Bug#991122: unblock: varnish/6.5.2-1
On Sun, Jul 18, 2021 at 10:14:46AM +0200, Graham Inggs wrote:
> Control: tags -1 + moreinfo
>
> Hi Stig
>
> Please attach a filtered debdiff to this bug. Something like:
>
> filterdiff -x '*/build-aux/*' -x '*/doc/html/*'
> varnish-6.5.1-1--6.5.2-1.debdiff >filtered.debdiff
>
> Please also show the command that you end up using, so we can see
> which parts were excluded.
Hello,
I used the command
filterdiff -x '*/build-aux/*' -x '*/doc/html/*' varnish-6.5.1-1--6.5.2-1.debdiff > varnish-6.5.1-1--6.5.2-1.filtered.debdiff
Attached is the diff. Changes are the upstream bugfix, as well as two commits
in the packaging repository:
https://salsa.debian.org/varnish-team/varnish/-/commit/b38fddf5fb3a7acf5c88d6a0f9906cb0967f16bb (lint: debian/*.install, paths should not begin with /)
https://salsa.debian.org/varnish-team/varnish/-/commit/46da54a751ae85afae8403fbf8ca360f322c349c (Declare compliance with Debian Policy 4.5.0)
diff -Nru varnish-6.5.1/Makefile.in varnish-6.5.2/Makefile.in
--- varnish-6.5.1/Makefile.in 2020-09-25 11:44:45.000000000 +0200
+++ varnish-6.5.2/Makefile.in 2021-07-02 13:57:15.000000000 +0200
@@ -207,7 +207,8 @@
$(top_srcdir)/build-aux/ltmain.sh \
$(top_srcdir)/build-aux/missing ChangeLog INSTALL \
build-aux/compile build-aux/config.guess build-aux/config.sub \
- build-aux/install-sh build-aux/ltmain.sh build-aux/missing
+ build-aux/depcomp build-aux/install-sh build-aux/ltmain.sh \
+ build-aux/missing build-aux/ylwrap
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2.h varnish-6.5.2/bin/varnishd/http2/cache_http2.h
--- varnish-6.5.1/bin/varnishd/http2/cache_http2.h 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/bin/varnishd/http2/cache_http2.h 2021-07-02 13:57:09.000000000 +0200
@@ -134,6 +134,8 @@
/* Where to wake this stream up */
struct worker *wrk;
+ ssize_t reqbody_bytes;
+
VTAILQ_ENTRY(h2_req) tx_list;
h2_error error;
};
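Review bot: The new `reqbody_bytes` member is added without a comment, while its neighbour `wrk` carries one; since it holds the running total of DATA payload that cache_http2_proto.c compares against `htc->content_length`, a line such as `/* DATA payload bytes received so far, compared against Content-Length */` would also explain why it is `ssize_t` rather than `size_t` (it must be comparable with a content length that can be -1). The struct definition starts outside the hunk, so whether the field is zeroed on allocation is not visible here.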
diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c
--- varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c 2021-07-02 13:57:09.000000000 +0200
@@ -554,6 +554,7 @@
struct req *req, struct h2_req *r2)
{
h2_error h2e;
+ ssize_t cl;
ASSERT_RXTHR(h2);
assert(r2->state == H2_S_OPEN);
@@ -574,16 +575,24 @@
// XXX: Have I mentioned H/2 Is hodge-podge ?
http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
+ cl = http_GetContentLength(req->http);
+ assert(cl >= -2);
+ if (cl == -2) {
+ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
if (req->req_body_status == NULL) {
- if (!http_GetHdr(req->http, H_Content_Length, NULL))
+ if (cl == -1)
req->req_body_status = BS_EOF;
else
req->req_body_status = BS_LENGTH;
+ req->htc->content_length = cl;
} else {
/* A HEADER frame contained END_STREAM */
assert (req->req_body_status == BS_NONE);
r2->state = H2_S_CLOS_REM;
- if (http_GetContentLength(req->http) > 0)
+ if (cl > 0)
return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
}
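Review bot: The `assert(cl >= -2)` and the `cl == -2` / `cl == -1` branches encode a return convention of http_GetContentLength (apparently -1 for header absent and -2 for present but unparseable) that the hunk never states; a comment above the call, e.g. `/* -1: no Content-Length header; -2: header present but not a valid number */`, would spare the next reader a trip to the helper. Note also that `req->htc->content_length = cl;` is assigned only in the `req_body_status == NULL` branch, so on the END_STREAM-in-HEADERS path the later DATA-side comparison in h2_rx_data sees whatever `htc->content_length` held before — harmless as long as that is initialised to -1 or DATA on an H2_S_CLOS_REM stream is rejected earlier, neither of which this diff shows. The enclosing function starts and ends outside the hunk.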
@@ -737,6 +746,7 @@
int w1 = 0, w2 = 0;
char buf[4];
unsigned wi;
+ ssize_t cl;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
ASSERT_RXTHR(h2);
@@ -755,6 +765,23 @@
Lck_Unlock(&h2->sess->mtx);
return (h2->error ? h2->error : r2->error);
}
+
+ r2->reqbody_bytes += h2->rxf_len;
+ if (h2->rxf_flags & H2FF_DATA_END_STREAM)
+ r2->state = H2_S_CLOS_REM;
+ cl = r2->req->htc->content_length;
+ if (cl >= 0 && (r2->reqbody_bytes > cl ||
+ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
+ VSLb(h2->vsl, SLT_Debug,
+ "H2: stream %u: Received data and Content-Length"
+ " mismatch", h2->rxf_stream);
+ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
+ if (r2->cond)
+ AZ(pthread_cond_signal(r2->cond));
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2SE_PROTOCOL_ERROR);
+ }
+
AZ(h2->mailcall);
h2->mailcall = r2;
h2->req0->r_window -= h2->rxf_len;
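Review bot: The early `return (H2SE_PROTOCOL_ERROR);` in the new mismatch branch leaves the frame's payload out of the connection-level receive window, because `h2->req0->r_window -= h2->rxf_len;` is only reached on the success path below it; RFC 7540 §6.9 asks receivers to count every flow-controlled frame against the connection window unless the frame is treated as a connection error, and this path sends a stream-level error. The pre-existing early return at the top of the hunk has the same shape, so this may be an accepted simplification, but the effect appears to be that WINDOW_UPDATEs for those bytes are never accounted and the peer's connection send window shrinks by `rxf_len` after each rejected frame. Moving the `h2->req0->r_window -= h2->rxf_len;` line ahead of the mismatch check would keep both sides' windows consistent. Separately, `r2->reqbody_bytes` keeps accumulating when `cl < 0` even though it is only read when `cl >= 0`; on an ILP32 target that is a signed `ssize_t` that can overflow on a large body without Content-Length, so guarding the increment with the same `cl >= 0` condition would be safer. h2_rx_data starts and ends outside the hunk.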
@@ -773,6 +800,8 @@
r2->r_window += wi;
w2 = 1;
}
+
+
Lck_Unlock(&h2->sess->mtx);
if (w1 || w2) {
@@ -795,7 +824,7 @@
struct h2_req *r2;
struct h2_sess *h2;
unsigned l;
- enum vfp_status retval = VFP_OK;
+ enum vfp_status retval;
CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
@@ -808,7 +837,6 @@
*lp = 0;
Lck_Lock(&h2->sess->mtx);
- assert (r2->state == H2_S_OPEN);
r2->cond = &vc->wrk->cond;
while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
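Review bot: Dropping `assert (r2->state == H2_S_OPEN);` removes the sanity check entirely, while the reason it no longer holds appears to be only that h2_rx_data now advances the stream to H2_S_CLOS_REM when a DATA frame carrying END_STREAM arrives before the vfp thread wakes; a narrowed assertion preserves the guard: `assert(r2->state == H2_S_OPEN || r2->state == H2_S_CLOS_REM);`. If other transitions (a reset, for instance) can legitimately reach this point, widen it accordingly rather than deleting it. h2_vfp_body starts and ends outside the hunk.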
@@ -831,12 +859,10 @@
Lck_Unlock(&h2->sess->mtx);
return (VFP_OK);
}
- if (h2->rxf_len == 0) {
- if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
- retval = VFP_END;
- r2->state = H2_S_CLOS_REM;
- }
- }
+ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
+ retval = VFP_END;
+ else
+ retval = VFP_OK;
h2->mailcall = NULL;
AZ(pthread_cond_signal(h2->cond));
}
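Review bot: `retval` is now declared without an initializer (the `enum vfp_status retval;` hunk above) and in this hunk both arms of the new if/else assign it, so the visible paths are fine; but any other path in h2_vfp_body that reaches `return (retval)` without passing through this block would now read an uninitialized enum, and the function's tail is outside the hunk — worth confirming with -Wmaybe-uninitialized. The end-of-body decision also changes from the frame flag to `r2->state >= H2_S_CLOS_REM`, which relies on the ordering of the stream-state enum and on the rx thread having advanced the state before the hand-off; a comment such as `/* state is advanced by h2_rx_data when END_STREAM arrives */` would make that coupling explicit.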
diff -Nru varnish-6.5.1/bin/varnishtest/tests/f00007.vtc varnish-6.5.2/bin/varnishtest/tests/f00007.vtc
--- varnish-6.5.1/bin/varnishtest/tests/f00007.vtc 1970-01-01 01:00:00.000000000 +0100
+++ varnish-6.5.2/bin/varnishtest/tests/f00007.vtc 2021-07-02 13:57:09.000000000 +0200
@@ -0,0 +1,82 @@
+varnishtest "H/2 content length smuggling attack"
+
+server s1 {
+ rxreqhdrs
+ expect_close
+} -start
+
+server s2 {
+ rxreqhdrs
+ expect_close
+} -start
+
+server s3 {
+ rxreq
+ expect_close
+} -start
+
+server s4 {
+ rxreq
+ expect req.body == "A"
+ txresp
+} -start
+
+varnish v1 -vcl+backend {
+ import vtc;
+ sub vcl_backend_fetch {
+ if (bereq.url == "/1") {
+ set bereq.backend = s1;
+ } else if (bereq.url == "/2") {
+ set bereq.backend = s2;
+ } else if (bereq.url == "/3") {
+ set bereq.backend = s3;
+ } else {
+ set bereq.backend = s4;
+ }
+ }
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+
+client c1 {
+ stream 1 {
+ txreq -req POST -url /1 -hdr "content-length" "1" -nostrend
+ txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n"
+ rxrst
+ expect rst.err == PROTOCOL_ERROR
+ } -run
+} -run
+
+client c2 {
+ stream 1 {
+ txreq -req POST -url /2 -hdr "content-length" "1" -nostrend
+ txdata -data "AGET /FAIL HTTP/1.1\r\n\r\n" -nostrend
+ txdata
+ rxrst
+ expect rst.err == PROTOCOL_ERROR
+ } -run
+} -run
+
+client c3 {
+ stream 1 {
+ txreq -req POST -url /3 -hdr "content-length" "1" -nostrend
+ txdata -data "A" -nostrend
+ txdata -data "GET /FAIL HTTP/1.1\r\n\r\n"
+ rxwinup
+ rxrst
+ expect rst.err == PROTOCOL_ERROR
+ } -run
+} -run
+
+client c4 {
+ stream 1 {
+ txreq -req POST -url /4 -hdr "content-length" "1" -nostrend
+ txdata -data "A" -nostrend
+ txdata
+ rxwinup
+ rxwinup
+ rxresp
+ expect resp.status == 200
+ } -run
+} -run
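Review bot: None of the four streams exercises the new non-parseable Content-Length branch in cache_http2_proto.c; a fifth client sending `txreq -req POST -url /5 -hdr "content-length" "x"` followed by `rxrst` and `expect rst.err == PROTOCOL_ERROR` would pin that path as well. A one-line comment per client stating which case it covers (c1: payload longer than Content-Length in one frame; c2: the same with a trailing empty END_STREAM frame; c3: Content-Length satisfied, then extra DATA; c4: exact match) would make the intent of the four cases readable without decoding the frame sequences.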
diff -Nru varnish-6.5.1/configure varnish-6.5.2/configure
--- varnish-6.5.1/configure 2020-09-25 11:44:44.000000000 +0200
+++ varnish-6.5.2/configure 2021-07-02 13:57:34.000000000 +0200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Id.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Varnish 6.5.1.
+# Generated by GNU Autoconf 2.69 for Varnish 6.5.2.
#
# Report bugs to <varnish-dev@varnish-cache.org>.
#
@@ -594,8 +594,8 @@
# Identity of this package.
PACKAGE_NAME='Varnish'
PACKAGE_TARNAME='varnish'
-PACKAGE_VERSION='6.5.1'
-PACKAGE_STRING='Varnish 6.5.1'
+PACKAGE_VERSION='6.5.2'
+PACKAGE_STRING='Varnish 6.5.2'
PACKAGE_BUGREPORT='varnish-dev@varnish-cache.org'
PACKAGE_URL=''
@@ -1433,7 +1433,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Varnish 6.5.1 to adapt to many kinds of systems.
+\`configure' configures Varnish 6.5.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1505,7 +1505,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Varnish 6.5.1:";;
+ short | recursive ) echo "Configuration of Varnish 6.5.2:";;
esac
cat <<\_ACEOF
@@ -1672,7 +1672,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Varnish configure 6.5.1
+Varnish configure 6.5.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2147,7 +2147,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Varnish $as_me 6.5.1, which was
+It was created by Varnish $as_me 6.5.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4532,7 +4532,7 @@
# Define the identity of the package.
PACKAGE='varnish'
- VERSION='6.5.1'
+ VERSION='6.5.2'
cat >>confdefs.h <<_ACEOF
@@ -24939,7 +24939,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Varnish $as_me 6.5.1, which was
+This file was extended by Varnish $as_me 6.5.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -25005,7 +25005,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Varnish config.status 6.5.1
+Varnish config.status 6.5.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru varnish-6.5.1/configure.ac varnish-6.5.2/configure.ac
--- varnish-6.5.1/configure.ac 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/configure.ac 2021-07-02 13:57:09.000000000 +0200
@@ -2,7 +2,7 @@
AC_COPYRIGHT([Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2020 Varnish Software])
AC_REVISION([$Id$])
-AC_INIT([Varnish], [6.5.1], [varnish-dev@varnish-cache.org])
+AC_INIT([Varnish], [6.5.2], [varnish-dev@varnish-cache.org])
AC_CONFIG_SRCDIR(include/miniobj.h)
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
diff -Nru varnish-6.5.1/debian/changelog varnish-6.5.2/debian/changelog
--- varnish-6.5.1/debian/changelog 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/changelog 2021-07-14 21:46:38.000000000 +0200
@@ -1,3 +1,10 @@
+varnish (6.5.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ (Closes: #991040, VSV00007, CVE-2021-36740)
+
+ -- Stig Sandbeck Mathisen <ssm@debian.org> Wed, 14 Jul 2021 21:46:38 +0200
+
varnish (6.5.1-1) unstable; urgency=medium
* New upstream release.
diff -Nru varnish-6.5.1/debian/control varnish-6.5.2/debian/control
--- varnish-6.5.1/debian/control 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/control 2021-07-14 21:46:38.000000000 +0200
@@ -18,7 +18,7 @@
pkg-config,
python3-sphinx,
xsltproc
-Standards-Version: 4.4.1
+Standards-Version: 4.5.0
Vcs-Browser: https://salsa.debian.org/varnish-team/varnish
Vcs-Git: https://salsa.debian.org/varnish-team/varnish.git
Homepage: https://www.varnish-cache.org/
diff -Nru varnish-6.5.1/debian/libvarnishapi-dev.install varnish-6.5.2/debian/libvarnishapi-dev.install
--- varnish-6.5.1/debian/libvarnishapi-dev.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/libvarnishapi-dev.install 2021-07-14 21:46:38.000000000 +0200
@@ -2,5 +2,5 @@
usr/share/aclocal
usr/share/varnish/vsctool.py
usr/share/varnish/vmodtool.py
-/usr/lib/*/libvarnishapi.so
-/usr/lib/*/pkgconfig/*.pc
+usr/lib/*/libvarnishapi.so
+usr/lib/*/pkgconfig/*.pc
diff -Nru varnish-6.5.1/debian/libvarnishapi2.install varnish-6.5.2/debian/libvarnishapi2.install
--- varnish-6.5.1/debian/libvarnishapi2.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/libvarnishapi2.install 2021-07-14 21:46:38.000000000 +0200
@@ -1 +1 @@
-/usr/lib/*/lib*.so.*
+usr/lib/*/lib*.so.*
diff -Nru varnish-6.5.1/debian/varnish.install varnish-6.5.2/debian/varnish.install
--- varnish-6.5.1/debian/varnish.install 2020-09-29 23:21:31.000000000 +0200
+++ varnish-6.5.2/debian/varnish.install 2021-07-14 21:46:38.000000000 +0200
@@ -1,7 +1,7 @@
etc/varnish/default.vcl
usr/bin/*
usr/sbin/*
-/usr/lib/*/varnish
+usr/lib/*/varnish
usr/share/man
usr/share/varnish/vcl
debian/*.service lib/systemd/system/
diff -Nru varnish-6.5.1/doc/changes.html varnish-6.5.2/doc/changes.html
--- varnish-6.5.1/doc/changes.html 2020-09-25 11:47:47.000000000 +0200
+++ varnish-6.5.2/doc/changes.html 2021-07-02 14:01:33.000000000 +0200
@@ -385,6 +385,12 @@
individual releases. These documents are updated as part of the
release process.</p>
</div>
+<div class="section" id="varnish-cache-6-5-2-2021-07-13">
+<h1>Varnish Cache 6.5.2 (2021-07-13)</h1>
+<ul class="simple">
+<li>Fix an HTTP/2.0 request smuggling vulnerability. (<a class="reference external" href="https://varnish-cache.org/security/VSV00007.html">VSV00007</a>)</li>
+</ul>
+</div>
<div class="section" id="varnish-cache-6-5-1-2020-09-25">
<h1>Varnish Cache 6.5.1 (2020-09-25)</h1>
<ul class="simple">
diff -Nru varnish-6.5.1/doc/changes.rst varnish-6.5.2/doc/changes.rst
--- varnish-6.5.1/doc/changes.rst 2020-09-25 11:14:30.000000000 +0200
+++ varnish-6.5.2/doc/changes.rst 2021-07-02 13:57:09.000000000 +0200
@@ -27,6 +27,14 @@
release process.
================================
+Varnish Cache 6.5.2 (2021-07-13)
+================================
+
+* Fix an HTTP/2.0 request smuggling vulnerability. (VSV00007_)
+
+.. _VSV00007: https://varnish-cache.org/security/VSV00007.html
+
+================================
Varnish Cache 6.5.1 (2020-09-25)
================================
diff -Nru varnish-6.5.1/doc/sphinx/conf.py varnish-6.5.2/doc/sphinx/conf.py
--- varnish-6.5.1/doc/sphinx/conf.py 2020-09-25 11:45:01.000000000 +0200
+++ varnish-6.5.2/doc/sphinx/conf.py 2021-07-02 13:57:46.000000000 +0200
@@ -45,9 +45,9 @@
# built documents.
#
# The short X.Y version.
-version = '6.5.1'
+version = '6.5.2'
# The full version, including alpha/beta/rc tags.
-release = '6.5.1'
+release = '6.5.2'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
@@ -135,7 +135,7 @@
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
-html_title = "Varnish version 6.5.1 documentation"
+html_title = "Varnish version 6.5.2 documentation"
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
diff -Nru varnish-6.5.1/doc/sphinx/reference/mkfs.mse.rst~ varnish-6.5.2/doc/sphinx/reference/mkfs.mse.rst~
--- varnish-6.5.1/doc/sphinx/reference/mkfs.mse.rst~ 1970-01-01 01:00:00.000000000 +0100
+++ varnish-6.5.2/doc/sphinx/reference/mkfs.mse.rst~ 2018-10-02 16:48:42.000000000 +0200
@@ -0,0 +1,57 @@
+.. role:: ref(emphasis)
+
+.. _mkfs.mse(1):
+
+========
+mkfs.mse
+========
+
+-------------------------------
+Massive Storage Engine mkfs.mse
+-------------------------------
+
+:Manual section: 1
+
+SYNOPSIS
+========
+
+mkfs.mse [-c <in.conf>] [-f]
+
+DESCRIPTION
+===========
+
+The `mkfs.mse` utility creates and initializes the data files and stores
+for use with Massive Storage Engine. It reads the same configuration file
+as would be pointed to when directing `varnishd` to use MSE for object
+storage, and this utility needs to be run once before starting `varnishd`
+with MSE for the first time.
+
+If a previous configuration exists and is initialized in the data files
+and stores, `mkfs.mse` will give an error instead of overwriting the
+existing data. If overwrite and clear of the data files is wanted, use the
+`-f` force flag to override the error. This will clear the cache
+completely, having an empty cache when `varnishd` is then started.
+
+OPTIONS
+=======
+
+-c <in.conf>
+
+ The configuration file to use. See `man mse-config` for details of the
+ configuration file.
+
+-f
+
+ Use the force option. This overrides the error of previous existing
+ configuration.
+
+HISTORY
+=======
+
+This manual page was written by Martin Blix Grydeland
+<martin@varnish-software.com>.
+
+COPYRIGHT
+=========
+
+* Copyright (c) 2018 Varnish Software
diff -Nru varnish-6.5.1/include/vcs_version.h varnish-6.5.2/include/vcs_version.h
--- varnish-6.5.1/include/vcs_version.h 2020-09-25 11:46:08.000000000 +0200
+++ varnish-6.5.2/include/vcs_version.h 2021-07-02 13:59:57.000000000 +0200
@@ -1,8 +1,8 @@
-/* 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64 */
+/* e7233b0ad2639043341819d19a8d2e418e94ce1b */
/*
* NB: This file is machine generated, DO NOT EDIT!
*
* Edit and run include/generate.py instead.
*/
-#define VCS_Version "1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64"
+#define VCS_Version "e7233b0ad2639043341819d19a8d2e418e94ce1b"
diff -Nru varnish-6.5.1/include/vmod_abi.h varnish-6.5.2/include/vmod_abi.h
--- varnish-6.5.1/include/vmod_abi.h 2020-09-25 11:46:08.000000000 +0200
+++ varnish-6.5.2/include/vmod_abi.h 2021-07-02 13:59:57.000000000 +0200
@@ -4,4 +4,4 @@
* Edit and run include/generate.py instead.
*/
-#define VMOD_ABI_Version "Varnish 6.5.1 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64"
+#define VMOD_ABI_Version "Varnish 6.5.2 e7233b0ad2639043341819d19a8d2e418e94ce1b"