[CVE] Correctly handle bogusly large chunk sizes

Bug #1708354 reported by Poil
This bug affects 6 people
Affects            Status        Importance  Assigned to     Milestone
varnish (Ubuntu)   Fix Released  Undecided   Unassigned
Xenial             Fix Released  Medium      Simon Quigley
Zesty              Fix Released  Medium      Simon Quigley

Bug Description

https://varnish-cache.org/security/VSV00001.html

CVE-2017-12425

Date: 2017-08-02

A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert.

This causes the varnishd worker process to abort and restart, losing the cached contents in the process.

An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack.

Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.

Versions affected

    4.0.1 to 4.0.4
    4.1.0 to 4.1.7
    5.0.0
    5.1.0 to 5.1.2
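As an added illustration (not Varnish's own source or the upstream patch), the C parser below shows the defensive shape the fix title describes: a chunk-size header parser that treats a bogusly large hex size as a malformed request instead of letting the accumulator overflow into a state an assert() would turn into a worker crash. The function names and status codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status codes loosely modelled on Varnish's VFP results; illustrative code, not Varnish's own. */
enum chunk_status { CHUNK_OK = 0, CHUNK_BAD_REQUEST = -1, CHUNK_NEED_MORE = -2 };

static int hexval(char c)
{
	if (c >= '0' && c <= '9') return (c - '0');
	if (c >= 'a' && c <= 'f') return (c - 'a' + 10);
	if (c >= 'A' && c <= 'F') return (c - 'A' + 10);
	return (-1);
}

/*
 * Parse a chunk header "<hex-size>[;extension]\r\n" from buf[0..len).
 * The overflow check runs BEFORE each shift, so the accumulator can never wrap
 * negative: an oversized size is a malformed request, never a state an assert() trips on.
 */
enum chunk_status
parse_chunk_size(const char *buf, size_t len, size_t *consumed, int64_t *size)
{
	int64_t cll = 0; size_t i = 0; int d, ndigits = 0;

	for (; i < len && (d = hexval(buf[i])) >= 0; i++, ndigits++) {
		if (cll > (INT64_MAX >> 4))
			return (CHUNK_BAD_REQUEST);	/* next digit would overflow */
		cll = (cll << 4) | d;
	}
	if (i < len && ndigits == 0)
		return (CHUNK_BAD_REQUEST);		/* no hex digits at all */
	while (i < len && buf[i] != '\r' && buf[i] != '\n')
		i++;				/* skip any chunk-extension */
	if (i >= len || (buf[i] == '\r' && i + 1 >= len))
		return (CHUNK_NEED_MORE);		/* line terminator not seen yet */
	if (buf[i] != '\r' || buf[i + 1] != '\n')
		return (CHUNK_BAD_REQUEST);		/* bare LF or junk is rejected */
	*consumed = i + 2;
	*size = cll;
	return (CHUNK_OK);
}

/* Convenience wrapper for a NUL-terminated header: the size, or the negative status code. */
int64_t chunk_size_of(const char *line)
{
	size_t used; int64_t sz;
	enum chunk_status st = parse_chunk_size(line, strlen(line), &used, &sz);
	return (st == CHUNK_OK ? sz : (int64_t)st);
}
```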

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in varnish (Ubuntu):
status: New → Incomplete
Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Revision history for this message
Poil (poil) wrote : Re: VSV00001 DoS vulnerability
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hello! The location of the upstream fix is not sufficient. A member of the community (hopefully yourself) will need to prepare and test Ubuntu security updates for this issue. Please review the UpdateProcedures wiki page linked to in comment #1. Thank you!

Simon Quigley (tsimonq2)
Changed in varnish (Ubuntu):
status: Incomplete → Opinion
status: Opinion → In Progress
description: updated
Simon Quigley (tsimonq2)
Changed in varnish (Ubuntu):
status: In Progress → Fix Released
Changed in varnish (Ubuntu Xenial):
status: New → In Progress
Changed in varnish (Ubuntu Zesty):
status: New → In Progress
Changed in varnish (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in varnish (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Zesty applicable to 5.0.0-7.

summary: - VSV00001 DoS vulnerability
+ [CVE] Correctly handle bogusly large chunk sizes
Revision history for this message
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Xenial applicable to 4.1.1-1.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Packages are building in the security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages -- please test. Local builds showed some symbols being removed, which I don't understand:

./usr/lib/x86_64-linux-gnu/libvarnishapi.so.1.0.4:
-__isnan U

./usr/lib/x86_64-linux-gnu/varnish/vmods/libvmod_std.so:
-__finite U
-__isnan U

Thanks

Revision history for this message
Poil (poil) wrote :

No need to patch 3.x the code is not exposed.

Best regards

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi Simon,

The xenial i386 package failed to build in the PPA. I suspect you need to add the following patch:

https://github.com/varnishcache/varnish-cache/commit/54b5a09f00c027da280361b30d32a4ff309ba3ab

See the upstream bug:

https://github.com/varnishcache/varnish-cache/issues/1875

Could you please fix the i386 build and submit a new debdiff?

Thanks!

Revision history for this message
Simon Quigley (tsimonq2) wrote :

Hey Marc, thanks for the tip!

Attached is an updated Xenial debdiff for you.

Thanks!

Revision history for this message
Simon Quigley (tsimonq2) wrote :

09:46:28 PM < sarnold> tsimonq2: I'm sorry to bug you about it immediately, but could you split that out into a second patch in the debdiff? that'll make it easier to revert one or the other if the need should arise in the future
09:47:00 PM < sarnold> if they were squashed from upstream, that'd be fine, but in this case they probably weren't :)

Here's a follow-up debdiff for Xenial addressing that.

Thanks for pointing it out, Seth!

Steve Beattie (sbeattie)
Changed in varnish (Ubuntu Xenial):
importance: Undecided → Medium
Changed in varnish (Ubuntu Zesty):
importance: Undecided → Medium
Simon Quigley (tsimonq2)
Changed in varnish (Ubuntu Zesty):
status: In Progress → Fix Committed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #10. I uploaded it with the revision number bumped and with the second patch added to the changelog. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 5.0.0-7ubuntu0.1

---------------
varnish (5.0.0-7ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354)
    - 5.0-Correctly-handle-bogusly-large-chunk-sizes.patch
    - CVE-2017-12425

 -- Simon Quigley <email address hidden> Mon, 07 Aug 2017 12:57:31 -0500

Changed in varnish (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 4.1.1-1ubuntu0.2

---------------
varnish (4.1.1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354)
    - 4.1-Correctly-handle-bogusly-large-chunk-sizes.patch
    - fix-ftbfs-on-i386-54b5a0.patch
    - CVE-2017-12425

 -- Simon Quigley <email address hidden> Mon, 07 Aug 2017 13:15:51 -0500

Changed in varnish (Ubuntu Xenial):
status: In Progress → Fix Released