
Bug#991186: unblock: trafficserver/8.1.1+ds-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,jmm@debian.org,debian@jbfavre.org

Hi release team,

Please unblock package trafficserver

[ Reason ]
Trafficserver is affected by several CVEs, covered in #990303, which are
CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
CVE-2021-35474.

[ Impact ]
Security issues remain open in bullseye (for now). But it is planned
to release a DSA for buster. So we want to make sure the fixes are
already present in the upper suite before its release.

[ Tests ]
None further specifically.

[ Risks ]
Targeted upstream patch applied without problem.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock trafficserver/8.1.1+ds-1.1

Regards,
Salvatore

diff -Nru trafficserver-8.1.1+ds/debian/changelog trafficserver-8.1.1+ds/debian/changelog
--- trafficserver-8.1.1+ds/debian/changelog	2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/changelog	2021-07-15 21:48:17.000000000 +0200
@@ -1,3 +1,20 @@
+trafficserver (8.1.1+ds-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
+    CVE-2021-35474.
+    - CVE-2021-27577: Incorrect handling of url fragment leads to cache
+      poisoning
+    - CVE-2021-32565: HTTP Request Smuggling, content length with invalid
+      charters
+    - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to
+      crash
+    - CVE-2021-32567: Reading HTTP/2 frames too many times
+    - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin
+    (Closes: #990303)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 15 Jul 2021 21:48:17 +0200
+
 trafficserver (8.1.1+ds-1) unstable; urgency=medium
 
   * New upstream version 8.1.0+ds
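Review bot: typo in the CVE-2021-32565 bullet of the new changelog entry: "charters" should be "characters" ("content length with invalid characters"). "url fragment" in the CVE-2021-27577 bullet would conventionally be "URL fragment". Cosmetic, but this text is what users see in apt-listchanges and what the security tracker picks up, so worth fixing before upload.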
diff -Nru trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch
--- trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch	1970-01-01 01:00:00.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch	2021-07-15 21:45:16.000000000 +0200
@@ -0,0 +1,153 @@
+From: Evan Zelkowitz <eze@apache.org>
+Date: Tue, 22 Jun 2021 14:32:55 -0700
+Subject: Fixes (#7971)
+Origin: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27577
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32565
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32566
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32567
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-35474
+Bug-Debian: https://bugs.debian.org/990303
+
+* String the url fragment for outgoing requests (#7966)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d)
+
+* Ensure that the content-length value is only digits (#7964)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)
+
+* Schedule H2 reenable event only if it's necessary
+
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin
+
+* Check dst_size include null termination
+
+(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)
+
+Co-authored-by: Bryan Call <bcall@apache.org>
+Co-authored-by: Masakazu Kitajo <maskit@apache.org>
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+Co-authored-by: Masaori Koshiba <masaori@apache.org>
+---
+ plugins/cachekey/cachekey.cc      |  2 +-
+ proxy/hdrs/HTTP.cc                | 11 +++++++++++
+ proxy/http/HttpTransact.cc        |  5 ++++-
+ proxy/http2/Http2ClientSession.cc | 14 +++++++-------
+ proxy/logging/LogUtils.cc         |  2 +-
+ 5 files changed, 24 insertions(+), 10 deletions(-)
+
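Review bot: the DEP-3 header lists five Bug-Debian-Security URLs but gives no mapping from CVE to the four squashed upstream commits, even though the body names each cherry-pick. From the changelog bullets the mapping is recoverable (CVE-2021-27577: #7966 fragment strip, CVE-2021-32565: #7964 Content-Length digits check, CVE-2021-32566/CVE-2021-32567: the H2 reenable-event change, CVE-2021-35474: #7945 cachekey); stating it in one line in the Debian part of the header would help anyone auditing or further backporting this patch. The upstream bullet "String the url fragment" is presumably "Strip", but that is upstream's commit text and should stay verbatim.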
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index 5f128894bfa8..44925b3db280 100644
+--- a/plugins/cachekey/cachekey.cc
++++ b/plugins/cachekey/cachekey.cc
+@@ -41,7 +41,7 @@ appendEncoded(String &target, const char *s, size_t len)
+     return;
+   }
+ 
+-  char tmp[len * 2];
++  char tmp[len * 3 + 1];
+   size_t written;
+ 
+   /* The default table does not encode the comma, so we need to use our own table here. */
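Review bot: the new size len * 3 + 1 covers the worst case of every input byte being percent-encoded (three output bytes each) plus the terminating NUL that the escapify_url_common check in LogUtils.cc now demands, so the two hunks of this patch are consistent with each other. tmp is still a variable-length array sized from the input length, though, so a very long cache-key component consumes three times its length on the stack; if len can be influenced by the request, consider an upper bound on len before the VLA, or a heap allocation for large inputs, rather than relying on the stack guard.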
+diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc
+index 6a2ecc41d3ad..48032dd9ddf4 100644
+--- a/proxy/hdrs/HTTP.cc
++++ b/proxy/hdrs/HTTP.cc
+@@ -1202,6 +1202,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh)
+     int content_length_len         = 0;
+     const char *content_length_val = content_length_field->value_get(&content_length_len);
+ 
++    // RFC 7230 section 3.3.2
++    // Content-Length = 1*DIGIT
++    //
++    // If the content-length value contains a non-numeric value, the header is invalid
++    for (int i = 0; i < content_length_len; i++) {
++      if (!isdigit(content_length_val[i])) {
++        Debug("http", "Content-Length value contains non-digit, returning parse error");
++        return PARSE_RESULT_ERROR;
++      }
++    }
++
+     while (content_length_field->has_dups()) {
+       int content_length_len_2         = 0;
+       const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2);
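Review bot: isdigit() is called with a plain char; on platforms where char is signed, a byte >= 0x80 in the header value becomes a negative int, which is undefined behaviour for isdigit (only EOF and values representable as unsigned char are valid arguments). Cast first: `if (!isdigit(static_cast<unsigned char>(content_length_val[i]))) {`. The loop also accepts an empty value (content_length_len == 0), whereas the grammar quoted in the comment, "Content-Length = 1*DIGIT", requires at least one digit; unless an empty value is already rejected elsewhere in validate_hdr_content_length, add `if (content_length_len == 0) { return PARSE_RESULT_ERROR; }` next to the digit check. Confirm <cctype> is included in this translation unit.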
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index c3d135b98e88..2de29a8d08d8 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -7619,9 +7619,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r
+ 
+   // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea
+ 
++  URL *url = outgoing_request->url_get();
++  // Remove fragment from upstream URL
++  url->fragment_set(NULL, 0);
++
+   // Check whether a Host header field is missing from a 1.0 or 1.1 request.
+   if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) {
+-    URL *url = outgoing_request->url_get();
+     int host_len;
+     const char *host = url->host_get(&host_len);
+ 
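Review bot: NULL is used in `url->fragment_set(NULL, 0);` while the other hunks of this same patch (Http2ClientSession.cc) use nullptr; write `url->fragment_set(nullptr, 0);` for consistency. Hoisting the `URL *url = outgoing_request->url_get();` declaration out of the Host-header block is fine since it is the same call either way. The comment "Remove fragment from upstream URL" says what, not why; a reference to CVE-2021-27577 (fragment reaching the origin leads to cache poisoning, per the changelog) would keep the next person from "simplifying" this away.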
+diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
+index 6d7d3de79923..ee952b8a2753 100644
+--- a/proxy/http2/Http2ClientSession.cc
++++ b/proxy/http2/Http2ClientSession.cc
+@@ -82,11 +82,6 @@ Http2ClientSession::destroy()
+ void
+ Http2ClientSession::free()
+ {
+-  if (this->_reenable_event) {
+-    this->_reenable_event->cancel();
+-    this->_reenable_event = nullptr;
+-  }
+-
+   if (h2_pushed_urls) {
+     this->h2_pushed_urls = ink_hash_table_destroy(this->h2_pushed_urls);
+   }
+@@ -107,6 +102,11 @@ Http2ClientSession::free()
+   REMEMBER(NO_EVENT, this->recursion)
+   Http2SsnDebug("session free");
+ 
++  if (this->_reenable_event) {
++    this->_reenable_event->cancel();
++    this->_reenable_event = nullptr;
++  }
++
+   // Don't free active ProxySession
+   ink_release_assert(is_active() == false);
+ 
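Review bot: the cancel of _reenable_event is moved from the top of free() to after the REMEMBER/Http2SsnDebug lines and just before the is_active() release assert, but neither the commit message bullet ("Schedule H2 reenable event only if it's necessary") nor a code comment explains why the ordering matters. Add a one-line comment at the new location saying what must happen before the cancel; without it a future cleanup is likely to move the block back to the top of free() where it was. Also worth confirming that every path that ends a session reaches free(), so no pending reenable event can fire against a freed session.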
+@@ -653,8 +653,8 @@ Http2ClientSession::remember(const SourceLocation &location, int event, int reen
+ bool
+ Http2ClientSession::_should_do_something_else()
+ {
+-  // Do something else every 128 incoming frames
+-  return (this->_n_frame_read & 0x7F) == 0;
++  // Do something else every 128 incoming frames if connection state isn't closed
++  return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed();
+ }
+ 
+ int64_t
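Review bot: the added `!connection_state.is_state_closed()` term stops _should_do_something_else() from triggering the reenable path once the connection is closed, which per the changelog is the fix for the HTTP/2 crash and the repeated frame reads (CVE-2021-32566/CVE-2021-32567). The `& 0x7F` test is evaluated first, so the extra check only runs every 128 frames, fine. What should be verified is that is_state_closed() already reflects the closed state at the time the next frame is read; if the state is updated later than the frame counter, a frame arriving in that window still schedules the event. A regression test that feeds frames after the session has moved to the closed state and asserts that no reenable event is scheduled would pin this down.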
+diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc
+index 94becf250ac2..475bee87cad4 100644
+--- a/proxy/logging/LogUtils.cc
++++ b/proxy/logging/LogUtils.cc
+@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char *
+   //
+   size_t out_len = len_in + 2 * count;
+ 
+-  if (dst && out_len > dst_size) {
++  if (dst && (out_len + 1) > dst_size) {
+     *len_out = 0;
+     return nullptr;
+   }
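Review bot: the new `(out_len + 1) > dst_size` check reserves room for the terminating NUL that the old check omitted, and matches the `tmp[len * 3 + 1]` sizing in the cachekey hunk of this patch (out_len is at most len_in + 2 * len_in when every byte is escaped). Make the intent explicit with a comment (`// +1 for the terminating NUL`) or by writing the equivalent `out_len >= dst_size`, which reads as "no room left for the terminator". Only the caller-supplied dst path is bounds-checked here; the arena path (dst == nullptr) is outside the hunk and should be confirmed to allocate out_len + 1 bytes as well.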
+-- 
+2.32.0
+
diff -Nru trafficserver-8.1.1+ds/debian/patches/series trafficserver-8.1.1+ds/debian/patches/series
--- trafficserver-8.1.1+ds/debian/patches/series	2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/series	2021-07-15 21:45:33.000000000 +0200
@@ -10,3 +10,4 @@
 0015-as-needed-fix.patch
 0016-fix_python_3.8.patch
 0017-fix_sphinx_3.0.patch
+0018-Fixes-7971.patch
