From c9bb450be8fbadc047e70708f018dcf3a75eef75 Mon Sep 17 00:00:00 2001 From: Ingvar Hagelund Date: Thu, 21 Nov 2013 04:05:48 +0100 Subject: [PATCH] - Changed default mask for varnish log dir to 700, closing #915413 - Added a patch for CVE-2013-4484 from upstream, closing #1025128 --- varnish-3.0.4.fix_CVE-2013-4484.patch | 112 ++++++++++++++++++++++++++ varnish.spec | 10 ++- 2 files changed, 120 insertions(+), 2 deletions(-) create mode 100644 varnish-3.0.4.fix_CVE-2013-4484.patch diff --git a/varnish-3.0.4.fix_CVE-2013-4484.patch b/varnish-3.0.4.fix_CVE-2013-4484.patch new file mode 100644 index 0000000..f70cfb6 --- /dev/null +++ b/varnish-3.0.4.fix_CVE-2013-4484.patch @@ -0,0 +1,112 @@ +diff -Naur ../varnish-3.0.4.orig/bin/varnishd/cache_center.c ./bin/varnishd/cache_center.c +--- ../varnish-3.0.4.orig/bin/varnishd/cache_center.c 2013-06-14 10:39:31.000000000 +0200 ++++ ./bin/varnishd/cache_center.c 2013-11-21 00:48:00.486460486 +0100 +@@ -1471,9 +1471,12 @@ + static int + cnt_start(struct sess *sp) + { +- uint16_t done; ++ uint16_t err_code; + char *p; +- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; ++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; ++ const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n"; ++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; + + CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); + AZ(sp->restarts); +@@ -1496,10 +1499,14 @@ + sp->wrk->vcl = NULL; + + http_Setup(sp->http, sp->ws); +- done = http_DissectRequest(sp); ++ err_code = http_DissectRequest(sp); + + /* If we could not even parse the request, just close */ +- if (done == 400) { ++ if (err_code == 400) ++ (void)write(sp->fd, r_400, strlen(r_400)); ++ else if (err_code == 413) ++ (void)write(sp->fd, r_413, strlen(r_413)); ++ if (err_code != 0) { + sp->step = STP_DONE; + vca_close_session(sp, "junk"); + return (0); +@@ -1511,12 +1518,6 @@ + /* Catch original request, before modification */ + HTTP_Copy(sp->http0, sp->http); + +- if (done != 0) { +- sp->err_code = done; +- sp->step = STP_ERROR; +- return (0); +- } +- + sp->doclose = http_DoConnection(sp->http); + + /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ +@@ -1526,13 +1527,14 @@ + */ + if (http_GetHdr(sp->http, H_Expect, &p)) { + if (strcasecmp(p, "100-continue")) { +- sp->err_code = 417; +- sp->step = STP_ERROR; ++ (void)write(sp->fd, r_417, strlen(r_417)); ++ sp->step = STP_DONE; ++ vca_close_session(sp, "junk"); + return (0); + } + + /* XXX: Don't bother with write failures for now */ +- (void)write(sp->fd, r, strlen(r)); ++ (void)write(sp->fd, r_100, strlen(r_100)); + /* XXX: When we do ESI includes, this is not removed + * XXX: because we use http0 as our basis. Believed + * XXX: safe, but potentially confusing. +diff -Naur ../varnish-3.0.4.orig/bin/varnishd/cache_http.c ./bin/varnishd/cache_http.c +--- ../varnish-3.0.4.orig/bin/varnishd/cache_http.c 2013-06-14 10:39:31.000000000 +0200 ++++ ./bin/varnishd/cache_http.c 2013-11-21 00:48:00.486460486 +0100 +@@ -601,7 +601,7 @@ + hp->hd[h2].e = p; + + if (!Tlen(hp->hd[h2])) +- return (413); ++ return (400); + + /* Skip SP */ + for (; vct_issp(*p); p++) { +diff -Naur ../varnish-3.0.4.orig/bin/varnishtest/tests/r01367.vtc ./bin/varnishtest/tests/r01367.vtc +--- ../varnish-3.0.4.orig/bin/varnishtest/tests/r01367.vtc 1970-01-01 01:00:00.000000000 +0100 ++++ ./bin/varnishtest/tests/r01367.vtc 2013-11-21 00:48:00.486460486 +0100 +@@ -0,0 +1,30 @@ ++varnishtest "blank GET" ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++ sub vcl_error { ++ return (restart); ++ } ++} -start ++ ++client c1 { ++ send "GET \nHost: example.com\n\n" ++ rxresp ++ expect resp.status == 400 ++} -run ++ ++client c1 { ++ txreq -hdr "Expect: Santa-Claus" ++ rxresp ++ expect resp.status == 417 ++} -run ++ ++client c1 { ++ txreq ++ rxresp ++ expect resp.status == 200 ++} -run diff --git a/varnish.spec b/varnish.spec index 5f65b14..0fb942e 100644 --- a/varnish.spec +++ b/varnish.spec @@ -3,7 +3,7 @@ Summary: High-performance HTTP accelerator Name: varnish Version: 3.0.4 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Group: System Environment/Daemons URL: http://www.varnish-cache.org/ @@ -13,6 +13,7 @@ Source2: varnish.params Source3: varnishncsa.service Source4: varnishlog.service Patch2: varnish.fix_ppc64_upstream_bug_1194.patch +Patch3: varnish-3.0.4.fix_CVE-2013-4484.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # To build from git, start with a make dist, see redhat/README.redhat # You will need at least automake autoconf libtool python-docutils @@ -90,6 +91,7 @@ Documentation files for %name #%setup -q -n varnish-cache %patch2 +%patch3 mkdir examples cp bin/varnishd/default.vcl etc/zope-plone.vcl examples @@ -177,7 +179,7 @@ rm -rf %{buildroot} %{_sbindir}/* %{_bindir}/* %{_var}/lib/varnish -%{_var}/log/varnish +%attr(0700,root,root) %dir %{_var}/log/varnish %{_mandir}/man1/*.1* %{_mandir}/man3/*.3* %{_mandir}/man7/*.7* @@ -306,6 +308,10 @@ fi %endif %changelog +* Thu Nov 21 2013 Ingvar Hagelund 3.0.4-2 +- Changed default mask for varnish log dir to 700, closing #915413 +- Added a patch for CVE-2013-4484 from upstream, closing #1025128 + * Mon Aug 12 2013 Ingvar Hagelund 3.0.4-1 - New upstream release - Added libedit-devel to the build reqs