From 336cc11a149e0b1e44bf74c1ba3fa8aa340a828f Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 21 Nov 2017 12:13:33 +0100
Subject: main/varnish: security upgrade to 4.1.9 (CVE-2017-8807)

fixes #8168
---
 main/varnish/APKBUILD | 31 +++++-----
 main/varnish/CVE-2017-12425.patch | 108 ----------------------------------
 main/varnish/fix-stack-overflow.patch | 16 ++---
 3 files changed, 22 insertions(+), 133 deletions(-)
 delete mode 100644 main/varnish/CVE-2017-12425.patch

diff --git a/main/varnish/APKBUILD b/main/varnish/APKBUILD
index 853d94d01e..511753afbe 100644
--- a/main/varnish/APKBUILD
+++ b/main/varnish/APKBUILD
@@ -2,8 +2,8 @@
 # Contributor: V.Krishn
 # Maintainer: Natanael Copa
 pkgname=varnish
-pkgver=4.1.2
-pkgrel=2
+pkgver=4.1.9
+pkgrel=0
 pkgdesc="High-performance HTTP accelerator"
 url="http://www.varnish-cache.org/"
 arch="all"
@@ -16,7 +16,7 @@ install="varnish.pre-install"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-libs $pkgname-geoip"
 pkgusers="varnish"
 pkggroups="varnish"
-source="http://repo.varnish-cache.org/source/varnish-$pkgver.tar.gz
+source="http://varnish-cache.org/_downloads/varnish-$pkgver.tgz
 fix-compat-execinfo.patch
 fix-stack-overflow.patch
 musl-mode_t.patch
@@ -25,12 +25,13 @@ source="http://repo.varnish-cache.org/source/varnish-$pkgver.tar.gz
 varnishd.confd
 varnishd.logrotate
 maxminddb.vcl
- CVE-2017-12425.patch
 "
 
 _builddir="$srcdir"/varnish-$pkgver
 
 # secfixes:
+# 4.1.9-r0:
+# - CVE-2017-8807
 # 4.1.2-r2:
 # - CVE-2017-12425
 
@@ -42,7 +43,6 @@ prepare() {
 *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
 esac
 done
- update_config_sub || return 1
 }
 
 build() {
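Review bot: The new `source=` line in the `@@ -16,7 +16,7 @@` hunk fetches the release tarball over plain `http://`, so the only integrity check on what gets built is the checksum block at the bottom of the file; if upstream serves the same path over TLS, `source="https://varnish-cache.org/_downloads/varnish-$pkgver.tgz` removes the cleartext fetch, and the new sha512 entry should be compared against a digest published by upstream rather than computed from a single download. In the `@@ -25,12 +25,13 @@` hunk the `CVE-2017-12425.patch` entry is dropped while the `4.1.2-r2` secfixes line for that CVE is kept, which is fine only if 4.1.9 already contains the upstream fix; a one-line comment beside the new secfixes entry, such as `# CVE-2017-12425 fixed upstream, local patch dropped`, would record why the patch disappeared. The `prepare()` function touched by the last hunk starts before it, so the loop's error handling is not visible here.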
@@ -90,30 +90,27 @@ geoip() {
 install -m755 -D "$srcdir"/maxminddb.vcl "$subpkgdir"/usr/lib/varnish/plugins/maxminddb.vcl
 }
 
-md5sums="51d446c0193dd773f5a881f7c0beb304 varnish-4.1.2.tar.gz
+md5sums="d537dd5a89ad6d6ac77d93f04b2374f8 varnish-4.1.9.tgz
 2fec4f98c892e07d97d93a7bb8529fea fix-compat-execinfo.patch
-c942796a1359c9b7e0a5a53d16db476e fix-stack-overflow.patch
+e345a5241e68b4763de33f6c7db3350e fix-stack-overflow.patch
 54d12d231c505c95ae3ae09487b5dde4 musl-mode_t.patch
 a3d78275f93f59fd4ebad1d09fc41c9e varnishd.initd
 1ed5a6de82e6204400229fa79a54d9a7 varnishd.confd
 a6cb8a43c9465699cf956dc992998225 varnishd.logrotate
-2cbaa46b9da9f78ecf4c906730f7c5e3 maxminddb.vcl
-3a77f76b532623a42f549b55ca6b73e6 CVE-2017-12425.patch"
-sha256sums="9728da944d28eb5be90e7ab6799c2c4c831ef4df5e5154537eb7f2e5d5e348c4 varnish-4.1.2.tar.gz
+2cbaa46b9da9f78ecf4c906730f7c5e3 maxminddb.vcl"
+sha256sums="22d884aad87e585ce5f3b4a6d33442e3a855162f27e48358c7c93af1b5f2fc87 varnish-4.1.9.tgz
 66a281c03bcf0c01bc8215fe39a3b6a593751fb2034824b471596d517554e183 fix-compat-execinfo.patch
-a58d9c5dd2c1a0e9883d58ddec684993bc9fe6e91132c99b00c82a1c4228e647 fix-stack-overflow.patch
+24eb8f4614be262ad9b4486ef61f1520b5259237eb2ec9034715aa7100d09ab4 fix-stack-overflow.patch
 f96b6dab0e68e169cffceb63776e312d8585bc2a46dfcc5fa2b1ec5e953ad624 musl-mode_t.patch
 fda5d424ecb2279195ab85bb9c834fe59999fa9b753cad61d5475520e98263dc varnishd.initd
 c252697811103e9846069b4d4de750105d79960a289ea1f7fcf1e99f682fb5dc varnishd.confd
 017173cb42bb60f853063b7fbc843120c547e501233ce2299e1066b5d81e4d5e varnishd.logrotate
-fd6c810a6099b1b0c2eb572aec239e3f51debc52a6c32fce715f265d7b1a1f85 maxminddb.vcl
-2bab06b7c45be181b1cee33d4564a89a52a4c8424c7afd78a30165859b55075d CVE-2017-12425.patch"
-sha512sums="28c4e5a3a74bf5294e6d1f7a48cd3ec64faffca89388b7ea9ed3de3cd58bede357383bcdd021ff783a411590c0a0a1cb747981507272352c1521b4fcac35e179 varnish-4.1.2.tar.gz
+fd6c810a6099b1b0c2eb572aec239e3f51debc52a6c32fce715f265d7b1a1f85 maxminddb.vcl"
+sha512sums="c51d75f65030b0cbfea48565a85af41b77597b29ae45388346796edf33bb15e5ab488c34f98497c5caf77fe594118e97bbaf5c397b4a7d16c31decfbc69eed60 varnish-4.1.9.tgz
 e4c3b8fe85ccb3f37c69561b981f89c757acc5534379afec551b7eabc2fe8661e3566513f4bfea9192af8576fc587b34170008f5818038c17c412ac64b27cf51 fix-compat-execinfo.patch
-d07a187f5e17644d724b1b555506f65bd9e0a23084d0f4dbb836ec6cc1f1585b6e2d8b3818543823f60dcc3089a0466e08c627c9518ed178238580ec3996caef fix-stack-overflow.patch
+a5b9d6f25b2ed11656f961b6a17d173b2fc9f9ef4f2562a69b07ff1d180117eb7e8da0299bf23054f0044c9abd67d76d8e3e92fb2847638ab507562c1a4c577d fix-stack-overflow.patch
 8758bef9039a2cca23b7302668bd49f1ea07f54835512a8a9558bb9ed5de1c0fca53f2085ccd298fe0c6579fc81c3b583a85f4f6b25b6ad85f89bf3be04afb70 musl-mode_t.patch
 146387f493fb2323e7720fa495fca101ea7435ac8e4b57c8f7a02f2d9c7faedb1188465fb4a59a67600cf8b3c9cce9946cd52e31c1d348c2a5f042c1eeb21226 varnishd.initd
 f2b4f88c1cea5d8576bf5c6ea82ee841c1fa9dd10daaef668c262669c2d3bc9d151f3c491f8678717047cf0d161c25b4104dd4d29bc8ddb44dd749b7f58c39e7 varnishd.confd
 8fb1cba86ede5eff28a494f6b1da1a651d66383cdeb63922104407f28903dea0c643155b6d7ac8353b8c63d480a6c5b43a70c7252bc51ee73317c33a1844c52c varnishd.logrotate
-69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl
-ff2dab956cc58e2177776ec3e0c6067d1e1767f1b717e57f5ed4c47e019d4976f4e33099c066381ecd6ab5f0ca28a721d671ba70a6e675d0b5932d156764efab CVE-2017-12425.patch"
+69f088819cff6d4441813be284f4117f232d08908515bd15d96bd5bb9d41ba7100657a52fd408d44c396d004366062ae22fbf08e2a983cd8023b554539ccf596 maxminddb.vcl"
diff --git a/main/varnish/CVE-2017-12425.patch b/main/varnish/CVE-2017-12425.patch
deleted file mode 100644
index 0ff0d9f57a..0000000000
--- a/main/varnish/CVE-2017-12425.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From c37821ddd539a23845ae8e9a7a9cc958358c1541 Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland
-Date: Thu, 27 Jul 2017 11:52:58 +0200
-Subject: [PATCH] Correctly handle bogusly large chunk sizes
-
-This fixes a denial of service attack vector where bogusly large chunk
-sizes in requests could be used to force restarts of the Varnish
-server.
-
-This is Varnish Security Vulnerability VSV00001
-
-For more information visit: https://varnish-cache.org/security/VSV00001
-
-Fixes: #2379
----
- bin/varnishd/http1/cache_http1_vfp.c | 2 +-
- bin/varnishtest/tests/f00001.vtc | 69 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 70 insertions(+), 1 deletion(-)
- create mode 100644 bin/varnishtest/tests/f00001.vtc
-
-diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
-index b836cd3ca..ded1550bf 100644
---- a/bin/varnishd/http1/cache_http1_vfp.c
-+++ b/bin/varnishd/http1/cache_http1_vfp.c
-@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
- if (q == NULL || *q != '\0')
- return (VFP_Error(vc, "chunked header number syntax"));
- cl = (ssize_t)cll;
-- if((uintmax_t)cl != cll)
-+ if (cl < 0 || (uintmax_t)cl != cll)
- return (VFP_Error(vc, "bogusly large chunk size"));
-
- vfe->priv2 = cl;
-diff --git a/bin/varnishtest/tests/f00001.vtc b/bin/varnishtest/tests/f00001.vtc
-new file mode 100644
-index 000000000..bfb559228
---- /dev/null
-+++ b/bin/varnishtest/tests/f00001.vtc
-@@ -0,0 +1,69 @@
-+varnishtest "Check that we handle bogusly large chunks correctly"
-+
-+# Check that the bug has been fixed
-+
-+server s1 {
-+ rxreq
-+ txresp
-+
-+ accept
-+ rxreq
-+ txresp
-+} -start
-+
-+varnish v1 -vcl+backend {
-+} -start
-+
-+client c1 {
-+ send "POST / HTTP/1.1\r\n"
-+ send "Transfer-Encoding: chunked\r\n\r\n"
-+ send "FFFFFFFFFFFFFFED\r\n"
-+ send "0\r\n\r\n"
-+
-+ rxresp
-+ expect resp.status == 503
-+} -run
-+
-+# Check that the published workaround does not cause harm
-+
-+varnish v1 -cliok "param.set vcc_allow_inline_c true"
-+
-+varnish v1 -vcl+backend {
-+ sub exploit_workaround {
-+ # This needs to be defined before your vcl_recv function
-+ # Make sure that the runtime parameter vcc_allow_inline_c is set to true
-+ if (req.http.transfer-encoding ~ "(?i)chunked") {
-+ C{
-+ struct dummy_req {
-+ unsigned magic;
-+ int step;
-+ int req_body_status;
-+ };
-+ ((struct dummy_req *)ctx->req)->req_body_status = 5;
-+ }C
-+
-+ return (synth(503, "Bad request"));
-+ }
-+ }
-+
-+ sub vcl_recv {
-+ # Call this early in your vcl_recv function
-+ call exploit_workaround;
-+ }
-+}
-+
-+client c1 {
-+ send "POST / HTTP/1.1\r\n"
-+ send "Transfer-Encoding: chunked\r\n\r\n"
-+ send "FFFFFFFFFFFFFFED\r\n"
-+
-+ expect_close
-+} -run
-+
-+# Make sure that varnish is still running
-+
-+client c1 {
-+ txreq
-+ rxresp
-+ expect resp.status == 200
-+} -run
diff --git a/main/varnish/fix-stack-overflow.patch b/main/varnish/fix-stack-overflow.patch
index 67677b3306..23fb7cc12c 100644
--- a/main/varnish/fix-stack-overflow.patch
+++ b/main/varnish/fix-stack-overflow.patch
@@ -1,6 +1,6 @@
-From bc0b56b8703e7e02af745af28bc6fff48ab806ba Mon Sep 17 00:00:00 2001
+From f88f2ead8cc5958262d333c46e94ddc8a3c9ae18 Mon Sep 17 00:00:00 2001
 From: Natanael Copa
-Date: Wed, 2 Mar 2016 10:46:49 +0100
+Date: Tue, 21 Nov 2017 12:10:34 +0100
 Subject: [PATCH] fix stack overflow in epoll waiter
 
 musl libc has a default thread stack of 80k. avoid overflow the stack by
@@ -10,10 +10,10 @@ allocating the epol_event array on heap instead of stack.
 1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/bin/varnishd/waiter/cache_waiter_epoll.c b/bin/varnishd/waiter/cache_waiter_epoll.c
-index f50ae46..65719e5 100644
+index 71c426a..ccbc64c 100644
 --- a/bin/varnishd/waiter/cache_waiter_epoll.c
 +++ b/bin/varnishd/waiter/cache_waiter_epoll.c
-@@ -71,7 +71,7 @@ struct vwe {
+@@ -74,7 +74,7 @@ struct vwe {
 static void *
 vwe_thread(void *priv)
 {
@@ -22,16 +22,16 @@ index f50ae46..65719e5 100644
 struct waited *wp;
 struct waiter *w;
 double now, then;
-@@ -83,6 +83,8 @@ vwe_thread(void *priv)
- w = vwe->waiter;
+@@ -87,6 +87,8 @@ vwe_thread(void *priv)
 CHECK_OBJ_NOTNULL(w, WAITER_MAGIC);
 THR_SetName("cache-epoll");
+ THR_Init();
 + ev = malloc(NEEV * sizeof(struct epoll_event));
 + assert(ev != NULL);
 now = VTIM_real();
 
 while (1) {
-@@ -146,6 +148,7 @@ vwe_thread(void *priv)
+@@ -154,6 +156,7 @@ vwe_thread(void *priv)
 AZ(close(vwe->pipe[0]));
 AZ(close(vwe->pipe[1]));
 AZ(close(vwe->epfd));
@@ -40,5 +40,5 @@ index f50ae46..65719e5 100644
 }
 
 --
-2.7.2
+2.13.5
 
-- cgit v1.2.3