Hello,

I have prepared an NMU for trafficserver fixing #778895 RC bug (CVE-2014-10022) and considering that a new upstream release has already been uploaded to unstable, I would like to upload to testing-proposed-updates.

I'm Cc'ing the maintainer of this package to get his approval as well. I have attached the NMU patch to this email. The package builds fine in a Jessie chroot and all the tests ran during the build pass.

Regards,
--
Arnaud Fontaine

diff -Nru trafficserver-5.0.1/debian/changelog trafficserver-5.0.1/debian/changelog --- trafficserver-5.0.1/debian/changelog 2014-07-24 01:13:29.000000000 +0900 +++ trafficserver-5.0.1/debian/changelog 2015-03-10 16:18:36.000000000 +0900 @@ -1,3 +1,11 @@ +trafficserver (5.0.1-1+deb8u1) testing-proposed-updates; urgency=high + + * Add patch to fix CVE-2014-10022 that allowed a remote attacker to + cause a denial of service via unspecified vectors, related to internal + buffer sizing. Closes: #778895. + + -- Arnaud Fontaine <arnau@debian.org> Tue, 10 Mar 2015 15:26:31 +0900 + trafficserver (5.0.1-1) unstable; urgency=medium * New upstream release including a fix for CVE-2014-3525 that allowed diff -Nru trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch --- trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch 1970-01-01 09:00:00.000000000 +0900 +++ trafficserver-5.0.1/debian/patches/CVE-2014-10022.patch 2015-03-10 15:19:22.000000000 +0900 
@@ -0,0 +1,59 @@ +From: Leif Hedstrom <zwoop@apache.org> +Date: Tue, 2 Dec 2014 20:08:40 +0000 (-0700) +Subject: Fix the internal buffer sizing. Thanks to Sudheer for helping isolating this bug +X-Git-Url: https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commitdiff_plain;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12 + +Fix the internal buffer sizing. Thanks to Sudheer for helping isolating this bug +--- + +Index: trafficserver-5.0.1/proxy/http/HttpTransact.cc +=================================================================== +--- trafficserver-5.0.1.orig/proxy/http/HttpTransact.cc 2015-03-10 15:19:18.303880106 +0900 ++++ trafficserver-5.0.1/proxy/http/HttpTransact.cc 2015-03-10 15:19:18.299880090 +0900 +@@ -5378,9 +5378,8 @@ + int req_length = incoming_hdr->length_get(); + HTTP_RELEASE_ASSERT(req_length > 0); + +- s->internal_msg_buffer_index = 0; +- s->internal_msg_buffer_size = req_length * 2; + s->free_internal_msg_buffer(); ++ s->internal_msg_buffer_size = req_length * 2; + + if (s->internal_msg_buffer_size <= max_iobuffer_size) { + s->internal_msg_buffer_fast_allocator_size = buffer_size_to_index(s->internal_msg_buffer_size); +@@ -8074,7 +8073,6 @@ + s->free_internal_msg_buffer(); + s->internal_msg_buffer = new_msg; + s->internal_msg_buffer_size = len; +- s->internal_msg_buffer_index = 0; + s->internal_msg_buffer_fast_allocator_size = -1; + + s->hdr_info.client_response.value_set(MIME_FIELD_CONTENT_TYPE, MIME_LEN_CONTENT_TYPE, body_type, strlen(body_type)); +@@ -8157,7 +8155,6 @@ + ////////////////////////// + // set descriptive text // + ////////////////////////// +- s->internal_msg_buffer_index = 0; + s->free_internal_msg_buffer(); + s->internal_msg_buffer_fast_allocator_size = -1; + s->internal_msg_buffer = body_factory->fabricate_with_old_api_build_va("redirect#moved_temporarily", s, 8192, +Index: trafficserver-5.0.1/proxy/http/HttpTransact.h +=================================================================== +--- 
trafficserver-5.0.1.orig/proxy/http/HttpTransact.h 2015-03-10 15:19:18.303880106 +0900 ++++ trafficserver-5.0.1/proxy/http/HttpTransact.h 2015-03-10 15:19:18.299880090 +0900 +@@ -912,7 +912,6 @@ + char *internal_msg_buffer_type; // out + int64_t internal_msg_buffer_size; // out + int64_t internal_msg_buffer_fast_allocator_size; +- int64_t internal_msg_buffer_index; // out + + bool icp_lookup_success; // in + struct sockaddr_in icp_ip_result; // in +@@ -1051,7 +1050,6 @@ + internal_msg_buffer_type(NULL), + internal_msg_buffer_size(0), + internal_msg_buffer_fast_allocator_size(-1), +- internal_msg_buffer_index(0), + icp_lookup_success(false), + scheme(-1), + next_hop_scheme(scheme), diff -Nru trafficserver-5.0.1/debian/patches/series trafficserver-5.0.1/debian/patches/series --- trafficserver-5.0.1/debian/patches/series 2014-07-05 21:41:59.000000000 +0900 +++ trafficserver-5.0.1/debian/patches/series 2015-03-10 15:19:15.000000000 +0900 @@ -0,0 +1 @@ +CVE-2014-10022.patch
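
Review bot: in the HttpTransact.cc hunk at -5378, req_length is declared int, so "req_length * 2" is evaluated in int and only widened when it is stored in the int64_t internal_msg_buffer_size; the only check visible above it is HTTP_RELEASE_ASSERT(req_length > 0), which puts no upper bound on the value. Since this hunk is specifically about buffer sizing, consider widening first, e.g. s->internal_msg_buffer_size = static_cast<int64_t>(req_length) * 2;. The fix also depends on free_internal_msg_buffer() running before the new size is assigned (its body is not shown here), so a one-line comment stating that ordering requirement would keep a later cleanup from moving the assignment back above the call.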
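
Review bot: the new debian/changelog entry for 5.0.1-1+deb8u1 does not record that this is a non-maintainer upload, although the cover mail describes it as an NMU and asks for the maintainer's approval. Add "* Non-maintainer upload." as the first bullet of the entry, above the "Add patch to fix CVE-2014-10022" item, so the package history shows who the upload came from.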