!89 [sync] PR-83: Update to 7.4.3 for fix CVE-2024-30156

From: @openeuler-sync-bot 
Reviewed-by: @wu-leilei 
Signed-off-by: @wu-leilei

CVE-2022-23959.patch

@@ -1,28 +0,0 @@
-From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland <martin@varnish-software.com>
-Date: Fri, 17 Dec 2021 22:10:16 +0100
-Subject: [PATCH] Mark req doclose when failing to ignore req body
-
-Previously we would ignore errors to iterate the request body into
-oblivion in VRB_Ignore(), keeping the connection open. This opens an
-out-of-sync vulnerability on H/1 connections.
-
-This patch tests the status of the request body in VRB_Ignore(), marking
-the request failed and that it should be closed on errors.
----
- bin/varnishd/cache/cache_req_body.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 6391f928d6..5ffd08b77d 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- 	if (req->req_body_status->avail > 0)
- 		(void)VRB_Iterate(req->wrk, req->vsl, req,
- 		    httpq_req_body_discard, NULL);
-+	if (req->req_body_status == BS_ERROR)
-+		req->doclose = SC_RX_BODY;
- 	return (0);
- }
- 

CVE-2022-38150.patch

@@ -1,72 +0,0 @@
-From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland <martin@varnish-software.com>
-Date: Thu, 4 Aug 2022 10:59:33 +0200
-Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
-
-In http_EstimateWS(), all headers are passed to the http_isfiltered()
-function to calculate how many bytes is needed to serialize the entire
-struct http. http_isfiltered() will check the headers for whether they are
-going to be filtered out later and if so skip them.
-
-However http_isfiltered() would attempt to treat all elements of struct
-http as regular headers with an implicit structure. That does not hold for
-the first three pseudo-header entries, which would lead to asserts in
-later steps.
-
-This patch skips the filter step for pseudo-headers.
-
-Fixes: #3830
----
- bin/varnishd/cache/cache_http.c  |  2 ++
- bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
- create mode 100644 bin/varnishtest/tests/r03830.vtc
-
-diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
-index ed15e07f9e..d48c0bb366 100644
---- a/bin/varnishd/cache/cache_http.c
-+++ b/bin/varnishd/cache/cache_http.c
-@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
- 
- 	if (fm->hdf[u] & HDF_FILTER)
- 		return (1);
-+	if (u < HTTP_HDR_FIRST)
-+		return (0);
- 	e = strchr(fm->hd[u].b, ':');
- 	if (e == NULL)
- 		return (0);
-diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
-new file mode 100644
-index 0000000000..5155981923
---- /dev/null
-+++ b/bin/varnishtest/tests/r03830.vtc
-@@ -0,0 +1,29 @@
-+varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
-+
-+server s1 {
-+	rxreq
-+	txresp -reason ":x"
-+
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -vcl+backend {
-+	sub vcl_recv {
-+		return (hash);
-+	}
-+} -start
-+
-+client c1 {
-+	txreq
-+	rxresp
-+	expect resp.status == 200
-+} -run
-+
-+client c2 {
-+	txreq -url :x -method :x
-+	rxresp
-+	expect resp.status == 200
-+} -run
-+
-+varnish v1 -vsl_catchup

