Bug#991186: unblock: trafficserver/8.1.1+ds-1.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,jmm@debian.org,debian@jbfavre.org
Hi release team,
Please unblock package trafficserver
[ Reason ]
Trafficserver is affected by several CVEs, covered in #990303:
CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
CVE-2021-35474.
[ Impact ]
Security issues remain open in bullseye (for now). But it is planned
to release a DSA for buster. So we want to make sure the fixes are
already present in the upper suite before its release.
[ Tests ]
None further specifically.
[ Risks ]
Targeted upstream patch applied without problem.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
None.
unblock trafficserver/8.1.1+ds-1.1
Regards,
Salvatore
diff -Nru trafficserver-8.1.1+ds/debian/changelog trafficserver-8.1.1+ds/debian/changelog
--- trafficserver-8.1.1+ds/debian/changelog 2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/changelog 2021-07-15 21:48:17.000000000 +0200
@@ -1,3 +1,20 @@
+trafficserver (8.1.1+ds-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
+ CVE-2021-35474.
+ - CVE-2021-27577: Incorrect handling of url fragment leads to cache
+ poisoning
+ - CVE-2021-32565: HTTP Request Smuggling, content length with invalid
+ charters
+ - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to
+ crash
+ - CVE-2021-32567: Reading HTTP/2 frames too many times
+ - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin
+ (Closes: #990303)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Thu, 15 Jul 2021 21:48:17 +0200
+
trafficserver (8.1.1+ds-1) unstable; urgency=medium
* New upstream version 8.1.0+ds
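Review bot: the CVE-2021-32565 entry reads "content length with invalid charters"; this should be "characters". Since the changelog is what ends up in the DSA/DLA text and the package's news, it is worth correcting before upload; the rest of the entry (one line per CVE, Closes on the bug) is fine.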
diff -Nru trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch
--- trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch 1970-01-01 01:00:00.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch 2021-07-15 21:45:16.000000000 +0200
@@ -0,0 +1,153 @@
+From: Evan Zelkowitz <eze@apache.org>
+Date: Tue, 22 Jun 2021 14:32:55 -0700
+Subject: Fixes (#7971)
+Origin: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27577
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32565
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32566
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32567
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-35474
+Bug-Debian: https://bugs.debian.org/990303
+
+* String the url fragment for outgoing requests (#7966)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d)
+
+* Ensure that the content-length value is only digits (#7964)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)
+
+* Schedule H2 reenable event only if it's necessary
+
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin
+
+* Check dst_size include null termination
+
+(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)
+
+Co-authored-by: Bryan Call <bcall@apache.org>
+Co-authored-by: Masakazu Kitajo <maskit@apache.org>
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+Co-authored-by: Masaori Koshiba <masaori@apache.org>
+---
+ plugins/cachekey/cachekey.cc | 2 +-
+ proxy/hdrs/HTTP.cc | 11 +++++++++++
+ proxy/http/HttpTransact.cc | 5 ++++-
+ proxy/http2/Http2ClientSession.cc | 14 +++++++-------
+ proxy/logging/LogUtils.cc | 2 +-
+ 5 files changed, 24 insertions(+), 10 deletions(-)
+
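Review bot: the backported commit bundles fixes for five CVEs into one patch, and the upstream subject lines ("String the url fragment" is an upstream typo for "Strip") do not say which hunk addresses which CVE. For the benefit of whoever has to rebase or audit this later, the patch header could list the mapping explicitly, e.g. "HttpTransact.cc: CVE-2021-27577, HTTP.cc: CVE-2021-32565, Http2ClientSession.cc: CVE-2021-32566/32567, cachekey.cc and LogUtils.cc: CVE-2021-35474", based on the per-CVE descriptions already in d/changelog.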
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index 5f128894bfa8..44925b3db280 100644
+--- a/plugins/cachekey/cachekey.cc
++++ b/plugins/cachekey/cachekey.cc
+@@ -41,7 +41,7 @@ appendEncoded(String &target, const char *s, size_t len)
+ return;
+ }
+
+- char tmp[len * 2];
++ char tmp[len * 3 + 1];
+ size_t written;
+
+ /* The default table does not encode the comma, so we need to use our own table here. */
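Review bot: the new bound `char tmp[len * 3 + 1]` is the correct worst case for percent-encoding (every input byte may expand to `%XX`, three bytes, plus the NUL terminator that the `(out_len + 1) > dst_size` check in LogUtils.cc now accounts for), so the overflow is closed. The buffer is still a variable-length array on the stack sized directly from `len`, however, so a very long input segment can exhaust the stack instead of overflowing it; consider capping `len` before this point or moving the buffer to the heap for large values.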
+diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc
+index 6a2ecc41d3ad..48032dd9ddf4 100644
+--- a/proxy/hdrs/HTTP.cc
++++ b/proxy/hdrs/HTTP.cc
+@@ -1202,6 +1202,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh)
+ int content_length_len = 0;
+ const char *content_length_val = content_length_field->value_get(&content_length_len);
+
++ // RFC 7230 section 3.3.2
++ // Content-Length = 1*DIGIT
++ //
++ // If the content-length value contains a non-numeric value, the header is invalid
++ for (int i = 0; i < content_length_len; i++) {
++ if (!isdigit(content_length_val[i])) {
++ Debug("http", "Content-Length value contains non-digit, returning parse error");
++ return PARSE_RESULT_ERROR;
++ }
++ }
++
+ while (content_length_field->has_dups()) {
+ int content_length_len_2 = 0;
+ const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2);
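Review bot: `isdigit(content_length_val[i])` is passed a plain `char`; on platforms where `char` is signed, a high-bit byte becomes a negative argument, which is undefined behaviour for the `<cctype>` functions. Cast first, as in `if (!isdigit(static_cast<unsigned char>(content_length_val[i])))`. Two smaller points: this loop is placed before the `has_dups()` loop, so duplicate Content-Length values are only digit-checked via whatever comparison that loop already does, and an empty value (`content_length_len == 0`) passes this loop unchanged; it is worth confirming that the surrounding parser rejects both cases.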
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index c3d135b98e88..2de29a8d08d8 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -7619,9 +7619,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r
+
+ // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea
+
++ URL *url = outgoing_request->url_get();
++ // Remove fragment from upstream URL
++ url->fragment_set(NULL, 0);
++
+ // Check whether a Host header field is missing from a 1.0 or 1.1 request.
+ if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) {
+- URL *url = outgoing_request->url_get();
+ int host_len;
+ const char *host = url->host_get(&host_len);
+
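Review bot: moving `URL *url = outgoing_request->url_get();` out of the Host-header branch means `url` is now dereferenced unconditionally by `url->fragment_set(NULL, 0)`, so this relies on `url_get()` never returning a null pointer on this path; if that is not guaranteed, guard the call. Minor style: the surrounding code uses `nullptr` (see the LogUtils.cc hunk), so `fragment_set(nullptr, 0)` would be consistent. The comment could also cite the reason, since RFC 7230 section 5.1 requires the fragment to be excluded from the request-target; stripping it here is what prevents the fragment from varying the upstream request while not varying the cache key.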
+diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
+index 6d7d3de79923..ee952b8a2753 100644
+--- a/proxy/http2/Http2ClientSession.cc
++++ b/proxy/http2/Http2ClientSession.cc
+@@ -82,11 +82,6 @@ Http2ClientSession::destroy()
+ void
+ Http2ClientSession::free()
+ {
+- if (this->_reenable_event) {
+- this->_reenable_event->cancel();
+- this->_reenable_event = nullptr;
+- }
+-
+ if (h2_pushed_urls) {
+ this->h2_pushed_urls = ink_hash_table_destroy(this->h2_pushed_urls);
+ }
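Review bot: on its own this hunk simply deletes the cancellation of `_reenable_event` at the top of `Http2ClientSession::free()`; it only makes sense together with the next hunk, which re-adds the same block further down. Since both hunks must land together for the session to still cancel its pending reenable event, a one-line note in the patch header saying the cancel is being moved, not removed, would save the next reader from reading this as a leak.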
+@@ -107,6 +102,11 @@ Http2ClientSession::free()
+ REMEMBER(NO_EVENT, this->recursion)
+ Http2SsnDebug("session free");
+
++ if (this->_reenable_event) {
++ this->_reenable_event->cancel();
++ this->_reenable_event = nullptr;
++ }
++
+ // Don't free active ProxySession
+ ink_release_assert(is_active() == false);
+
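Review bot: the cancel of `_reenable_event` now happens after the `Http2SsnDebug("session free")` line rather than at the start of `free()`. The lines between the old and new locations are not in the hunk; if any of them contain an early return, the event would now stay scheduled on a session that is being freed, which is the kind of use-after-free the H2 CVEs in this upload describe. Please confirm there is no early exit in the elided part of `free()` between the two positions, or keep the cancel at the top as well.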
+@@ -653,8 +653,8 @@ Http2ClientSession::remember(const SourceLocation &location, int event, int reen
+ bool
+ Http2ClientSession::_should_do_something_else()
+ {
+- // Do something else every 128 incoming frames
+- return (this->_n_frame_read & 0x7F) == 0;
++ // Do something else every 128 incoming frames if connection state isn't closed
++ return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed();
+ }
+
+ int64_t
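Review bot: the added `&& !connection_state.is_state_closed()` guard means no reenable event is scheduled once the connection state is closed, which is the counterpart to moving the cancel in `free()`: together they ensure a closed session neither schedules new events nor leaves one pending. The `&&` short-circuits, so `is_state_closed()` is only consulted on every 128th frame, matching the comment. A unit test that drives 128 frames on a closed connection state and asserts that `_should_do_something_else()` returns false would pin this behaviour down.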
+diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc
+index 94becf250ac2..475bee87cad4 100644
+--- a/proxy/logging/LogUtils.cc
++++ b/proxy/logging/LogUtils.cc
+@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char *
+ //
+ size_t out_len = len_in + 2 * count;
+
+- if (dst && out_len > dst_size) {
++ if (dst && (out_len + 1) > dst_size) {
+ *len_out = 0;
+ return nullptr;
+ }
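Review bot: `(out_len + 1) > dst_size` correctly reserves one byte for the NUL terminator that the old `out_len > dst_size` check did not account for; `out_len >= dst_size` is the equivalent, slightly clearer form. The sizing is consistent with the cachekey.cc change in the same patch (`len * 3 + 1`), so both callers now agree on the terminator; the comment above `out_len` could state that `out_len` excludes the NUL, so the next person does not remove the `+ 1` as redundant.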
+--
+2.32.0
+
diff -Nru trafficserver-8.1.1+ds/debian/patches/series trafficserver-8.1.1+ds/debian/patches/series
--- trafficserver-8.1.1+ds/debian/patches/series 2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/series 2021-07-15 21:45:33.000000000 +0200
@@ -10,3 +10,4 @@
0015-as-needed-fix.patch
0016-fix_python_3.8.patch
0017-fix_sphinx_3.0.patch
+0018-Fixes-7971.patch
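Review bot: the new patch is appended last in `series`, so ordering is fine. The file name `0018-Fixes-7971.patch` is opaque, though; a name carrying the CVE ids (or at least "CVE-2021-27577-and-others") would make it easier to see at a glance which patches in the stack are security fixes when preparing the buster DSA mentioned in the request.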