[Pkg-varnish-devel] Bug#728989: Bug#728989: varnish: CVE-2013-4484
Salvatore Bonaccorso
carnil at debian.org
Mon Dec 2 19:03:56 UTC 2013
Hi
On Thu, Nov 07, 2013 at 08:31:46PM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil at debian.org> writes:
>
> > Know you are already aware, opening bugreport to keep track of this
> > issue.
>
> Thanks.
>
> > the following vulnerability was published for varnish.
> >
> > CVE-2013-4484[0]:
> > | Varnish before 3.0.5 allows remote attackers to cause a denial of
> > | service (child-process crash and temporary caching outage) via a GET
> > | request with trailing whitespace characters and no URI.
>
> Just to add some information about this issue:
>
> Varnish is not vulnerable in its default configuration.
>
> To be vulnerable, varnish must be configured with "return(restart)"
> inside the "vcl_error" sub. Example:
>
> sub vcl_error {
> return(restart);
> }
>
> A workaround for people with matching configurations: Ensure that
> vcl_error does "return(deliver)" for status codes 400 and 413, before
> any "return(restart)". Example:
>
> sub vcl_error {
> if (obj.status == 400 || obj.status == 413) {
> return(deliver);
> }
> }
Thanks for fixing this with the 3.0.5-1 upload. Could you please also
prepare packages for squeeze-security and wheezy-security? I already
had a look at wheezy today; attached is the proposed debdiff (not yet
tested apart from the testsuite).
Regards,
Salvatore
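A complete vcl_error in the shape Stig describes above, added here as an example (it is not from the bug report or the Debian package); the 503 retry branch is an assumed stand-in for whatever the operator's own restart logic does:

```vcl
# Added example, not part of the report or the Debian package. Assumes a
# Varnish 3.0.x VCL that, like the one in the report, restarts from vcl_error.
#
# Vulnerable shape (every error, including the 400/413 produced for a request
# line that could not be parsed, is restarted):
#
#   sub vcl_error {
#       return(restart);
#   }
#
# Hardened shape: deliver the synthetic error for the two status codes that
# http_DissectRequest returns for an unparseable request, and only consider a
# restart for everything else. Keep this check ahead of any return(restart),
# including in any other vcl_error definition that VCL concatenates after it.
sub vcl_error {
    if (obj.status == 400 || obj.status == 413) {
        return(deliver);
    }
    # Assumed operator logic: retry a failed backend fetch a bounded number
    # of times, otherwise deliver the error page as-is.
    if (obj.status == 503 && req.restarts < 2) {
        return(restart);
    }
    return(deliver);
}
```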
-------------- next part --------------
diff -Nru varnish-3.0.2/debian/changelog varnish-3.0.2/debian/changelog
--- varnish-3.0.2/debian/changelog 2012-05-01 16:22:42.000000000 +0200
+++ varnish-3.0.2/debian/changelog 2013-12-02 07:40:45.000000000 +0100
@@ -1,3 +1,13 @@
+varnish (3.0.2-2+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2013-4484.patch patch.
+ CVE-2013-4484: A remote attacker can mount a denial of service
+ (child-process crash and temporary caching outage) via a GET request
+ with trailing whitespace characters and no URI. (Closes: #728989)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 02 Dec 2013 07:36:11 +0100
+
varnish (3.0.2-2) unstable; urgency=low
[ Knut Arne Bj?rndal ]
diff -Nru varnish-3.0.2/debian/patches/CVE-2013-4484.patch varnish-3.0.2/debian/patches/CVE-2013-4484.patch
--- varnish-3.0.2/debian/patches/CVE-2013-4484.patch 1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/patches/CVE-2013-4484.patch 2013-12-02 07:40:45.000000000 +0100
@@ -0,0 +1,121 @@
+Description: Fix denial of service handling certain GET requests
+ CVE-2013-4484: A remote attacker can mount a denial of service
+ (child-process crash and temporary caching outage) via a GET request
+ with trailing whitespace characters and no URI.
+Origin: backport, https://www.varnish-cache.org/trac/changeset/4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6?format=diff&new=4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6
+Bug: https://www.varnish-cache.org/trac/ticket/1367
+Bug-Debian: http://bugs.debian.org/728989
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1025127
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <carnil at debian.org>
+Last-Update: 2013-12-01
+
+--- a/bin/varnishd/cache_center.c
++++ b/bin/varnishd/cache_center.c
+@@ -1453,9 +1453,12 @@
+ static int
+ cnt_start(struct sess *sp)
+ {
+- uint16_t done;
++ uint16_t err_code;
+ char *p;
+- const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
++ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
++ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
++ const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
++ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+
+ CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ AZ(sp->restarts);
+@@ -1478,10 +1481,14 @@
+ sp->wrk->vcl = NULL;
+
+ http_Setup(sp->http, sp->ws);
+- done = http_DissectRequest(sp);
++ err_code = http_DissectRequest(sp);
+
+ /* If we could not even parse the request, just close */
+- if (done == 400) {
++ if (err_code == 400)
++ (void)write(sp->fd, r_400, strlen(r_400));
++ else if (err_code == 413)
++ (void)write(sp->fd, r_413, strlen(r_413));
++ if (err_code != 0) {
+ sp->step = STP_DONE;
+ vca_close_session(sp, "junk");
+ return (0);
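Review bot: with `if (err_code != 0)` every non-zero code from http_DissectRequest now closes the session, but only 400 and 413 get a response line written first; any other code this function can return in 3.0.2 would close the connection silently, so either confirm that 0, 400 and 413 are the only possible returns or add a default branch. The raw responses carry no Content-Length or Connection: close header, which is acceptable only because vca_close_session() follows immediately and the client sees EOF.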
+@@ -1493,12 +1500,6 @@
+ /* Catch original request, before modification */
+ HTTP_Copy(sp->http0, sp->http);
+
+- if (done != 0) {
+- sp->err_code = done;
+- sp->step = STP_ERROR;
+- return (0);
+- }
+-
+ sp->doclose = http_DoConnection(sp->http);
+
+ /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -1508,13 +1509,14 @@
+ */
+ if (http_GetHdr(sp->http, H_Expect, &p)) {
+ if (strcasecmp(p, "100-continue")) {
+- sp->err_code = 417;
+- sp->step = STP_ERROR;
++ (void)write(sp->fd, r_417, strlen(r_417));
++ sp->step = STP_DONE;
++ vca_close_session(sp, "junk");
+ return (0);
+ }
+
+ /* XXX: Don't bother with write failures for now */
+- (void)write(sp->fd, r, strlen(r));
++ (void)write(sp->fd, r_100, strlen(r_100));
+ /* XXX: When we do ESI includes, this is not removed
+ * XXX: because we use http0 as our basis. Believed
+ * XXX: safe, but potentially confusing.
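Review bot: the 417 path no longer goes through STP_ERROR, so vcl_error is never invoked for an unsupported Expect header and the connection is closed instead of the error being handled in VCL; that is what prevents a restart loop here, but it changes behaviour for every configuration, not only the vulnerable one, and deserves a line in the changelog entry. The existing "XXX: Don't bother with write failures for now" comment now applies to four write() calls, not one.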
+--- a/bin/varnishd/cache_http.c
++++ b/bin/varnishd/cache_http.c
+@@ -601,7 +601,7 @@
+ hp->hd[h2].e = p;
+
+ if (!Tlen(hp->hd[h2]))
+- return (413);
++ return (400);
+
+ /* Skip SP */
+ for (; vct_issp(*p); p++) {
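Review bot: returning 400 instead of 413 for an empty request URL matches the status expected by the new "blank GET" test and is the semantically correct code (Bad Request rather than Request Entity Too Large); check that nothing else in cache_center.c keyed on 413 for this case, since the new cnt_start branch still handles 413 separately.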
+--- /dev/null
++++ b/bin/varnishtest/tests/r01367.vtc
+@@ -0,0 +1,30 @@
++varnishtest "blank GET"
++
++server s1 {
++ rxreq
++ txresp
++} -start
++
++varnish v1 -vcl+backend {
++ sub vcl_error {
++ return (restart);
++ }
++} -start
++
++client c1 {
++ send "GET \nHost: example.com\n\n"
++ rxresp
++ expect resp.status == 400
++} -run
++
++client c1 {
++ txreq -hdr "Expect: Santa-Claus"
++ rxresp
++ expect resp.status == 417
++} -run
++
++client c1 {
++ txreq
++ rxresp
++ expect resp.status == 200
++} -run
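Review bot: the test exercises the vulnerable return (restart) configuration for the empty-URL (400) and unsupported-Expect (417) paths plus a normal 200, but nothing sends an over-long request, so the r_413 branch added to cnt_start runs untested; a request with an oversized header would cover it. The blank request is also sent with bare "\n" line endings rather than "\r\n", which relies on varnishd tolerating LF-only requests.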
diff -Nru varnish-3.0.2/debian/patches/series varnish-3.0.2/debian/patches/series
--- varnish-3.0.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/patches/series 2013-12-02 07:40:45.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-4484.patch