Hello,

I have prepared an NMU for trafficserver fixing RC bug #778895 (CVE-2014-10022) and, considering that a new upstream release has already been uploaded to unstable, I would like to upload to testing-proposed-updates. I'm Cc'ing the maintainer of this package to get his approval as well.

I have attached the NMU patch to this email. The package builds fine in a Jessie chroot and all the tests run during the build pass.

Regards,
--
Arnaud Fontaine

diff -Nru trafficserver-5.0.1/debian/changelog trafficserver-5.0.1/debian/changelog
--- trafficserver-5.0.1/debian/changelog 2014-07-24 01:13:29.000000000 +0900
+++ trafficserver-5.0.1/debian/changelog 2015-03-10 16:18:36.000000000 +0900
@@ -1,3 +1,11 @@
+trafficserver (5.0.1-1+deb8u1) testing-proposed-updates; urgency=high
+
+ * Add patch to fix CVE-2014-10022 that allowed a remote attacker to
+ cause a denial of service via unspecified vectors, related to internal
+ buffer sizing. Closes: #778895.
+
+ -- Arnaud Fontaine <arnau@debian.org> Tue, 10 Mar 2015 15:26:31 +0900
+
trafficserver (5.0.1-1) unstable; urgency=medium
* New upstream release including a fix for CVE-2014-3525 that allowed
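Review bot: The first bullet of the new 5.0.1-1+deb8u1 stanza should be "Non-maintainer upload.", since the cover mail describes this as an NMU and the entry as written does not say so. The bullet could also name the file it adds, debian/patches/CVE-2014-10022.patch, so the fix can be traced from the changelog alone.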
diff -Nru trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch
--- trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch 1970-01-01 09:00:00.000000000 +0900
+++ trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch 2015-03-10 15:19:22.000000000 +0900
@@ -0,0 +1,59 @@
+From: Leif Hedstrom <zwoop@apache.org>
+Date: Tue, 2 Dec 2014 20:08:40 +0000 (-0700)
+Subject: Fix the internal buffer sizing. Thanks to Sudheer for helping isolating this bug
+X-Git-Url: https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commitdiff_plain;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12
+
+Fix the internal buffer sizing. Thanks to Sudheer for helping isolating this bug
+---
+
+Index: trafficserver-5.0.1/proxy/http/HttpTransact.cc
+===================================================================
+--- trafficserver-5.0.1.orig/proxy/http/HttpTransact.cc 2015-03-10 15:19:18.303880106 +0900
++++ trafficserver-5.0.1/proxy/http/HttpTransact.cc 2015-03-10 15:19:18.299880090 +0900
+@@ -5378,9 +5378,8 @@
+ int req_length = incoming_hdr->length_get();
+ HTTP_RELEASE_ASSERT(req_length > 0);
+
+- s->internal_msg_buffer_index = 0;
+- s->internal_msg_buffer_size = req_length * 2;
+ s->free_internal_msg_buffer();
++ s->internal_msg_buffer_size = req_length * 2;
+
+ if (s->internal_msg_buffer_size <= max_iobuffer_size) {
+ s->internal_msg_buffer_fast_allocator_size = buffer_size_to_index(s->internal_msg_buffer_size);
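Review bot: The ordering of the two statements at the top of this hunk is the whole fix, and nothing in the code records that it matters: `s->internal_msg_buffer_size = req_length * 2;` now has to come after `s->free_internal_msg_buffer();`. The body of free_internal_msg_buffer() is not part of this patch, so I am assuming it resets or depends on the size field; a one-line comment above the assignment saying so would keep a later cleanup from moving it back. Separately, req_length is an int, so `req_length * 2` is evaluated in int before being stored in the int64_t size field; widening first, for example `(int64_t)req_length * 2`, would avoid relying on the header length staying below INT_MAX / 2.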
+@@ -8074,7 +8073,6 @@
+ s->free_internal_msg_buffer();
+ s->internal_msg_buffer = new_msg;
+ s->internal_msg_buffer_size = len;
+- s->internal_msg_buffer_index = 0;
+ s->internal_msg_buffer_fast_allocator_size = -1;
+
+ s->hdr_info.client_response.value_set(MIME_FIELD_CONTENT_TYPE, MIME_LEN_CONTENT_TYPE, body_type, strlen(body_type));
+@@ -8157,7 +8155,6 @@
+ //////////////////////////
+ // set descriptive text //
+ //////////////////////////
+- s->internal_msg_buffer_index = 0;
+ s->free_internal_msg_buffer();
+ s->internal_msg_buffer_fast_allocator_size = -1;
+ s->internal_msg_buffer = body_factory->fabricate_with_old_api_build_va("redirect#moved_temporarily", s, 8192,
+Index: trafficserver-5.0.1/proxy/http/HttpTransact.h
+===================================================================
+--- trafficserver-5.0.1.orig/proxy/http/HttpTransact.h 2015-03-10 15:19:18.303880106 +0900
++++ trafficserver-5.0.1/proxy/http/HttpTransact.h 2015-03-10 15:19:18.299880090 +0900
+@@ -912,7 +912,6 @@
+ char *internal_msg_buffer_type; // out
+ int64_t internal_msg_buffer_size; // out
+ int64_t internal_msg_buffer_fast_allocator_size;
+- int64_t internal_msg_buffer_index; // out
+
+ bool icp_lookup_success; // in
+ struct sockaddr_in icp_ip_result; // in
+@@ -1051,7 +1050,6 @@
+ internal_msg_buffer_type(NULL),
+ internal_msg_buffer_size(0),
+ internal_msg_buffer_fast_allocator_size(-1),
+- internal_msg_buffer_index(0),
+ icp_lookup_success(false),
+ scheme(-1),
+ next_hop_scheme(scheme),
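Review bot: Please confirm with a tree-wide grep that nothing outside HttpTransact.cc still reads internal_msg_buffer_index before dropping the member and its initializer in these two header hunks. The field was annotated `// out`, which suggests it was meant to be consumed by other code, and the patch only touches HttpTransact.cc and HttpTransact.h. The successful build mentioned in the cover mail covers in-tree users only, not anything compiled separately against this header.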
diff -Nru trafficserver-5.0.1/debian/patches/series trafficserver-5.0.1/debian/patches/series
--- trafficserver-5.0.1/debian/patches/series 2014-07-05 21:41:59.000000000 +0900
+++ trafficserver-5.0.1/debian/patches/series 2015-03-10 15:19:15.000000000 +0900
@@ -0,0 +1 @@
+CVE-2014-10022.patch