CVE-2022-45060.patch

@@ -1,207 +0,0 @@
-From 515a93df894430767073ccd8265497b6b25b54b5 Mon Sep 17 00:00:00 2001
-From: Asad Sajjad Ahmed <asadsa@varnish-software.com>
-Date: Fri, 30 Sep 2022 14:42:53 +0200
-Subject: [PATCH] hpack: fix pseudo-headers handling
-
-We should apply the same restrictions on the list of allowed characters inside
-H/2 pseudo-headers as we do for H/1. This error is translated into the
-headers we send to a backend over H/1.
-
-Failure to do so could permit various exploits against a backend not handling
-malformed H/1 requests.
-
-Signed-off-by: Asad Sajjad Ahmed <asadsa@varnish-software.com>
----
- bin/varnishd/http2/cache_http2_hpack.c | 35 +++++++++++++++++++
- bin/varnishtest/tests/t02023.vtc       | 48 ++++++++++++++++++++++++++
- bin/varnishtest/tests/t02024.vtc       | 48 ++++++++++++++++++++++++++
- 3 files changed, 131 insertions(+)
- create mode 100644 bin/varnishtest/tests/t02023.vtc
- create mode 100644 bin/varnishtest/tests/t02024.vtc
-
-diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
-index 6e67b55c50..f58788b126 100644
---- a/bin/varnishd/http2/cache_http2_hpack.c
-+++ b/bin/varnishd/http2/cache_http2_hpack.c
-@@ -96,13 +96,18 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- {
- 	/* XXX: This might belong in cache/cache_http.c */
- 	const char *b0;
-+	int disallow_empty;
- 	unsigned n;
-+	char *p;
-+	int i;
- 
- 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
- 	AN(b);
- 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
- 	assert(namelen <= len);
- 
-+	disallow_empty = 0;
-+
- 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
- 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
- 		return (H2SE_ENHANCE_YOUR_CALM);
-@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_METHOD;
-+			disallow_empty = 1;
-+
-+			/* First field cannot contain SP or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":path: ", namelen)) {
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_URL;
-+			disallow_empty = 1;
-+
-+			/* Second field cannot contain LWS or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_islws(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":scheme: ", namelen)) {
- 			/* XXX: What to do about this one? (typically
- 			   "http" or "https"). For now set it as a normal
-@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b++;
- 			len-=1;
- 			n = hp->nhd;
-+
-+			for (p = b + namelen, i = 0; i < len-namelen;
-+			    p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
-+
-+			if (!i)
-+				return (H2SE_PROTOCOL_ERROR);
- 		} else if (!strncmp(b, ":authority: ", namelen)) {
- 			b+=6;
- 			len-=6;
-@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 	hp->hd[n].b = b;
- 	hp->hd[n].e = b + len;
- 
-+	if (disallow_empty && !Tlen(hp->hd[n])) {
-+		VSLb(hp->vsl, SLT_BogoHeader,
-+		    "Empty pseudo-header %.*s",
-+		    (int)namelen, b0);
-+		return (H2SE_PROTOCOL_ERROR);
-+	}
-+
- 	return (0);
- }
- 
-diff --git a/bin/varnishtest/tests/t02023.vtc b/bin/varnishtest/tests/t02023.vtc
-new file mode 100644
-index 0000000000..cfd843da3e
---- /dev/null
-+++ b/bin/varnishtest/tests/t02023.vtc
-@@ -0,0 +1,48 @@
-+varnishtest "Empty pseudo-headers"
-+
-+server s1 {
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -arg "-p feature=+http2" -vcl+backend {
-+} -start
-+
-+client c1 {
-+	txreq -url ""
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	txreq -req ""
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	txreq -proto ""
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -url ""
-+		rxrst
-+	} -run
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -scheme ""
-+		rxrst
-+	} -run
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -req ""
-+		rxrst
-+	} -run
-+} -run
-diff --git a/bin/varnishtest/tests/t02024.vtc b/bin/varnishtest/tests/t02024.vtc
-new file mode 100644
-index 0000000000..0d0a1abc5d
---- /dev/null
-+++ b/bin/varnishtest/tests/t02024.vtc
-@@ -0,0 +1,48 @@
-+varnishtest "Garbage pseudo-headers"
-+
-+server s1 {
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -arg "-p feature=+http2" -vcl+backend {
-+} -start
-+
-+client c1 {
-+	txreq -url " "
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	txreq -req " "
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	txreq -proto " "
-+	rxresp
-+	expect resp.status == 400
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -url " "
-+		rxrst
-+	} -run
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -scheme " "
-+		rxrst
-+	} -run
-+} -run
-+
-+client c1 {
-+	stream 1 {
-+		txreq -req " "
-+		rxrst
-+	} -run
-+} -run

