From 755a4d53436820620839266cc8f8881af8d633f9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 28 2022 10:34:36 +0000
Subject: import varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1
---
diff --git a/SOURCES/varnish-6.0.8-CVE-2022-45060.patch b/SOURCES/varnish-6.0.8-CVE-2022-45060.patch
new file mode 100644
index 0000000..6261b91
--- /dev/null
+++ b/SOURCES/varnish-6.0.8-CVE-2022-45060.patch
@@ -0,0 +1,85 @@
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index d432629..b0dacb9 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
++++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -93,18 +93,25 @@ static h2_error
+ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ {
+ /* XXX: This might belong in cache/cache_http.c */
++ const char *b0;
+ unsigned n;
++ int disallow_empty;
++ char *p;
++ int i;
+
+ CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ AN(b);
+ assert(namelen >= 2); /* 2 chars from the ': ' that we added */
+ assert(namelen <= len);
++
++ disallow_empty = 0;
+
+ if (len > UINT_MAX) { /* XXX: cache_param max header size */
+ VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+ return (H2SE_ENHANCE_YOUR_CALM);
+ }
+
++ b0 = b;
+ if (b[0] == ':') {
+ /* Match H/2 pseudo headers */
+ /* XXX: Should probably have some include tbl for
+@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ b += namelen;
+ len -= namelen;
+ n = HTTP_HDR_METHOD;
++ disallow_empty = 1;
++
++ /* First field cannot contain SP or CTL */
++ for (p = b, i = 0; i < len; p++, i++) {
++ if (vct_issp(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
+ } else if (!strncmp(b, ":path: ", namelen)) {
+ b += namelen;
+ len -= namelen;
+ n = HTTP_HDR_URL;
++ disallow_empty = 1;
++
++ /* Second field cannot contain LWS or CTL */
++ for (p = b, i = 0; i < len; p++, i++) {
++ if (vct_islws(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
+ } else if (!strncmp(b, ":scheme: ", namelen)) {
+ /* XXX: What to do about this one? (typically
+ "http" or "https"). For now set it as a normal
+@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ b++;
+ len-=1;
+ n = hp->nhd;
++
++ for (p = b + namelen, i = 0; i < len-namelen;
++ p++, i++) {
++ if (vct_issp(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
++ if (!i)
++ return (H2SE_PROTOCOL_ERROR);
+ } else if (!strncmp(b, ":authority: ", namelen)) {
+ b+=6;
+ len-=6;
+@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ hp->hd[n].b = b;
+ hp->hd[n].e = b + len;
+
++ if (disallow_empty && !Tlen(hp->hd[n])) {
++ VSLb(hp->vsl, SLT_BogoHeader,
++ "Empty pseudo-header %.*s",
++ (int)namelen, b0);
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
+ return (0);
+ }
+
diff --git a/SPECS/varnish.spec b/SPECS/varnish.spec
index 03b615a..e04ee71 100644
--- a/SPECS/varnish.spec
+++ b/SPECS/varnish.spec
@@ -19,7 +19,7 @@ Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.0.8
-Release: 1%{?dist}.1
+Release: 2%{?dist}.1
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -35,6 +35,9 @@ Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2045031
 Patch100: varnish-6.0.8.CVE-2022-23959.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
+Patch101: varnish-6.0.8-CVE-2022-45060.patch
+
 Obsoletes: varnish-libs
 %if %{with python3}
@@ -144,6 +147,7 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %endif
 %patch100 -p1
+%patch101 -p1
 %build
 %if 0%{?rhel} == 6
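Review bot: In the `:scheme:` branch of the embedded patch (inner hunk `@@ -124,6 +145,15 @@`), the new loop starts at `b + namelen` and runs for `len-namelen` bytes, but the two context lines just above it have already executed `b++; len-=1;` without adjusting `namelen`, so the first byte of the scheme value appears to escape the SP/CTL check while, for an empty value, `len-namelen` underflows as `size_t` and the loop keeps reading beyond the value until it happens to meet a SP or CTL byte. The bound should account for the stripped ':', e.g. `for (p = b + namelen - 1, i = 0; i < len - namelen + 1; p++, i++) {`, or the check should run before `b++; len-=1;` with `b + namelen` and `len - namelen`, mirroring the `:method:` and `:path:` branches; `if (!i)` then rejects the empty case as intended. All three added loops also compare `int i` against a `size_t` bound; declaring `size_t i;` in the first inner hunk would match `len` and remove the mixed-sign comparison. The inner hunks show only parts of h2h_addhdr, so the `:method:` condition and the rest of the branch chain lie outside this view.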
@@ -376,8 +380,12 @@ fi
 %changelog
-* Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-1.1
-- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
+* Mon Nov 14 2022 Luboš Uhliarik - 6.0.8-2.1
+- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
+ Vulnerability
+
+* Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-2
+- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
 Smuggling Vulnerability
 * Thu Jul 22 2021 Luboš Uhliarik - 6.0.8-1