Hi Ola
(thanks for the ping, I almost missed it)
On 10/06/24 10:35 PM, Ola Lundqvist wrote:
> Hi Abhijith
>
> I had a brief look at varnish that you have worked on to figure out
> what the state of the package is.
>
> In buster I can see the following CVEs.
> CVE-2024-30156 - ignored in bullseye and bookworm because it is too
> intrusive to backport
> CVE-2023-44487 - ignored in bullseye and bookworm because it is too
> intrusive to backport
> CVE-2019-20637 - looks like it can be backported
>
> My question to you is which issue you have tried to address? Is it
> CVE-2019-20637?
> Only?
>
> If only that, is there any particular reason why CVE-2024-30156 and
> CVE-2023-44487 have not been ignored for buster as well?
If I remember correctly, CVE-2024-30156 was very intrusive. But I
didn't mark it likewise as I wanted to give it a try after the other fixes.
CVE-2023-44487, I did port the upstream fixes. But the tests were failing.
https://people.debian.org/~abhijith/reports/LTS_ELTS-Decemeber-2023.txt
CVE-2019-20637, I have a patch locally on my machine. But I am not
sure whether it's complete and atm I don't have access to a proper machine
to build. Patch attached to the mail.
--abhijith
Description: CVE-2019-20637
Origin: https://github.com/varnishcache/varnish-cache/commit/bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c
Forwarded: not-needed
Last-Update: 2023-11-29
--- varnish-6.1.1.orig/bin/varnishd/cache/cache_req_fsm.c
+++ varnish-6.1.1/bin/varnishd/cache/cache_req_fsm.c
@@ -819,6 +819,8 @@ cnt_recv_prep(struct req *req, const cha
req->vdc->retval = 0;
req->is_hit = 0;
+ req->err_code = 0;
+ req->err_reason = NULL;
}
/*--------------------------------------------------------------------
* We have a complete request, set everything up and start it.
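Review bot: this hunk clears req->err_code and req->err_reason only in cnt_recv_prep(), so the fix depends on that function running before any later synth is built for the same request; since the cover mail says the patch may be incomplete, diff it against the Origin commit bd7b3d6d47ccbb5e1747126f8e2a297f38e56b8c to confirm that no other hunk of the upstream fix was dropped, and build 6.1.1 with the accompanying f00004.vtc (restart, backend error via abandon, and the vcl(label) switch) before uploading. Resetting err_reason to NULL is the right value: otherwise the field keeps pointing at a workspace string left by an earlier synth(), which is exactly the stale "supersecret" reason the test checks is not reused. The DEP-3 header would also benefit from saying this in its Description line (e.g. "Description: CVE-2019-20637 (VSV00004): reset req->err_code/err_reason at request setup so a stale synth reason is not leaked") rather than only the CVE id.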
--- /dev/null
+++ varnish-6.1.1/bin/varnishtest/tests/f00004.vtc
@@ -0,0 +1,98 @@
+varnishtest "VSV00004"
+
+server s1 {
+ rxreq
+ expect req.url == /test1
+ txresp
+
+ rxreq
+ expect req.url == /test2
+ send "bogus\r\n\r\n"
+ expect_close
+
+ accept
+ rxreq
+ expect req.url == /test3
+ txresp
+} -start
+
+varnish v1 -arg "-p debug=+syncvsl" -arg "-p max_restarts=0" -vcl+backend {
+ import vtc;
+
+ sub vcl_recv {
+ if (req.url == "/prime") {
+ # Avoid allocations at start of workspace so
+ # that test string is not overwritten
+ vtc.workspace_alloc(client, 1024);
+
+ set req.http.temp = "super";
+ set req.http.secret = req.http.temp + "secret";
+ return (synth(200, req.http.secret));
+ }
+ }
+ sub vcl_deliver {
+ if (req.url == "/test1") {
+ return (restart);
+ }
+ }
+ sub vcl_backend_error {
+ return (abandon);
+ }
+} -start
+
+# Case 1
+client c1 {
+ txreq -url /prime
+ rxresp
+ expect resp.status == 200
+ expect resp.reason == supersecret
+
+ txreq -url /test1
+ rxresp
+ expect resp.status == 503
+ expect resp.reason != supersecret
+ expect resp.reason == "Service Unavailable"
+} -run
+
+# Case 2
+client c2 {
+ txreq -url /prime
+ rxresp
+ expect resp.status == 200
+ expect resp.reason == supersecret
+
+ txreq -url /test2
+ rxresp
+ expect resp.status == 503
+ expect resp.reason != supersecret
+ expect resp.reason == "Service Unavailable"
+} -run
+
+# Case 3
+varnish v1 -cliok "vcl.label label1 vcl1"
+varnish v1 -cliok "param.reset max_restarts"
+varnish v1 -vcl+backend {
+ sub vcl_recv {
+ if (req.url == "/prime") {
+ return (vcl(label1));
+ }
+ if (req.restarts > 0) {
+ return (vcl(label1));
+ }
+ }
+ sub vcl_deliver {
+ return (restart);
+ }
+}
+client c3 {
+ txreq -url /prime
+ rxresp
+ expect resp.status == 200
+ expect resp.reason == supersecret
+
+ txreq -url /test3
+ rxresp
+ expect resp.status == 503
+ expect resp.reason != supersecret
+ expect resp.reason == "Service Unavailable"
+} -run
\ No newline at end of file
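Review bot: the new test file is added without a trailing newline ("\ No newline at end of file"); add one so it matches the upstream f00004.vtc and does not get flagged by diff/git. Case 3 relies on the vcl.label and param.reset CLI commands and on vtc.workspace_alloc from the vtc vmod being available to varnishtest in 6.1.1, so check that the buster build installs vmod_vtc for the test suite; running all three cases (restart after /test1, backend error on /test2 with abandon, and the vcl(label1) switch for /test3) is what will tell you whether the single cache_req_fsm.c hunk is sufficient, which is the open question in the cover mail.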