fix-varnish-devel-installation-failure.patch

@@ -63,16 +63,6 @@ index 0eb77c5..6b3af4d 100755
  #
  # Copyright (c) 2010-2016 Varnish Software
  # All rights reserved.
-diff --git a/lib/libvcc/vsctool.py b/lib/libvcc/vsctool.py
-index 9df1dc4..82c8f33 100755
---- a/lib/libvcc/vsctool.py
-+++ b/lib/libvcc/vsctool.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python3
-+#!/usr/bin/python3
- # -*- encoding: utf-8 -*-
- #
- # Copyright (c) 2017 Varnish Software AS
 diff --git a/wflags.py b/wflags.py
 index 9e9e4e9..90605a2 100644
 --- a/wflags.py

fix-varnish.service-reload-failed.patch

@@ -0,0 +1,25 @@
+From eac670ac734d814b466cbbf5e9b68625735438e5 Mon Sep 17 00:00:00 2001
+From: caodongxia <315816521@qq.com>
+Date: Fri, 18 Feb 2022 16:21:18 +0800
+Subject: [PATCH] fix varnish.service reload failed
+
+---
+ .../systemd/varnish.service                                     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg-varnish-cache-0ad2f22629c4a368959c423a19e352c9c6c79682/systemd/varnish.service b/pkg-varnish-cache-0ad2f22629c4a368959c423a19e352c9c6c79682/systemd/varnish.service
+index c06c36b..6c65124 100644
+--- a/pkg-varnish-cache-0ad2f22629c4a368959c423a19e352c9c6c79682/systemd/varnish.service
++++ b/pkg-varnish-cache-0ad2f22629c4a368959c423a19e352c9c6c79682/systemd/varnish.service
+@@ -22,7 +22,7 @@ TasksMax=infinity
+ LimitCORE=infinity
+ 
+ ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m
+-ExecReload=/usr/sbin/varnishreload
++ExecReload=/usr/sbin/varnishreload /etc/varnish/default.vcl
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.27.0
+

varnish.spec

@@ -1,21 +1,17 @@
-%global debug_package %{nil}
 %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 
 Name:             varnish
 Summary:          A web application accelerator
-Version:          7.0.1
-Release:          6
-License:          BSD
+Version:          7.4.3
+Release:          1
+License:          BSD-2-Clause
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 
 # https://github.com/varnishcache/pkg-varnish-cache
 Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001:        fix-varnish-devel-installation-failure.patch
-#https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
-Patch0002:        CVE-2022-23959.patch
-Patch0003:        CVE-2022-38150.patch
-Patch0004:        CVE-2022-45060.patch
+Patch0002:        fix-varnish.service-reload-failed.patch
 
 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre2-devel libedit-devel gcc
@@ -144,7 +140,8 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %config(noreplace) %{_sysconfdir}/varnish/default.vcl
 %config(noreplace) %{_sysconfdir}/logrotate.d/varnish
 %config %{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
-
+%exclude /usr/lib/debug/*
+%exclude /usr/src/debug/*
 %{_unitdir}/varnish.service
 %{_unitdir}/varnishncsa.service
 
@@ -163,6 +160,21 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 
 %changelog
+* Mon Mar 25 2024 zhangxingrong <zhangxingrong@uniontech.com> - 7.4.3-1
+- Update to 7.4.3 for fix CVE-2024-30156
+
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 7.4.2-1
+- Update to 7.4.2 for fix CVE-2023-44487
+
+* Tue Dec 12 2023 wangkai <13474090681@163.com> - 7.0.1-9
+- Fix CVE-2022-45059
+
+* Tue Dec 06 2022 wangkai <wangkai385@h-partners.com> - 7.0.1-8
+- Fix strip safe compile options
+
+* Tue Nov 29 2022 caodongxia <caodongxia@huawei.com> - 7.0.1-7
+- Fix varnish.service reload failed due to miss conf
+
 * Tue Nov 22 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-6
 - Fix CVE-2022-45060