Version in base suite: 6.5.1-1+deb11u2 Base version: varnish_6.5.1-1+deb11u2 Target version: varnish_6.5.1-1+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/v/varnish/varnish_6.5.1-1+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/v/varnish/varnish_6.5.1-1+deb11u3.dsc changelog | 8 ++++ patches/debian-changes | 94 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+)
diff -Nru varnish-6.5.1/debian/changelog varnish-6.5.1/debian/changelog
--- varnish-6.5.1/debian/changelog 2022-02-13 13:45:59.000000000 +0000
+++ varnish-6.5.1/debian/changelog 2023-01-10 21:33:45.000000000 +0000
@@ -1,3 +1,11 @@
+varnish (6.5.1-1+deb11u3) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * h2: Polish duplicate pseudo-header error
+ * hpack: fix pseudo-headers handling (CVE-2022-45060) (Closes: #1023751)
+
+ -- Salvatore Bonaccorso Tue, 10 Jan 2023 22:33:45 +0100
+
 varnish (6.5.1-1+deb11u2) bullseye-security; urgency=medium
 * Apply upstream patch to fix: VSV00008 Varnish HTTP/1 Request Smuggling
diff -Nru varnish-6.5.1/debian/patches/debian-changes varnish-6.5.1/debian/patches/debian-changes
--- varnish-6.5.1/debian/patches/debian-changes 2022-02-13 13:45:59.000000000 +0000
+++ varnish-6.5.1/debian/patches/debian-changes 2023-01-10 21:33:45.000000000 +0000
@@ -149,3 +149,97 @@
 h2->mailcall = NULL;
 AZ(pthread_cond_signal(h2->cond));
 }
+--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2_hpack.c
++++ varnish-6.5.1/bin/varnishd/http2/cache_http2_hpack.c
+@@ -95,18 +95,25 @@ static h2_error
+ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ {
+ /* XXX: This might belong in cache/cache_http.c */
++ const char *b0;
++ int disallow_empty;
+ unsigned n;
++ char *p;
++ int i;
+
+ CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ AN(b);
+ assert(namelen >= 2); /* 2 chars from the ': ' that we added */
+ assert(namelen <= len);
+
++ disallow_empty = 0;
++
+ if (len > UINT_MAX) { /* XXX: cache_param max header size */
+ VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+ return (H2SE_ENHANCE_YOUR_CALM);
+ }
+
++ b0 = b;
+ if (b[0] == ':') {
+ /* Match H/2 pseudo headers */
+ /* XXX: Should probably have some include tbl for
+@@ -115,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, siz
+ b += namelen;
+ len -= namelen;
+ n = HTTP_HDR_METHOD;
++ disallow_empty = 1;
++
++ /* First field cannot contain SP or CTL */
++ for (p = b, i = 0; i < len; p++, i++) {
++ if (vct_issp(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
+ } else if (!strncmp(b, ":path: ", namelen)) {
+ b += namelen;
+ len -= namelen;
+ n = HTTP_HDR_URL;
++ disallow_empty = 1;
++
++ /* Second field cannot contain LWS or CTL */
++ for (p = b, i = 0; i < len; p++, i++) {
++ if (vct_islws(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
+ } else if (!strncmp(b, ":scheme: ", namelen)) {
+ /* XXX: What to do about this one? (typically
+ "http" or "https").
For now set it as a normal
+@@ -126,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, siz
+ b++;
+ len-=1;
+ n = hp->nhd;
++
++ for (p = b + namelen, i = 0; i < len-namelen;
++ p++, i++) {
++ if (vct_issp(*p) || vct_isctl(*p))
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
++ if (!i)
++ return (H2SE_PROTOCOL_ERROR);
+ } else if (!strncmp(b, ":authority: ", namelen)) {
+ b+=6;
+ len-=6;
+@@ -145,8 +175,8 @@ h2h_addhdr(struct http *hp, char *b, siz
+ /* Check for duplicate pseudo-header */
+ if (hp->hd[n].b != NULL) {
+ VSLb(hp->vsl, SLT_BogoHeader,
+- "Duplicate pseudo-header: %.*s",
+- (int)(len > 20 ? 20 : len), b);
++ "Duplicate pseudo-header %.*s%.*s",
++ (int)namelen, b0, (int)(len > 20 ? 20 : len), b);
+ return (H2SE_PROTOCOL_ERROR); // rfc7540,l,3158,3162
+ }
+ } else {
+@@ -162,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, siz
+ hp->hd[n].b = b;
+ hp->hd[n].e = b + len;
+
++ if (disallow_empty && !Tlen(hp->hd[n])) {
++ VSLb(hp->vsl, SLT_BogoHeader,
++ "Empty pseudo-header %.*s",
++ (int)namelen, b0);
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
+ return (0);
+ }
+
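Review bot: The `:scheme:` scan in the nested `@@ -126,6 +147,15 @@` hunk runs after `b++; len-=1;` but still offsets by the full `namelen`, so `p = b + namelen` starts one byte into the value, the first value byte is never inspected, and a one-character value is rejected by `if (!i)` because `len-namelen` is then zero. Worse, for an empty value (`len == namelen` on entry, which `assert(namelen <= len)` allows and nothing in these hunks rejects earlier) the `size_t` subtraction wraps and the first `*p` read lands past the end of the header. The simplest repair is to move the three lines `b++; len-=1; n = hp->nhd;` below the loop and the `!i` test so the scan uses the unadjusted `b`/`len`, mirroring the `:method:` and `:path:` branches. Those two branches also compare the `int` counter `i` against `size_t len`; declaring `size_t i` would keep that comparison unsigned. `h2h_addhdr` is shown only in pieces across the nested hunks, so the lines between them are not reviewed here.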