- Changed default mask for varnish log dir to 700, closing #915413

- Added a patch for CVE-2013-4484 from upstream, closing #1025128
2013-11-21 04:05:48 +01:00 · 2013-11-21 04:05:48 +01:00 · c9bb450be8
commit c9bb450be8
parent e89334aea9
2 changed files with 120 additions and 2 deletions
--- a/varnish-3.0.4.fix_CVE-2013-4484.patch
+++ b/varnish-3.0.4.fix_CVE-2013-4484.patch
@ -0,0 +1,112 @@
+diff -Naur ../varnish-3.0.4.orig/bin/varnishd/cache_center.c ./bin/varnishd/cache_center.c
+--- ../varnish-3.0.4.orig/bin/varnishd/cache_center.c	2013-06-14 10:39:31.000000000 +0200
+++ ./bin/varnishd/cache_center.c	2013-11-21 00:48:00.486460486 +0100
+@@ -1471,9 +1471,12 @@
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	uint16_t done;
+	uint16_t err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
+	const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
+	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -1496,10 +1499,14 @@
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
+	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done == 400) {
+	if (err_code == 400)
+		(void)write(sp->fd, r_400, strlen(r_400));
+	else if (err_code == 413)
+		(void)write(sp->fd, r_413, strlen(r_413));
+	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
+@@ -1511,12 +1518,6 @@
+ 	/* Catch original request, before modification */
+ 	HTTP_Copy(sp->http0, sp->http);
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -1526,13 +1527,14 @@
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcasecmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
+			(void)write(sp->fd, r_417, strlen(r_417));
+			sp->step = STP_DONE;
+			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
+		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
+diff -Naur ../varnish-3.0.4.orig/bin/varnishd/cache_http.c ./bin/varnishd/cache_http.c
+--- ../varnish-3.0.4.orig/bin/varnishd/cache_http.c	2013-06-14 10:39:31.000000000 +0200
+++ ./bin/varnishd/cache_http.c	2013-11-21 00:48:00.486460486 +0100
+@@ -601,7 +601,7 @@
+ 	hp->hd[h2].e = p;
+ 
+ 	if (!Tlen(hp->hd[h2]))
+-		return (413);
+		return (400);
+ 
+ 	/* Skip SP */
+ 	for (; vct_issp(*p); p++) {
+diff -Naur ../varnish-3.0.4.orig/bin/varnishtest/tests/r01367.vtc ./bin/varnishtest/tests/r01367.vtc
+--- ../varnish-3.0.4.orig/bin/varnishtest/tests/r01367.vtc	1970-01-01 01:00:00.000000000 +0100
+++ ./bin/varnishtest/tests/r01367.vtc	2013-11-21 00:48:00.486460486 +0100
+@@ -0,0 +1,30 @@
+varnishtest "blank GET"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend { 
+	sub vcl_error {
+		return (restart);
+	}
+} -start
+
+client c1 {
+	send "GET    \nHost: example.com\n\n"
+	rxresp
+	expect resp.status == 400
+} -run
+
+client c1 {
+	txreq -hdr "Expect: Santa-Claus"
+	rxresp
+	expect resp.status == 417
+} -run
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
--- a/varnish.spec
+++ b/varnish.spec
@ -3,7 +3,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 3.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: BSD
 Group: System Environment/Daemons
 URL: http://www.varnish-cache.org/
@ -13,6 +13,7 @@ Source2: varnish.params
 Source3: varnishncsa.service
 Source4: varnishlog.service
 Patch2:  varnish.fix_ppc64_upstream_bug_1194.patch
+Patch3:  varnish-3.0.4.fix_CVE-2013-4484.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # To build from git, start with a make dist, see redhat/README.redhat 
 # You will need at least automake autoconf libtool python-docutils
@ -90,6 +91,7 @@ Documentation files for %name
 #%setup -q -n varnish-cache

 %patch2
+%patch3

 mkdir examples
 cp bin/varnishd/default.vcl etc/zope-plone.vcl examples
@ -177,7 +179,7 @@ rm -rf %{buildroot}
 %{_sbindir}/*
 %{_bindir}/*
 %{_var}/lib/varnish
-%{_var}/log/varnish
+%attr(0700,root,root) %dir %{_var}/log/varnish
 %{_mandir}/man1/*.1*
 %{_mandir}/man3/*.3*
 %{_mandir}/man7/*.7*
@ -306,6 +308,10 @@ fi
 %endif

 %changelog
+* Thu Nov 21 2013 Ingvar Hagelund <ingvar@redpill-linpro.com> 3.0.4-2
+- Changed default mask for varnish log dir to 700, closing #915413 
+- Added a patch for CVE-2013-4484 from upstream, closing #1025128
+
 * Mon Aug 12 2013 Ingvar Hagelund <ingvar@redpill-linpro.com> 3.0.4-1
 - New upstream release
 - Added libedit-devel to the build reqs