import varnish-6.6.2-2.el9_1.1

SOURCES/varnish-6.6.2-CVE-2022-45060.patch

@@ -0,0 +1,76 @@
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index 6bc062e..570b871 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
++++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -97,11 +97,16 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	/* XXX: This might belong in cache/cache_http.c */
+ 	const char *b0;
+ 	unsigned n;
++	int disallow_empty;
++	char *p;
++	int i;
+ 
+ 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ 	AN(b);
+ 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
+ 	assert(namelen <= len);
++	
++	disallow_empty = 0;
+ 
+ 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
+ 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_METHOD;
++			disallow_empty = 1;
++
++			/* First field cannot contain SP or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":path: ", namelen)) {
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_URL;
++			disallow_empty = 1;
++
++			/* Second field cannot contain LWS or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_islws(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":scheme: ", namelen)) {
+ 			/* XXX: What to do about this one? (typically
+ 			   "http" or "https"). For now set it as a normal
+@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b++;
+ 			len-=1;
+ 			n = hp->nhd;
++
++			for (p = b + namelen, i = 0; i < len-namelen;
++			    p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
++
++			if (!i)
++				return (H2SE_PROTOCOL_ERROR);
+ 		} else if (!strncmp(b, ":authority: ", namelen)) {
+ 			b+=6;
+ 			len-=6;
+@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	hp->hd[n].b = b;
+ 	hp->hd[n].e = b + len;
+ 
++	if (disallow_empty && !Tlen(hp->hd[n])) {
++		VSLb(hp->vsl, SLT_BogoHeader,
++		    "Empty pseudo-header %.*s",
++		    (int)namelen, b0);
++		return (H2SE_PROTOCOL_ERROR);
++	}
++
+ 	return (0);
+ }
+ 

SPECS/varnish.spec

@@ -23,7 +23,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.6.2
-Release: 2%{?dist}
+Release: 2%{?dist}.1
 License: BSD
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
@@ -64,6 +64,9 @@ Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/%{commit1}.ta
 # Patch 018: gcc-10.0.1/s390x compilation fix, upstream commit b0af060
 #Patch18: varnish-6.3.2_fix_s390x.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
+Patch100: varnish-6.6.2-CVE-2022-45060.patch
+
 %if 0%{?fedora} > 29
 Provides: varnish%{_isa} = %{version}-%{release}
 Provides: varnishd(abi)%{_isa} = %{abi}
@@ -156,6 +159,8 @@ ln -s pkg-varnish-cache-%{commit1}/debian debian
 cp redhat/find-provides .
 sed -i 's,rst2man-3.6,rst2man-3.4,g; s,rst2html-3.6,rst2html-3.4,g; s,phinx-build-3.6,phinx-build-3.4,g' configure
 
+%patch100 -p1 -b .CVE-2022-45060
+
 %build
 # https://gcc.gnu.org/wiki/FAQ#PR323
 %ifarch %ix86
@@ -300,6 +305,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 
 
 %changelog
+* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-2.1
+- Resolves: #2142095 - CVE-2022-45060 varnish: Request Forgery Vulnerability
+
 * Thu Feb 17 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-2
 - new version 6.6.2
 - Resolves: #2007641 - rebase Varnish to 6.6.2