Debian Bug report logs - #728989
varnish: CVE-2013-4484

Package: varnish; Maintainer for varnish is Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>; Source for varnish is src:varnish.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Nov 2013 16:18:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions varnish/3.0.2-2, varnish/2.1.3-8

Fixed in versions varnish/3.0.5-1, varnish/3.0.2-2+deb7u1, varnish/2.1.3-8+deb6u2

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://www.varnish-cache.org/trac/ticket/1367

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Thu, 07 Nov 2013 16:18:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Thu, 07 Nov 2013 16:18:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: varnish: CVE-2013-4484
Date: Thu, 07 Nov 2013 17:16:21 +0100
Package: varnish
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

Know you are already aware, opening bugreport to keep track of this
issue.

The following vulnerability was published for varnish.

CVE-2013-4484[0]:
| Varnish before 3.0.5 allows remote attackers to cause a denial of
| service (child-process crash and temporary caching outage) via a GET
| request with trailing whitespace characters and no URI.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

[0] http://security-tracker.debian.org/tracker/CVE-2013-4484

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Thu, 07 Nov 2013 19:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Thu, 07 Nov 2013 19:45:04 GMT) Full text and rfc822 format available.

Message #10 received at 728989@bugs.debian.org (full text, mbox):

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: 728989@bugs.debian.org, 728989-submitter@bugs.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Thu, 07 Nov 2013 20:31:46 +0100

Salvatore Bonaccorso <carnil@debian.org> writes:

> Know you are already aware, opening bugreport to keep track of this
> issue.

Thanks.

> the following vulnerability was published for varnish.
>
> CVE-2013-4484[0]:
> | Varnish before 3.0.5 allows remote attackers to cause a denial of
> | service (child-process crash and temporary caching outage) via a GET
> | request with trailing whitespace characters and no URI.

Just to add some information about this issue:

Varnish is not vulnerable in its default configuration.

To be vulnerable, varnish must be configured with "return(restart)"
inside the "vcl_error" sub. Example:

    sub vcl_error {
        return(restart);
    }

A workaround for people with matching configurations: Ensure that
vcl_error does "return(deliver)" for status codes 400 and 413, before
any "return(restart)". Example:

    sub vcl_error {
        if (obj.status == 400 || obj.status == 413) {
            return(deliver);
        }
    }

-- 
Stig Sandbeck Mathisen <ssm@debian.org>
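
A heuristic check for the configuration condition described in the message above, as an added example that is not part of the original thread or of Varnish: it reads VCL text and reports whether `vcl_error` contains `return(restart)` without first delivering status 400 and 413. The function names and result labels are assumptions of this example, and the sample VCL snippets are constructed.

```python
import re

# Blank out strings and comments first so that braces or keywords inside
# them cannot confuse the matching below.
_NOISE = re.compile(r'\{".*?"\}|"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_SUB = re.compile(r'\bsub\s+vcl_error\s*\{')
_RESTART = re.compile(r'\breturn\s*\(\s*restart\s*\)')
_DELIVER = re.compile(r'\breturn\s*\(\s*deliver\s*\)')
_IF = re.compile(r'\bif\s*\((?P<cond>[^{}]*?)\)\s*\{(?P<body>[^{}]*)\}')
_STATUS_EQ = re.compile(r'\bobj\.status\s*==\s*(\d+)')


def _clean(vcl):
    """Replace string literals with "" and comments with a space."""
    return _NOISE.sub(lambda m: '""' if m.group(0)[0] in '{"' else ' ', vcl)


def vcl_error_bodies(vcl):
    """Return the body of every `sub vcl_error { ... }`, in source order."""
    text = _clean(vcl)
    bodies = []
    for m in _SUB.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        end = i - 1 if depth == 0 else i  # tolerate a missing closing brace
        bodies.append(text[m.end():end])
    return bodies


def classify(vcl):
    """Return "no-restart", "guarded" or "needs-review" for one VCL text.

    "guarded" means that plain if-blocks which deliver status 400 and 413
    appear before the first return(restart), as in the workaround above.
    "needs-review" means a restart is present without that guard; the
    restart may still be conditional in a way this heuristic does not model.
    """
    body = "\n".join(vcl_error_bodies(vcl))
    restart = _RESTART.search(body)
    if restart is None:
        return "no-restart"
    delivered = set()
    # Only if-blocks that end before the first restart can act as a guard.
    for m in _IF.finditer(body, 0, restart.start()):
        cond = m.group('cond')
        if '&&' in cond or '!' in cond:
            continue  # not a plain "status is X or Y" test
        if _DELIVER.search(m.group('body')):
            delivered.update(int(s) for s in _STATUS_EQ.findall(cond))
    return "guarded" if {400, 413} <= delivered else "needs-review"


# Constructed sample configurations (VCL 3 syntax, as used in this thread).
SAMPLES = {
    "restart-only": """
sub vcl_error {
    return(restart);
}
""",
    "guard-then-restart": """
sub vcl_error {
    if (obj.status == 400 || obj.status == 413) {
        return(deliver);
    }
    return(restart);
}
""",
    "guard-after-restart": """
sub vcl_error {
    return(restart);
    if (obj.status == 400 || obj.status == 413) {
        return(deliver);
    }
}
""",
    "only-400-guarded": """
sub vcl_error {
    if (obj.status == 400) {
        return(deliver);
    }
    return(restart);
}
""",
    "restart-in-comment": """
sub vcl_error {
    # return(restart);  switched off
    set obj.http.X-Note = "return(restart)";
    return(deliver);
}
""",
}

if __name__ == "__main__":
    for name, vcl in SAMPLES.items():
        print(f"{name}: {classify(vcl)}")
```

A "needs-review" result is a prompt to read the file, not a verdict: `include`d files and restarts nested under other conditions are outside what this check evaluates.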



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#728989. (Thu, 07 Nov 2013 19:45:14 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'https://www.varnish-cache.org/trac/ticket/1367'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Nov 2013 06:12:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 02 Dec 2013 19:06:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 02 Dec 2013 19:06:04 GMT) Full text and rfc822 format available.

Message #20 received at 728989@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>, 728989@bugs.debian.org
Subject: Re: Bug#728989: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Mon, 2 Dec 2013 20:03:56 +0100
[Message part 1 (text/plain, inline)]
Hi 

On Thu, Nov 07, 2013 at 08:31:46PM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Know you are already aware, opening bugreport to keep track of this
> > issue.
> 
> Thanks.
> 
> > the following vulnerability was published for varnish.
> >
> > CVE-2013-4484[0]:
> > | Varnish before 3.0.5 allows remote attackers to cause a denial of
> > | service (child-process crash and temporary caching outage) via a GET
> > | request with trailing whitespace characters and no URI.
> 
> Just to add some information about this issue:
> 
> Varnish is not vulnerable in its default configuration.
> 
> To be vulnerable, varnish must be configured with "return(restart)"
> inside the "vcl_error" sub. Example:
> 
>     sub vcl_error {
>         return(restart);
>     }
> 
> A workaround for people with matching configurations: Ensure that
> vcl_error does "return(deliver)" for status codes 400 and 413, before
> any "return(restart)". Example:
> 
>     sub vcl_error {
>         if (obj.status == 400 || obj.status == 413) {
>             return(deliver);
>         }
>     }

Thanks for fixing this with the 3.0.5-1 upload. Could you please also
prepare packages for squeeze-security and wheezy-security? I already
had a look at wheezy today; attached is a proposed debdiff (but
not yet tested apart from the testsuite).

Regards,
Salvatore
[varnish_3.0.2-2+deb7u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 02 Dec 2013 19:06:23 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 02 Dec 2013 19:06:23 GMT) Full text and rfc822 format available.

Message #25 received at 728989-done@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>, 728989-done@bugs.debian.org
Subject: Re: Bug#728989: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Mon, 2 Dec 2013 20:05:06 +0100
Source: varnish
Source-Version: 3.0.5-1

Hi,

Closing the bug with version 3.0.5-1 (containing the fix for
CVE-2013-4484).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 02 Dec 2013 20:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 02 Dec 2013 20:03:04 GMT) Full text and rfc822 format available.

Message #30 received at 728989@bugs.debian.org (full text, mbox):

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Stig Sandbeck Mathisen <ssm@debian.org>, 728989@bugs.debian.org
Subject: Re: Bug#728989: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Mon, 02 Dec 2013 21:52:01 +0100
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso <carnil@debian.org> writes:

> Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> prepare packages for squeeze-security and wheezy-security? I already
> had a look at wheezy today; attached is a proposed debdiff (but
> not yet tested apart from the testsuite).

Thanks for the debdiff. I'll take a look at it.

Do you, by any chance, have this as a git commit available somewhere?

-- 
Stig Sandbeck Mathisen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 02 Dec 2013 20:51:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 02 Dec 2013 20:51:09 GMT) Full text and rfc822 format available.

Message #35 received at 728989@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>
Cc: 728989@bugs.debian.org
Subject: Re: Bug#728989: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Mon, 2 Dec 2013 21:46:29 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Mon, Dec 02, 2013 at 09:52:01PM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> > prepare packages for squeeze-security and wheezy-security? I already
> > had a look at wheezy today; attached is a proposed debdiff (but
> > not yet tested apart from the testsuite).
> 
> Thanks for the debdiff. I'll take a look at it.

Thanks.

> Do you, by any chance, have this as a git commit available somewhere?

Yes, sure. Attaching a format-patch from my local copy.

Regards,
Salvatore
[0001-Add-CVE-2013-4484.patch-patch.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Sat, 07 Dec 2013 22:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Sat, 07 Dec 2013 22:51:04 GMT) Full text and rfc822 format available.

Message #40 received at 728989@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 728989@bugs.debian.org, Stig Sandbeck Mathisen <ssm@debian.org>
Cc: team@security.debian.org
Subject: Re: Bug#728989: [Pkg-varnish-devel] Bug#728989: varnish: CVE-2013-4484
Date: Sat, 7 Dec 2013 23:49:36 +0100
[Message part 1 (text/plain, inline)]
Hi Stig,

On Mon, Dec 02, 2013 at 09:46:29PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Dec 02, 2013 at 09:52:01PM +0100, Stig Sandbeck Mathisen wrote:
> > Salvatore Bonaccorso <carnil@debian.org> writes:
> > 
> > > Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> > > prepare packages for squeeze-security and wheezy-security? I already
> > > had a look at wheezy today; attached is a proposed debdiff (but
> > > not yet tested apart from the testsuite).
> > 
> > Thanks for the debdiff. I'll take a look at it.
> 
> Thanks.
> 
> > Do you, by any chance, have this as a git commit available somewhere?
> 
> Yes, sure. Attaching a format-patch from my local copy.

And attached is also the one for squeeze-security. Unless something is
obviously broken or there is a regression with these, I plan to prepare
a DSA for these.

(It passes all the testsuite so far).

Regards,
Salvatore
[0001-Add-CVE-2013-4484.patch-patch.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 09 Dec 2013 00:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 09 Dec 2013 00:33:04 GMT) Full text and rfc822 format available.

Message #45 received at 728989@bugs.debian.org (full text, mbox):

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Stig Sandbeck Mathisen <ssm@debian.org>, 728989@bugs.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#728989: Bug#728989: varnish: CVE-2013-4484
Date: Mon, 09 Dec 2013 01:22:49 +0100
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso <carnil@debian.org> writes:

> Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> prepare packages for squeeze-security and wheezy-security? I already
> had a look at wheezy today; attached is a proposed debdiff (but
> not yet tested apart from the testsuite).

I've prepared:

 * varnish_2.1.3-8+deb6u1 for squeeze-security

 * varnish_3.0.2-2+deb7u1 for wheezy-security

Debdiffs attached:

[varnish_3.0.2-2+deb7u1.dsc.debdiff (text/x-diff, inline)]
diff -Nru varnish-3.0.2/debian/changelog varnish-3.0.2/debian/changelog
--- varnish-3.0.2/debian/changelog	2012-05-01 16:22:42.000000000 +0200
+++ varnish-3.0.2/debian/changelog	2013-12-09 00:48:01.000000000 +0100
@@ -1,3 +1,11 @@
+varnish (3.0.2-2+deb7u1) wheezy-security; urgency=high
+
+  * Import upstream security patch.
+    A malformed request could in some configurations lead to Varnish
+    crashing.  CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <ssm@debian.org>  Sun, 08 Dec 2013 23:36:59 +0100
+
 varnish (3.0.2-2) unstable; urgency=low
 
   [ Knut Arne Bjørndal ]
diff -Nru varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
--- varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch	1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/patches/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch	2013-12-09 00:48:30.000000000 +0100
@@ -0,0 +1,133 @@
+From 6de534b7096879890ac152537c87551fda204944 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Wed, 30 Oct 2013 13:48:20 +0100
+Subject: [PATCH] Make up our mind:  Any req.* we receive from the client with
+ fundamental trouble gets failed back without VCL involvement.
+
+Fixes	#1367
+---
+ bin/varnishd/cache_center.c      | 28 +++++++++++++++-------------
+ bin/varnishd/cache_http.c        |  2 +-
+ bin/varnishtest/tests/r01367.vtc | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 14 deletions(-)
+ create mode 100644 bin/varnishtest/tests/r01367.vtc
+
+diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c
+index 4d94d88..190aeaf 100644
+--- a/bin/varnishd/cache_center.c
++++ b/bin/varnishd/cache_center.c
+@@ -1453,9 +1453,12 @@ DOT start -> recv [style=bold,color=green]
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	uint16_t done;
++	uint16_t err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
++	const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n";
++	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -1478,10 +1481,14 @@ cnt_start(struct sess *sp)
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
++	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done == 400) {
++	if (err_code == 400)
++		(void)write(sp->fd, r_400, strlen(r_400));
++	else if (err_code == 413)
++		(void)write(sp->fd, r_413, strlen(r_413));
++	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
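Review bot: in the `err_code != 0` branch of cnt_start(), only 400 and 413 get a response written; any other non-zero value from http_DissectRequest() closes the session silently, and the retained comment "If we could not even parse the request, just close" no longer matches code that now answers first. Suggest a final `else` that sends `r_400` (or a comment stating that no other codes can occur) and an updated comment. The discarded `write()` result is tolerable only because the session is closed on the following lines.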
+@@ -1493,12 +1500,6 @@ cnt_start(struct sess *sp)
+ 	/* Catch original request, before modification */
+ 	HTTP_Copy(sp->http0, sp->http);
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
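Review bot: removing the `sp->step = STP_ERROR` block here means a failed parse no longer reaches VCL, so a `vcl_error` guard on `obj.status == 400 || obj.status == 413`, given as the workaround earlier in this bug, never fires once the patch is applied. That matches the commit subject ("failed back without VCL involvement"), but it is a behaviour change for existing configurations and deserves a line in debian/changelog or NEWS beyond "Import upstream security patch".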
+@@ -1508,13 +1509,14 @@ cnt_start(struct sess *sp)
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcasecmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
++			(void)write(sp->fd, r_417, strlen(r_417));
++			sp->step = STP_DONE;
++			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
++		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
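Review bot: the 417 branch passes the same "junk" string to vca_close_session() as the parse-failure path, although at this point the request has parsed and only the `Expect` value is unsupported. A distinct string here would let operators tell malformed requests from unsupported expectations wherever that string is recorded. The `write()` of `r_417` is also unchecked, while the XXX comment about write failures sits only above the `r_100` write.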
+diff --git a/bin/varnishd/cache_http.c b/bin/varnishd/cache_http.c
+index 844e71b..b96fb22 100644
+--- a/bin/varnishd/cache_http.c
++++ b/bin/varnishd/cache_http.c
+@@ -601,7 +601,7 @@ http_splitline(struct worker *w, int fd, struct http *hp,
+ 	hp->hd[h2].e = p;
+ 
+ 	if (!Tlen(hp->hd[h2]))
+-		return (413);
++		return (400);
+ 
+ 	/* Skip SP */
+ 	for (; vct_issp(*p); p++) {
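Review bot: the change from `return (413)` to `return (400)` for an empty `hp->hd[h2]` in http_splitline() decides which response the new r01367.vtc "GET    " case receives, yet nothing at the site says why an empty field is a bad request rather than an oversized one. A one-line comment above the `!Tlen(...)` check would keep a later edit from flipping it back.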
+diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc
+new file mode 100644
+index 0000000..e1de20a
+--- /dev/null
++++ b/bin/varnishtest/tests/r01367.vtc
+@@ -0,0 +1,30 @@
++varnishtest "blank GET"
++
++server s1 {
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend { 
++	sub vcl_error {
++		return (restart);
++	}
++} -start
++
++client c1 {
++	send "GET    \nHost: example.com\n\n"
++	rxresp
++	expect resp.status == 400
++} -run
++
++client c1 {
++	txreq -hdr "Expect: Santa-Claus"
++	rxresp
++	expect resp.status == 417
++} -run
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
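Review bot: r01367.vtc exercises the 400 and 417 paths and a normal 200, but not the `err_code == 413` branch that the same patch adds to cnt_start(). Suggest a fourth client block whose request is answered with 413 while `vcl_error` is set to `return (restart)`, so that every early-exit response introduced here is covered by the regression test.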
+-- 
+1.8.4.rc3
+
diff -Nru varnish-3.0.2/debian/patches/series varnish-3.0.2/debian/patches/series
--- varnish-3.0.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/patches/series	2013-12-09 00:48:30.000000000 +0100
@@ -0,0 +1,2 @@
+# debian/source/git-patches exported from git by quilt-patches-deb-export-hook
+0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
diff -Nru varnish-3.0.2/debian/source/git-patches varnish-3.0.2/debian/source/git-patches
--- varnish-3.0.2/debian/source/git-patches	1970-01-01 01:00:00.000000000 +0100
+++ varnish-3.0.2/debian/source/git-patches	2013-12-09 00:48:01.000000000 +0100
@@ -0,0 +1,4 @@
+# Security patch for varnish 3.0.2 cherry-picked from 3.0.5
+# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728989
+
+upstream/3.0.2...patches/3.0.2-CVE-2013-4484
[varnish_2.1.3-8+deb6u1.dsc.debdiff (text/x-diff, inline)]
diff -Nru varnish-2.1.3/debian/changelog varnish-2.1.3/debian/changelog
--- varnish-2.1.3/debian/changelog	2013-12-09 00:40:13.000000000 +0100
+++ varnish-2.1.3/debian/changelog	2013-12-09 01:19:57.000000000 +0100
@@ -1,3 +1,12 @@
+varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
+
+  [ Salvatore Bonaccorso ]
+  * Backport upstream security patch.
+    A malformed request could in some configurations lead to Varnish
+    crashing.  CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <ssm@debian.org>  Mon, 09 Dec 2013 01:19:45 +0100
+
 varnish (2.1.3-8) unstable; urgency=high
 
   * Fix random secret creation on non-Linux kernels (Closes: #596373)
diff -Nru varnish-2.1.3/debian/patches/debian-changes-2.1.3-8 varnish-2.1.3/debian/patches/debian-changes-2.1.3-8
--- varnish-2.1.3/debian/patches/debian-changes-2.1.3-8	2013-12-09 00:42:11.000000000 +0100
+++ varnish-2.1.3/debian/patches/debian-changes-2.1.3-8	1970-01-01 01:00:00.000000000 +0100
@@ -1,206 +0,0 @@
-Description: Upstream changes introduced in version 2.1.3-8
- This patch has been created by dpkg-source during the package build.
- Here's the last changelog entry, hopefully it gives details on why
- those changes were made:
- .
- varnish (2.1.3-8) unstable; urgency=high
- .
-   * Fix random secret creation on non-Linux kernels (Closes: #596373)
-   * Urgency "high" due to FTBFS RC bug during squeeze freeze
- .
- The person named in the Author field signed this changelog entry.
-Author: Stig Sandbeck Mathisen <ssm@debian.org>
-Bug-Debian: http://bugs.debian.org/596373
-
----
-The information above should follow the Patch Tagging Guidelines, please
-checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
-are templates for supplementary fields that you might want to add:
-
-Origin: <vendor|upstream|other>, <url of original patch>
-Bug: <url in upstream bugtracker>
-Bug-Debian: http://bugs.debian.org/<bugnumber>
-Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
-Forwarded: <no|not-needed|url proving that it has been forwarded>
-Reviewed-By: <name and email of someone who approved the patch>
-Last-Update: <YYYY-MM-DD>
-
---- varnish-2.1.3.orig/bin/varnishd/cache_center.c
-+++ varnish-2.1.3/bin/varnishd/cache_center.c
-@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=gree
- static int
- cnt_start(struct sess *sp)
- {
--	int done;
-+	uint16_t err_code;
- 	char *p;
--	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
-+	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
-+	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
-+	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
- 
- 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
- 	AZ(sp->restarts);
-@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp)
- 	sp->wrk->vcl = NULL;
- 
- 	http_Setup(sp->http, sp->ws);
--	done = http_DissectRequest(sp);
-+	err_code = http_DissectRequest(sp);
- 
- 	/* If we could not even parse the request, just close */
--	if (done < 0) {
-+	if (err_code == 400)
-+		(void)write(sp->fd, r_400, strlen(r_400));
-+	if (err_code != 0) {
- 		sp->step = STP_DONE;
- 		vca_close_session(sp, "junk");
- 		return (0);
-@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp)
- 	/* Catch original request, before modification */
- 	HTTP_Copy(sp->http0, sp->http);
- 
--	if (done != 0) {
--		sp->err_code = done;
--		sp->step = STP_ERROR;
--		return (0);
--	}
--
- 	sp->doclose = http_DoConnection(sp->http);
- 
- 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
-@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp)
- 	 */
- 	if (http_GetHdr(sp->http, H_Expect, &p)) {
- 		if (strcasecmp(p, "100-continue")) {
--			sp->err_code = 417;
--			sp->step = STP_ERROR;
-+			(void)write(sp->fd, r_417, strlen(r_417));
-+			sp->step = STP_DONE;
-+			vca_close_session(sp, "junk");
- 			return (0);
- 		}
- 
- 		/* XXX: Don't bother with write failures for now */
--		(void)write(sp->fd, r, strlen(r));
-+		(void)write(sp->fd, r_100, strlen(r_100));
- 		/* XXX: When we do ESI includes, this is not removed
- 		 * XXX: because we use http0 as our basis.  Believed
- 		 * XXX: safe, but potentially confusing.
---- varnish-2.1.3.orig/bin/varnishtest/tests/v00014.vtc
-+++ varnish-2.1.3/bin/varnishtest/tests/v00014.vtc
-@@ -2,6 +2,7 @@
- 
- test "Check req.backend.healthy"
- 
-+# probe will hit this to check healthiness
- server s1 {
- 	rxreq
- 	expect req.url == "/"
-@@ -16,8 +17,8 @@ varnish v1 -vcl {
- 		.max_connections = 1;
- 		.probe = {
- 			.url = "/";
--			.timeout = 1s;
--			.interval = 1s;
-+			.timeout = 0.1s;
-+			.interval = 0.1s;
- 			.window = 3;
- 			.threshold = 2;
- 			.initial = 0;
-@@ -33,25 +34,33 @@ varnish v1 -vcl {
- 	}
- } -start
- 
-+# probe runs every 0.1s and needs 2 (threshold) out of the latest 3 (window) to
-+# be successful. Make sure this does *not* happen: the first probe would be
-+# successful (s1 was started and finished), but let the next one or two to fail
-+# (and hence making the backend unhealthy) by idling.
-+server s1 -wait
-+delay 0.3
-+
-+# verify that backend is unhealthy as expected
- client c1 {
- 	txreq
- 	rxresp
- 	expect resp.status == 500
- } -run
- 
--server s1 {
--	rxreq
--	expect req.url == "/"
--	txresp -body "slash"
--} -start
-+# now let three consecutive probe checks to succeed by starting them and
-+# waiting for them to finish. This will lead varnish to believe that the
-+# backend is healthly. (note that s1 ports are reused)
-+server s1 -repeat 3 -start -wait
- 
--server s1 {
-+# do an actual check with a healthy backend, expecting to get a 200 back
-+server s2 {
- 	rxreq
- 	expect req.url == "/foo"
- 	txresp -body "foobar"
- } -start
- 
--client c1 {
-+client c2 {
- 	txreq -url "/foo"
- 	rxresp
- 	expect resp.status == 200
---- /dev/null
-+++ varnish-2.1.3/bin/varnishtest/tests/r01367.vtc
-@@ -0,0 +1,30 @@
-+varnishtest "blank GET"
-+
-+server s1 {
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -vcl+backend { 
-+	sub vcl_error {
-+		return (restart);
-+	}
-+} -start
-+
-+client c1 {
-+	send "GET    \nHost: example.com\n\n"
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	txreq -hdr "Expect: Santa-Claus"
-+	rxresp
-+	expect resp.status == 417
-+} -run
-+
-+client c1 {
-+	txreq
-+	rxresp
-+	expect resp.status == 200
-+} -run
---- varnish-2.1.3.orig/doc/changes-2.1.0-2.1.1.xml
-+++ varnish-2.1.3/doc/changes-2.1.0-2.1.1.xml
-@@ -86,7 +86,7 @@
- 
-     <change type="enh">
-       <para><code>varnishsizes</code>, which is
--      like <code>varnishhost</code>, but for the length of objects,
-+      like <code>varnishhist</code>, but for the length of objects,
-       has been added..</para>
-     </change>
-   </subsystem>
---- varnish-2.1.3.orig/doc/changes-2.1.1.html
-+++ varnish-2.1.3/doc/changes-2.1.1.html
-@@ -74,7 +74,7 @@
-     <ul>
-       <li>
-         <p><span class="code">varnishsizes</span>, which is
--      like <span class="code">varnishhost</span>, but for the length of objects,
-+      like <span class="code">varnishhist</span>, but for the length of objects,
-       has been added..</p>
-       </li>
-     </ul>
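Review bot: the file removed in this hunk is labelled as the auto-generated patch for 2.1.3-8, yet it already carries the `err_code` changes to cnt_start() and a complete r01367.vtc, and the old-side timestamps in the file headers are from 2013-12-09. The debdiff therefore appears to have been taken against a locally rebuilt tree rather than the 2.1.3-8 source in the archive, so for the security change it shows little more than the file rename and the `varnishtest` to `test` line in r01367.vtc. Suggest regenerating it against the archive .dsc before review.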
diff -Nru varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1 varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1
--- varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1	1970-01-01 01:00:00.000000000 +0100
+++ varnish-2.1.3/debian/patches/debian-changes-2.1.3-8+deb6u1	2013-12-09 01:20:46.000000000 +0100
@@ -0,0 +1,208 @@
+Description: Upstream changes introduced in version 2.1.3-8+deb6u1
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
+ .
+   [ Salvatore Bonaccorso ]
+   * Backport upstream security patch.
+     A malformed request could in some configurations lead to Varnish
+     crashing.  CVE-2013-4484 (Closes: #728989)
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Stig Sandbeck Mathisen <ssm@debian.org>
+Bug-Debian: http://bugs.debian.org/728989
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- varnish-2.1.3.orig/bin/varnishd/cache_center.c
++++ varnish-2.1.3/bin/varnishd/cache_center.c
+@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=gree
+ static int
+ cnt_start(struct sess *sp)
+ {
+-	int done;
++	uint16_t err_code;
+ 	char *p;
+-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
++	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
++	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
+ 
+ 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
+ 	AZ(sp->restarts);
+@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp)
+ 	sp->wrk->vcl = NULL;
+ 
+ 	http_Setup(sp->http, sp->ws);
+-	done = http_DissectRequest(sp);
++	err_code = http_DissectRequest(sp);
+ 
+ 	/* If we could not even parse the request, just close */
+-	if (done < 0) {
++	if (err_code == 400)
++		(void)write(sp->fd, r_400, strlen(r_400));
++	if (err_code != 0) {
+ 		sp->step = STP_DONE;
+ 		vca_close_session(sp, "junk");
+ 		return (0);
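Review bot: `done` was an `int` tested with `done < 0`, and `err_code` is now `uint16_t` tested with `!= 0`; if http_DissectRequest() in 2.1.3 can still return a negative value, it is converted to a large unsigned number and the session is closed with no response at all. Unlike the 3.0.2 patch, this backport has no `r_413` branch and no cache_http.c hunk, so please confirm which codes the 2.1.3 parser returns and that the `expect resp.status == 400` case in r01367.vtc passes for that reason.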
+@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp)
+ 	/* Catch original request, before modification */
+ 	HTTP_Copy(sp->http0, sp->http);
+ 
+-	if (done != 0) {
+-		sp->err_code = done;
+-		sp->step = STP_ERROR;
+-		return (0);
+-	}
+-
+ 	sp->doclose = http_DoConnection(sp->http);
+ 
+ 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
+@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp)
+ 	 */
+ 	if (http_GetHdr(sp->http, H_Expect, &p)) {
+ 		if (strcasecmp(p, "100-continue")) {
+-			sp->err_code = 417;
+-			sp->step = STP_ERROR;
++			(void)write(sp->fd, r_417, strlen(r_417));
++			sp->step = STP_DONE;
++			vca_close_session(sp, "junk");
+ 			return (0);
+ 		}
+ 
+ 		/* XXX: Don't bother with write failures for now */
+-		(void)write(sp->fd, r, strlen(r));
++		(void)write(sp->fd, r_100, strlen(r_100));
+ 		/* XXX: When we do ESI includes, this is not removed
+ 		 * XXX: because we use http0 as our basis.  Believed
+ 		 * XXX: safe, but potentially confusing.
+--- varnish-2.1.3.orig/bin/varnishtest/tests/v00014.vtc
++++ varnish-2.1.3/bin/varnishtest/tests/v00014.vtc
+@@ -2,6 +2,7 @@
+ 
+ test "Check req.backend.healthy"
+ 
++# probe will hit this to check healthiness
+ server s1 {
+ 	rxreq
+ 	expect req.url == "/"
+@@ -16,8 +17,8 @@ varnish v1 -vcl {
+ 		.max_connections = 1;
+ 		.probe = {
+ 			.url = "/";
+-			.timeout = 1s;
+-			.interval = 1s;
++			.timeout = 0.1s;
++			.interval = 0.1s;
+ 			.window = 3;
+ 			.threshold = 2;
+ 			.initial = 0;
+@@ -33,25 +34,33 @@ varnish v1 -vcl {
+ 	}
+ } -start
+ 
++# probe runs every 0.1s and needs 2 (threshold) out of the latest 3 (window) to
++# be successful. Make sure this does *not* happen: the first probe would be
++# successful (s1 was started and finished), but let the next one or two to fail
++# (and hence making the backend unhealthy) by idling.
++server s1 -wait
++delay 0.3
++
++# verify that backend is unhealthy as expected
+ client c1 {
+ 	txreq
+ 	rxresp
+ 	expect resp.status == 500
+ } -run
+ 
+-server s1 {
+-	rxreq
+-	expect req.url == "/"
+-	txresp -body "slash"
+-} -start
++# now let three consecutive probe checks to succeed by starting them and
++# waiting for them to finish. This will lead varnish to believe that the
++# backend is healthly. (note that s1 ports are reused)
++server s1 -repeat 3 -start -wait
+ 
+-server s1 {
++# do an actual check with a healthy backend, expecting to get a 200 back
++server s2 {
+ 	rxreq
+ 	expect req.url == "/foo"
+ 	txresp -body "foobar"
+ } -start
+ 
+-client c1 {
++client c2 {
+ 	txreq -url "/foo"
+ 	rxresp
+ 	expect resp.status == 200
+--- /dev/null
++++ varnish-2.1.3/bin/varnishtest/tests/r01367.vtc
+@@ -0,0 +1,30 @@
++test "blank GET"
++
++server s1 {
++	rxreq
++	txresp
++} -start
++
++varnish v1 -vcl+backend { 
++	sub vcl_error {
++		return (restart);
++	}
++} -start
++
++client c1 {
++	send "GET    \nHost: example.com\n\n"
++	rxresp
++	expect resp.status == 400
++} -run
++
++client c1 {
++	txreq -hdr "Expect: Santa-Claus"
++	rxresp
++	expect resp.status == 417
++} -run
++
++client c1 {
++	txreq
++	rxresp
++	expect resp.status == 200
++} -run
+--- varnish-2.1.3.orig/doc/changes-2.1.0-2.1.1.xml
++++ varnish-2.1.3/doc/changes-2.1.0-2.1.1.xml
+@@ -86,7 +86,7 @@
+ 
+     <change type="enh">
+       <para><code>varnishsizes</code>, which is
+-      like <code>varnishhost</code>, but for the length of objects,
++      like <code>varnishhist</code>, but for the length of objects,
+       has been added..</para>
+     </change>
+   </subsystem>
+--- varnish-2.1.3.orig/doc/changes-2.1.1.html
++++ varnish-2.1.3/doc/changes-2.1.1.html
+@@ -74,7 +74,7 @@
+     <ul>
+       <li>
+         <p><span class="code">varnishsizes</span>, which is
+-      like <span class="code">varnishhost</span>, but for the length of objects,
++      like <span class="code">varnishhist</span>, but for the length of objects,
+       has been added..</p>
+       </li>
+     </ul>
diff -Nru varnish-2.1.3/debian/patches/series varnish-2.1.3/debian/patches/series
--- varnish-2.1.3/debian/patches/series	2013-12-09 00:42:11.000000000 +0100
+++ varnish-2.1.3/debian/patches/series	2013-12-09 01:20:46.000000000 +0100
@@ -1 +1 @@
-debian-changes-2.1.3-8
+debian-changes-2.1.3-8+deb6u1
[Message part 4 (text/plain, inline)]
-- 
Stig Sandbeck Mathisen

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 09 Dec 2013 05:36:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 09 Dec 2013 05:36:05 GMT)

Message #50 received at 728989@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>
Cc: 728989@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#728989: Bug#728989: varnish: CVE-2013-4484
Date: Mon, 9 Dec 2013 06:33:31 +0100
Hi Stig,

On Mon, Dec 09, 2013 at 01:22:49AM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Thanks for fixing this with the 3.0.5-1 upload. Could you please also
> > prepare packages for squeeze-security and wheezy-security? I
> > already had a look at wheezy today, attached is proposed debdiff (but
> > not yet tested apart from the testsuite).
> 
> I've prepared:
> 
>  * varnish_2.1.3-8+deb6u1 for squeeze-security
> 
>  * varnish_3.0.2-2+deb7u1 for wheezy-security

Thanks! Could you please upload them to security-master (needs to be
built with -sa as it's the first upload for varnish for both
squeeze-security and wheezy-security).

Btw, I would have preferred for review if the patch could be applied
separately via debian/patches/series (I think also Stable Release
Managers would prefer that way when it will hit pu-NEW ;-)).

The debdiff for squeeze-security does not apply cleanly here on top of
2.1.3-8, due to same changes removed as added; but the diff part for
#728989 for debian-changes-2.1.3-8+deb6u1 looks good.

Thanks for your work on this.

Regards,
Salvatore

Marked as found in versions varnish/2.1.3-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Dec 2013 05:36:08 GMT)

Marked as found in versions varnish/3.0.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Dec 2013 05:36:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 09 Dec 2013 09:15:19 GMT)

Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 09 Dec 2013 09:15:19 GMT)

Message #59 received at 728989@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Stig Sandbeck Mathisen <ssm@debian.org>, 728989@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#728989: Bug#728989: Bug#728989: varnish: CVE-2013-4484
Date: Mon, 09 Dec 2013 10:12:01 +0100
Salvatore Bonaccorso <carnil@debian.org> writes:

> Thanks! Could you please upload them to security-master (needs to be
> built with -sa as it's the first upload for varnish for both
> squeeze-security and wheezy-security).

It will be done.

> Btw, I would have preferred for review if the patch could be applied
> separately via debian/patches/series (I think also Stable Release
> Managers would prefer that way when it will hit pu-NEW ;-)).
>
> The debdiff for squeeze-security does not apply cleanly here on top of
> 2.1.3-8, due to same changes removed as added; but the diff part for
> #728989 for debian-changes-2.1.3-8+deb6u1 looks good.

Handling upstream changes in git, either directly on the packaging
branch or as a patch branch used by debian/source/git-changes, helps
keep this package maintainer sane.

However, I see that it makes the package much harder to review when
looking at debdiffs to verify changes.

Is there anything else I can do to help review changes, when uploading
new changes to *-security?

For example:

* Adding links to the packaging repository:

  Packaging changes for the 2.1.3-8+deb6u1 release in the repository are:

  http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=patch;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b

  (or, with HTML markup)
  http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=commitdiff;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b

* Attaching the output of tag differences from the packaging repository:

    "git log -p debian/2.1.3-8...debian/2.1.3-8+deb6u1"

as a patch instead of, or in addition to, the .dsc debdiff (example
patch attached)?

[varnish_2.1.3-8_to_2.1.3-8+deb6u1.diff (text/x-diff, inline)]
commit c610c398ee802cf83a2bd7bcd91ac3614b3a08b3
Author: Stig Sandbeck Mathisen <ssm@debian.org>
Date:   Mon Dec 9 01:11:13 2013 +0100

    releasing package varnish version 2.1.3-8+deb6u1

diff --git a/debian/changelog b/debian/changelog
index 7f8e103..24348a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
+
+  [ Salvatore Bonaccorso ]
+  * Backport upstream security patch.
+    A malformed request could in some configurations lead to Varnish
+    crashing.  CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <ssm@debian.org>  Mon, 09 Dec 2013 01:19:45 +0100
+
 varnish (2.1.3-8) unstable; urgency=high
 
   * Fix random secret creation on non-Linux kernels (Closes: #596373)
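Review bot: The new changelog entry says "Backport upstream security patch" and names CVE-2013-4484, but gives no pointer to the upstream change being backported. Adding the upstream ticket or commit reference to that line would let whoever reviews the upload match the backport against its source without searching for it.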

commit 5455860bcb2d945c44a43c98026ec2ec77e9b29e
Author: Salvatore Bonaccorso <carnil@debian.org>
Date:   Wed Oct 30 13:48:20 2013 +0100

    Import upstream security patch
    
    A malformed request could in some configurations lead to Varnish
    crashing.  CVE-2013-4484
    
    Git-Dch: Full
    Closes: #728989

diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c
index 3100c42..4407a01 100644
--- a/bin/varnishd/cache_center.c
+++ b/bin/varnishd/cache_center.c
@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=green,weight=4]
 static int
 cnt_start(struct sess *sp)
 {
-	int done;
+	uint16_t err_code;
 	char *p;
-	const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
+	const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
+	const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
 
 	CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
 	AZ(sp->restarts);
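Review bot: The canned `r_400` and `r_417` strings are a bare status line followed by an empty line, with no `Content-Length: 0` or `Connection: close`, so an HTTP/1.1 client can only tell the response is finished when the socket closes. Both call sites in the later hunks close the session immediately after the write, so adding `Connection: close` to the two strings would state that on the wire instead of leaving it implicit.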
@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp)
 	sp->wrk->vcl = NULL;
 
 	http_Setup(sp->http, sp->ws);
-	done = http_DissectRequest(sp);
+	err_code = http_DissectRequest(sp);
 
 	/* If we could not even parse the request, just close */
-	if (done < 0) {
+	if (err_code == 400)
+		(void)write(sp->fd, r_400, strlen(r_400));
+	if (err_code != 0) {
 		sp->step = STP_DONE;
 		vca_close_session(sp, "junk");
 		return (0);
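Review bot: `err_code` is declared `uint16_t`, but the line it replaces tested `done < 0`, so http_DissectRequest() could return a negative value and its prototype is not touched by the hunks shown here. A negative return still becomes non-zero after the conversion and reaches the close, but that depends on implicit narrowing; either change the function's return type in the same patch or keep an `int` and test it explicitly. Note also that for any non-zero value other than 400 the client is disconnected with no response, which the retained "just close" comment no longer fully describes.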
@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp)
 	/* Catch original request, before modification */
 	HTTP_Copy(sp->http0, sp->http);
 
-	if (done != 0) {
-		sp->err_code = done;
-		sp->step = STP_ERROR;
-		return (0);
-	}
-
 	sp->doclose = http_DoConnection(sp->http);
 
 	/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
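Review bot: Nothing remaining in cnt_start() documents why the deleted `sp->step = STP_ERROR` branch must not come back. With it gone, a request that failed to parse can no longer reach the error step, which is the situation the new r01367.vtc test sets up with `return (restart)` in vcl_error. A one-line comment at the early close path saying that parse failures are answered and closed here, before any VCL runs, would keep a later refactor from reintroducing the path.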
@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp)
 	 */
 	if (http_GetHdr(sp->http, H_Expect, &p)) {
 		if (strcasecmp(p, "100-continue")) {
-			sp->err_code = 417;
-			sp->step = STP_ERROR;
+			(void)write(sp->fd, r_417, strlen(r_417));
+			sp->step = STP_DONE;
+			vca_close_session(sp, "junk");
 			return (0);
 		}
 
 		/* XXX: Don't bother with write failures for now */
-		(void)write(sp->fd, r, strlen(r));
+		(void)write(sp->fd, r_100, strlen(r_100));
 		/* XXX: When we do ESI includes, this is not removed
 		 * XXX: because we use http0 as our basis.  Believed
 		 * XXX: safe, but potentially confusing.
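Review bot: The 417 branch closes with `vca_close_session(sp, "junk")`, the same reason string the parse-failure path uses, so a well-formed request carrying an unsupported Expect header cannot be told apart from an unparsable one by its close reason. A distinct reason string for this branch would make the two cases separable in the logs. The `write()` of `r_417` also discards its result, which should at least be covered by the existing "Don't bother with write failures" XXX comment now sitting below it.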
diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc
new file mode 100644
index 0000000..c576e0b
--- /dev/null
+++ b/bin/varnishtest/tests/r01367.vtc
@@ -0,0 +1,30 @@
+test "blank GET"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend { 
+	sub vcl_error {
+		return (restart);
+	}
+} -start
+
+client c1 {
+	send "GET    \nHost: example.com\n\n"
+	rxresp
+	expect resp.status == 400
+} -run
+
+client c1 {
+	txreq -hdr "Expect: Santa-Claus"
+	rxresp
+	expect resp.status == 417
+} -run
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
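Review bot: The test title "blank GET" describes only the first client block, while the file also asserts the 417 answer for `Expect: Santa-Claus` and a normal 200 afterwards; a short comment above each block, and one on `vcl_error { return (restart); }` saying this is the configuration under which the malformed request has to be rejected early, would record the intent. All three client blocks are named c1, which is accepted but makes it harder to see which block failed in the varnishtest output.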
[Message part 3 (text/plain, inline)]
-- 
Stig Sandbeck Mathisen

Information forwarded to debian-bugs-dist@lists.debian.org, Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>:
Bug#728989; Package varnish. (Mon, 09 Dec 2013 10:09:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>. (Mon, 09 Dec 2013 10:09:05 GMT)

Message #64 received at 728989@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>
Cc: 728989@bugs.debian.org, team@security.debian.org
Subject: Re: [Pkg-varnish-devel] Bug#728989: Bug#728989: Bug#728989: varnish: CVE-2013-4484
Date: Mon, 9 Dec 2013 11:04:52 +0100
Hi,

On Mon, Dec 09, 2013 at 10:12:01AM +0100, Stig Sandbeck Mathisen wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Thanks! Could you please upload them to security-master (needs to be
> > built with -sa as it's the first upload for varnish for both
> > squeeze-security and wheezy-security).
> 
> It will be done.

Thanks! (will release the DSA later hopefully when all builds are
done).

> > Btw, I would have preferred for review if the patch could be applied
> > separately via debian/patches/series (I think also Stable Release
> > Managers would prefer that way when it will hit pu-NEW ;-)).
> >
> > The debdiff for squeeze-security does not apply cleanly here on top of
> > 2.1.3-8, due to same changes removed as added; but the diff part for
> > #728989 for debian-changes-2.1.3-8+deb6u1 looks good.
> 
> Handling upstream changes in git, either directly on the packaging
> branch or as a patch branch used by debian/source/git-changes, helps
> keep this package maintainer sane.
> 
> However, I see that it makes the package much harder to review when
> looking at debdiffs to verify changes.
> 
> Is there anything else I can do to help review changes, when uploading
> new changes to *-security?

Yes, I understand that. I think there is simply the problem here as the
package uses 3.0 (quilt) source package format, but unifies the whole
diff in a single debian-changes-$version (and this changes its name
for each version).

Don't worry though. If you can also add the relevant patches in
addition to the debdiff this will help.

My problem with the above was also primarily as the debdiff sent did
not apply on top of 2.1.3-8, when unpacking the source and applying
the debdiff.

Regards,
Salvatore



Reply sent to Stig Sandbeck Mathisen <ssm@debian.org>:
You have taken responsibility. (Sat, 14 Dec 2013 12:51:10 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 14 Dec 2013 12:51:11 GMT)

Message #69 received at 728989-close@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: 728989-close@bugs.debian.org
Subject: Bug#728989: fixed in varnish 3.0.2-2+deb7u1
Date: Sat, 14 Dec 2013 12:49:45 +0000
Source: varnish
Source-Version: 3.0.2-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stig Sandbeck Mathisen <ssm@debian.org> (supplier of updated varnish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon,  9 Dec 2013 14:55:33 CET
Source: varnish
Binary: varnish varnish-doc libvarnishapi1 libvarnishapi-dev varnish-dbg
Architecture: source amd64 all
Version: 3.0.2-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>
Changed-By: Stig Sandbeck Mathisen <ssm@debian.org>
Description: 
 libvarnishapi-dev - development files for Varnish
 libvarnishapi1 - shared libraries for Varnish
 varnish    - state of the art, high-performance web accelerator
 varnish-dbg - debugging symbols for varnish
 varnish-doc - documentation for Varnish Cache
Closes: 728989
Changes: 
 varnish (3.0.2-2+deb7u1) wheezy-security; urgency=high
 .
   * Import upstream security patch.
     A malformed request could in some configurations lead to Varnish
     crashing.  CVE-2013-4484 (Closes: #728989)




Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Mon, 06 Jan 2014 22:51:09 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 06 Jan 2014 22:51:09 GMT)

Message #74 received at 728989-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 728989-close@bugs.debian.org
Subject: Bug#728989: fixed in varnish 2.1.3-8+deb6u2
Date: Mon, 06 Jan 2014 22:48:35 +0000
Source: varnish
Source-Version: 2.1.3-8+deb6u2

We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated varnish package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 15 Dec 2013 10:47:47 +0100
Source: varnish
Binary: varnish libvarnish1 libvarnish-dev
Architecture: source i386
Version: 2.1.3-8+deb6u2
Distribution: squeeze
Urgency: high
Maintainer: Varnish Package Maintainers <pkg-varnish-devel@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 libvarnish-dev - development files for Varnish
 libvarnish1 - shared libraries for Varnish
 varnish    - a state-of-the-art, high-performance HTTP accelerator
Closes: 728989
Changes: 
 varnish (2.1.3-8+deb6u2) squeeze; urgency=low
 .
   * Changeless upload to use the .orig tarball as found in ftp-master.
 .
 varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
 .
   [ Salvatore Bonaccorso ]
   * Backport upstream security patch.
     A malformed request could in some configurations lead to Varnish
     crashing.  CVE-2013-4484 (Closes: #728989)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Feb 2014 07:31:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:40:30 2014; Machine Name: buxtehude.debian.org
