!49 Fix CVE-2022-38150

From: @peng2285 Reviewed-by: @gitee-cmd Signed-off-by: @gitee-cmd
2022-08-24 02:54:31 +00:00 · 2022-08-24 02:54:31 +00:00 · 08d27cfac5
commit 08d27cfac5
parent 59bcd8523f d05ea05cf6
2 changed files with 77 additions and 1 deletions
--- a/CVE-2022-38150.patch
+++ b/CVE-2022-38150.patch
@ -0,0 +1,72 @@
+From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland <martin@varnish-software.com>
+Date: Thu, 4 Aug 2022 10:59:33 +0200
+Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
+
+In http_EstimateWS(), all headers are passed to the http_isfiltered()
+function to calculate how many bytes is needed to serialize the entire
+struct http. http_isfiltered() will check the headers for whether they are
+going to be filtered out later and if so skip them.
+
+However http_isfiltered() would attempt to treat all elements of struct
+http as regular headers with an implicit structure. That does not hold for
+the first three pseudo-header entries, which would lead to asserts in
+later steps.
+
+This patch skips the filter step for pseudo-headers.
+
+Fixes: #3830
+---
+ bin/varnishd/cache/cache_http.c  |  2 ++
+ bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 bin/varnishtest/tests/r03830.vtc
+
+diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
+index ed15e07f9e..d48c0bb366 100644
+--- a/bin/varnishd/cache/cache_http.c
+++ b/bin/varnishd/cache/cache_http.c
+@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
+ 
+ 	if (fm->hdf[u] & HDF_FILTER)
+ 		return (1);
+	if (u < HTTP_HDR_FIRST)
+		return (0);
+ 	e = strchr(fm->hd[u].b, ':');
+ 	if (e == NULL)
+ 		return (0);
+diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
+new file mode 100644
+index 0000000000..5155981923
+--- /dev/null
+++ b/bin/varnishtest/tests/r03830.vtc
+@@ -0,0 +1,29 @@
+varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
+
+server s1 {
+	rxreq
+	txresp -reason ":x"
+
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+	sub vcl_recv {
+		return (hash);
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 200
+} -run
+
+client c2 {
+	txreq -url :x -method :x
+	rxresp
+	expect resp.status == 200
+} -run
+
+varnish v1 -vsl_catchup
--- a/varnish.spec
+++ b/varnish.spec
@ -3,7 +3,7 @@
 Name:             varnish
 Summary:          A web application accelerator
 Version:          7.0.1
-Release:          3
+Release:          4
 License:          BSD
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@ -13,6 +13,7 @@ Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2
 Patch0001:        fix-varnish-devel-installation-failure.patch
 #https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
 Patch0002:        CVE-2022-23959.patch
+Patch0003:        CVE-2022-38150.patch

 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre2-devel libedit-devel gcc
@ -160,6 +161,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*

 %changelog
+* Tue Aug 23 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-4
+- Fix CVE-2022-38150
+
 * Tue Apr 26 2022 yaoxin <yaoxin30@h-partners.com> - 7.0.1-3
 - Fix CVE-2022-23959