
Bug#991186: marked as done (unblock: trafficserver/8.1.1+ds-1.1)



Your message dated Sat, 17 Jul 2021 13:52:37 +0200
with message-id <CAM8zJQv+g5pJ1vgg5pyToWKwxOBcNwVZ1zwXkWePfNBeSdpVbw@mail.gmail.com>
and subject line Re: Bug#991186: unblock: trafficserver/8.1.1+ds-1.1
has caused the Debian Bug report #991186,
regarding unblock: trafficserver/8.1.1+ds-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991186
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,jmm@debian.org,debian@jbfavre.org

Hi release team,

Please unblock package trafficserver

[ Reason ]
Trafficserver is affected by several CVEs, covered in #990303, which are
CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
CVE-2021-35474.

[ Impact ]
Security issues remain open in bullseye (for now). But it is planned
to release a DSA for buster. So we want to make sure the fixes are
already present in the upper suite before its release.

[ Tests ]
None further specifically.

[ Risks ]
Targeted upstream patch applied without problem.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock trafficserver/8.1.1+ds-1.1

Regards,
Salvatore
diff -Nru trafficserver-8.1.1+ds/debian/changelog trafficserver-8.1.1+ds/debian/changelog
--- trafficserver-8.1.1+ds/debian/changelog	2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/changelog	2021-07-15 21:48:17.000000000 +0200
@@ -1,3 +1,20 @@
+trafficserver (8.1.1+ds-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Address CVE-2021-27577, CVE-2021-32565, CVE-2021-32566, CVE-2021-32567 and
+    CVE-2021-35474.
+    - CVE-2021-27577: Incorrect handling of url fragment leads to cache
+      poisoning
+    - CVE-2021-32565: HTTP Request Smuggling, content length with invalid
+      charters
+    - CVE-2021-32566: Specific sequence of HTTP/2 frames can cause ATS to
+      crash
+    - CVE-2021-32567: Reading HTTP/2 frames too many times
+    - CVE-2021-35474: Dynamic stack buffer overflow in cachekey plugin
+    (Closes: #990303)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 15 Jul 2021 21:48:17 +0200
+
 trafficserver (8.1.1+ds-1) unstable; urgency=medium
 
   * New upstream version 8.1.0+ds
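Review bot: typo in the CVE-2021-32565 entry of the new changelog stanza: "content length with invalid charters" should read "content length with invalid characters". The five CVE lines otherwise match the Bug-Debian-Security references in the new patch header, and the stanza closes #990303 as the unblock request states.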
diff -Nru trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch
--- trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch	1970-01-01 01:00:00.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/0018-Fixes-7971.patch	2021-07-15 21:45:16.000000000 +0200
@@ -0,0 +1,153 @@
+From: Evan Zelkowitz <eze@apache.org>
+Date: Tue, 22 Jun 2021 14:32:55 -0700
+Subject: Fixes (#7971)
+Origin: https://github.com/apache/trafficserver/commit/b82a3d192f995fb9d78e1c44d51d9acca4783277
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27577
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32565
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32566
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-32567
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-35474
+Bug-Debian: https://bugs.debian.org/990303
+
+* String the url fragment for outgoing requests (#7966)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 2b13eb33794574e62249997b4ba654d943a10f2d)
+
+* Ensure that the content-length value is only digits (#7964)
+
+Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
+(cherry picked from commit 668d0f8668fec1cd350b0ceba3f7f8e4020ae3ca)
+
+* Schedule H2 reenable event only if it's necessary
+
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin (#7945)
+
+* Fix dynamic-stack-buffer-overflow of cachekey plugin
+
+* Check dst_size include null termination
+
+(cherry picked from commit 5a9339d7bc65e1c2d8d2a0fc80bb051daf3cdb0b)
+
+Co-authored-by: Bryan Call <bcall@apache.org>
+Co-authored-by: Masakazu Kitajo <maskit@apache.org>
+Co-authored-by: Katsutoshi Ikenoya <kikenoya@yahoo-corp.jp>
+Co-authored-by: Masaori Koshiba <masaori@apache.org>
+---
+ plugins/cachekey/cachekey.cc      |  2 +-
+ proxy/hdrs/HTTP.cc                | 11 +++++++++++
+ proxy/http/HttpTransact.cc        |  5 ++++-
+ proxy/http2/Http2ClientSession.cc | 14 +++++++-------
+ proxy/logging/LogUtils.cc         |  2 +-
+ 5 files changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/plugins/cachekey/cachekey.cc b/plugins/cachekey/cachekey.cc
+index 5f128894bfa8..44925b3db280 100644
+--- a/plugins/cachekey/cachekey.cc
++++ b/plugins/cachekey/cachekey.cc
+@@ -41,7 +41,7 @@ appendEncoded(String &target, const char *s, size_t len)
+     return;
+   }
+ 
+-  char tmp[len * 2];
++  char tmp[len * 3 + 1];
+   size_t written;
+ 
+   /* The default table does not encode the comma, so we need to use our own table here. */
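Review bot: `char tmp[len * 3 + 1]` is now sized correctly (percent-encoding expands each input byte to at most three characters, and the `+ 1` reserves the terminator, mirroring the `(out_len + 1) > dst_size` change in LogUtils.cc in the same patch), but it is still a variable-length array on the stack whose size is driven by the caller-supplied `len`, so a very long input can still exhaust the stack instead of overflowing it. Consider a fixed upper bound on `len` or a heap allocation here, and derive the `3` from the encoder's own expansion constant rather than hard-coding it so the two cannot drift apart.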
+diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc
+index 6a2ecc41d3ad..48032dd9ddf4 100644
+--- a/proxy/hdrs/HTTP.cc
++++ b/proxy/hdrs/HTTP.cc
+@@ -1202,6 +1202,17 @@ validate_hdr_content_length(HdrHeap *heap, HTTPHdrImpl *hh)
+     int content_length_len         = 0;
+     const char *content_length_val = content_length_field->value_get(&content_length_len);
+ 
++    // RFC 7230 section 3.3.2
++    // Content-Length = 1*DIGIT
++    //
++    // If the content-length value contains a non-numeric value, the header is invalid
++    for (int i = 0; i < content_length_len; i++) {
++      if (!isdigit(content_length_val[i])) {
++        Debug("http", "Content-Length value contains non-digit, returning parse error");
++        return PARSE_RESULT_ERROR;
++      }
++    }
++
+     while (content_length_field->has_dups()) {
+       int content_length_len_2         = 0;
+       const char *content_length_val_2 = content_length_field->m_next_dup->value_get(&content_length_len_2);
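Review bot: `isdigit(content_length_val[i])` is passed a plain `char`; where `char` is signed, a byte above 0x7F becomes a negative argument, which is undefined behaviour for the ctype functions. Cast first: `if (!isdigit(static_cast<unsigned char>(content_length_val[i]))) {`. The loop also accepts an empty value (`content_length_len == 0`), which does not satisfy the `1*DIGIT` grammar quoted in the comment; unless a later check rejects it, add `if (content_length_len == 0) return PARSE_RESULT_ERROR;` ahead of the loop. The digit check is applied only to the first field value; whether the duplicates walked by the `has_dups()` loop below receive the same validation is not visible in this hunk and is worth confirming.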
+diff --git a/proxy/http/HttpTransact.cc b/proxy/http/HttpTransact.cc
+index c3d135b98e88..2de29a8d08d8 100644
+--- a/proxy/http/HttpTransact.cc
++++ b/proxy/http/HttpTransact.cc
+@@ -7619,9 +7619,12 @@ HttpTransact::build_request(State *s, HTTPHdr *base_request, HTTPHdr *outgoing_r
+ 
+   // HttpTransactHeaders::convert_request(outgoing_version, outgoing_request); // commented out this idea
+ 
++  URL *url = outgoing_request->url_get();
++  // Remove fragment from upstream URL
++  url->fragment_set(NULL, 0);
++
+   // Check whether a Host header field is missing from a 1.0 or 1.1 request.
+   if (outgoing_version != HTTPVersion(0, 9) && !outgoing_request->presence(MIME_PRESENCE_HOST)) {
+-    URL *url = outgoing_request->url_get();
+     int host_len;
+     const char *host = url->host_get(&host_len);
+ 
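Review bot: `url_get()` is now called unconditionally and the result is dereferenced immediately in `url->fragment_set(NULL, 0)`, whereas before this change the call only happened inside the missing-Host branch. If `url_get()` can return a null pointer for an outgoing request without a URL, guard the `fragment_set` call. Style: the rest of this patch uses `nullptr` (see Http2ClientSession.cc and LogUtils.cc), so `url->fragment_set(nullptr, 0);` would be consistent. The deleted `URL *url = outgoing_request->url_get();` inside the `if` is covered by the hoisted declaration, so the `host_get` call below still has a valid `url`.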
+diff --git a/proxy/http2/Http2ClientSession.cc b/proxy/http2/Http2ClientSession.cc
+index 6d7d3de79923..ee952b8a2753 100644
+--- a/proxy/http2/Http2ClientSession.cc
++++ b/proxy/http2/Http2ClientSession.cc
+@@ -82,11 +82,6 @@ Http2ClientSession::destroy()
+ void
+ Http2ClientSession::free()
+ {
+-  if (this->_reenable_event) {
+-    this->_reenable_event->cancel();
+-    this->_reenable_event = nullptr;
+-  }
+-
+   if (h2_pushed_urls) {
+     this->h2_pushed_urls = ink_hash_table_destroy(this->h2_pushed_urls);
+   }
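Review bot: on its own this hunk reads as dropping the `_reenable_event` cancellation from `free()` entirely, which would leave a scheduled reenable event pointing at a freed session. The same block is re-added further down in `free()` in the next hunk, so this is a reordering rather than a removal; the commit message ("Schedule H2 reenable event only if it's necessary") should say why the cancel has to run after the `h2_pushed_urls` teardown and the `REMEMBER`/`Http2SsnDebug` calls, so that a later refactor does not move it back or drop it.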
+@@ -107,6 +102,11 @@ Http2ClientSession::free()
+   REMEMBER(NO_EVENT, this->recursion)
+   Http2SsnDebug("session free");
+ 
++  if (this->_reenable_event) {
++    this->_reenable_event->cancel();
++    this->_reenable_event = nullptr;
++  }
++
+   // Don't free active ProxySession
+   ink_release_assert(is_active() == false);
+ 
+@@ -653,8 +653,8 @@ Http2ClientSession::remember(const SourceLocation &location, int event, int reen
+ bool
+ Http2ClientSession::_should_do_something_else()
+ {
+-  // Do something else every 128 incoming frames
+-  return (this->_n_frame_read & 0x7F) == 0;
++  // Do something else every 128 incoming frames if connection state isn't closed
++  return (this->_n_frame_read & 0x7F) == 0 && !connection_state.is_state_closed();
+ }
+ 
+ int64_t
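Review bot: the added `!connection_state.is_state_closed()` condition is the part of this change that stops reenable events from being scheduled for a session that is being torn down: once the connection state is closed, `_should_do_something_else()` returns false regardless of the frame counter. The updated comment matches the code. Worth confirming that `is_state_closed()` is valid at every point where `_should_do_something_else()` is evaluated (its callers are not in this hunk), and that the cancel now placed later in `free()` still covers an event scheduled just before the state flipped to closed.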
+diff --git a/proxy/logging/LogUtils.cc b/proxy/logging/LogUtils.cc
+index 94becf250ac2..475bee87cad4 100644
+--- a/proxy/logging/LogUtils.cc
++++ b/proxy/logging/LogUtils.cc
+@@ -343,7 +343,7 @@ escapify_url_common(Arena *arena, char *url, size_t len_in, int *len_out, char *
+   //
+   size_t out_len = len_in + 2 * count;
+ 
+-  if (dst && out_len > dst_size) {
++  if (dst && (out_len + 1) > dst_size) {
+     *len_out = 0;
+     return nullptr;
+   }
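Review bot: `(out_len + 1) > dst_size` now reserves one byte for the terminating NUL, which is the off-by-one the commit message describes as "Check dst_size include null termination". The explanatory comment above the check (ending in the bare `//` line) should state that `dst_size` must include room for the terminator, because a caller that sized `dst` as exactly `len_in + 2 * count` now gets a `nullptr` return with `*len_out = 0` where it previously got the buffer written one byte past its end. Every caller should be checked to handle that `nullptr` return rather than assuming the escape succeeded.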
+-- 
+2.32.0
+
diff -Nru trafficserver-8.1.1+ds/debian/patches/series trafficserver-8.1.1+ds/debian/patches/series
--- trafficserver-8.1.1+ds/debian/patches/series	2020-12-06 16:26:39.000000000 +0100
+++ trafficserver-8.1.1+ds/debian/patches/series	2021-07-15 21:45:33.000000000 +0200
@@ -10,3 +10,4 @@
 0015-as-needed-fix.patch
 0016-fix_python_3.8.patch
 0017-fix_sphinx_3.0.patch
+0018-Fixes-7971.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
