diff --git a/CVE-2022-38150.patch b/CVE-2022-38150.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7c6dd49c636ec48ea7ef15166a670ae3b30bcab
--- /dev/null
+++ b/CVE-2022-38150.patch
@@ -0,0 +1,72 @@
+From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland
+Date: Thu, 4 Aug 2022 10:59:33 +0200
+Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
+
+In http_EstimateWS(), all headers are passed to the http_isfiltered()
+function to calculate how many bytes is needed to serialize the entire
+struct http. http_isfiltered() will check the headers for whether they are
+going to be filtered out later and if so skip them.
+
+However http_isfiltered() would attempt to treat all elements of struct
+http as regular headers with an implicit structure. That does not hold for
+the first three pseudo-header entries, which would lead to asserts in
+later steps.
+
+This patch skips the filter step for pseudo-headers.
+
+Fixes: #3830
+---
+ bin/varnishd/cache/cache_http.c | 2 ++
+ bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 bin/varnishtest/tests/r03830.vtc
+
+diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
+index ed15e07f9e..d48c0bb366 100644
+--- a/bin/varnishd/cache/cache_http.c
++++ b/bin/varnishd/cache/cache_http.c
+@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
+ 
+ if (fm->hdf[u] & HDF_FILTER)
+ return (1);
++ if (u < HTTP_HDR_FIRST)
++ return (0);
+ e = strchr(fm->hd[u].b, ':');
+ if (e == NULL)
+ return (0);
+diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
+new file mode 100644
+index 0000000000..5155981923
+--- /dev/null
++++ b/bin/varnishtest/tests/r03830.vtc
+@@ -0,0 +1,29 @@
++varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
++
++server s1 {
++ rxreq
++ txresp -reason ":x"
++
++ rxreq
++ txresp
++} -start
++
++varnish v1 -vcl+backend {
++ sub vcl_recv {
++ return (hash);
++ }
++} -start
++
++client c1 {
++ txreq
++ rxresp
++ expect resp.status == 200
++} -run
++
++client c2 {
++ txreq -url :x
-method :x
++ rxresp
++ expect resp.status == 200
++} -run
++
++varnish v1 -vsl_catchup
diff --git a/varnish.spec b/varnish.spec
index 0c7954ec5216c8d54c78d10e08a105ab439ccf45..462ceff4e9e69d8c5ac12b44a7f944a4a3cb2653 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -3,7 +3,7 @@
 Name: varnish
 Summary: A web application accelerator
 Version: 7.0.1
-Release: 3
+Release: 4
 License: BSD
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@@ -13,6 +13,7 @@ Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2
 Patch0001: fix-varnish-devel-installation-failure.patch
 #https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
 Patch0002: CVE-2022-23959.patch
+Patch0003: CVE-2022-38150.patch
 BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires: ncurses-devel pcre2-devel libedit-devel gcc
@@ -160,6 +161,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 %changelog
+* Tue Aug 23 2022 jiangpeng - 7.0.1-4
+- Fix CVE-2022-38150
+
 * Tue Apr 26 2022 yaoxin - 7.0.1-3
 - Fix CVE-2022-23959
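Review bot: The new guard `if (u < HTTP_HDR_FIRST) return (0);` in http_isfiltered() carries no comment saying why the first HTTP_HDR_FIRST entries are exempt, and the reason — they are the pseudo-header slots, which lack the `name: value` shape that the following strchr() on fm->hd[u].b and http_hdr_flags() assume — lives only in the commit message of this vendored patch. Since the file is a verbatim upstream backport, the packaging side is the safest place to record that, but if the patch is ever rebased a one-line comment above the guard such as `/* hd[0..HTTP_HDR_FIRST-1] are pseudo-headers, not "name: value" lines; never hand them to http_hdr_flags() */` would keep the invariant next to the check. Placing the guard after the HDF_FILTER test looks right, since an entry explicitly flagged for filtering still returns 1 regardless of its index. The body of http_isfiltered() continues outside the hunk.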
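Review bot: `Patch0003: CVE-2022-38150.patch` is registered without the upstream-commit comment that precedes Patch0002, so the origin of the backport is only recoverable by opening the patch file. The patch header on this page names the upstream commit, so a line in the same form keeps the convention: `#https://github.com/varnishcache/varnish-cache/commit/c5fd097e5cce8b461c6443af02b3448baef2491d`. The %prep section is outside the visible hunks; if patches are applied with explicit `%patch` lines rather than `%autosetup`, a corresponding `%patch0003 -p1` is also required for the fix to reach the build.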