+ }C -+ -+ return (synth(503, "Bad request")); -+ } -+ } -+ -+ sub vcl_recv { -+ # Call this early in your vcl_recv function -+ call exploit_workaround; -+ } -+} -+ -+client c1 { -+ send "POST / HTTP/1.1\r\n" -+ send "Transfer-Encoding: chunked\r\n\r\n" -+ send "FFFFFFFFFFFFFFED\r\n" -+ -+ expect_close -+} -run -+ -+# Make sure that varnish is still running -+ -+client c1 { -+ txreq -+ rxresp -+ expect resp.status == 200 -+} -run |