diff -Nru varnish-4.1.1/debian/changelog varnish-4.1.1/debian/changelog --- varnish-4.1.1/debian/changelog 2016-01-28 14:22:16.000000000 -0600 +++ varnish-4.1.1/debian/changelog 2017-08-07 13:15:51.000000000 -0500 @@ -1,3 +1,11 @@ +varnish (4.1.1-1ubuntu0.1) xenial-security; urgency=medium + + * SECURITY UPDATE: Correctly handle bogusly large chunk sizes (LP: #1708354) + - 4.1-Correctly-handle-bogusly-large-chunk-sizes.patch + - CVE-2017-12425 + + -- Simon Quigley Mon, 07 Aug 2017 13:15:51 -0500 + varnish (4.1.1-1) unstable; urgency=medium * Imported upstream release 4.1.1 diff -Nru varnish-4.1.1/debian/control varnish-4.1.1/debian/control --- varnish-4.1.1/debian/control 2016-01-28 14:05:42.000000000 -0600 +++ varnish-4.1.1/debian/control 2017-08-07 13:15:51.000000000 -0500 @@ -1,7 +1,8 @@ Source: varnish Section: web Priority: optional -Maintainer: Varnish Package Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Varnish Package Maintainers Uploaders: Jan Wagner , Lars Bahner , diff -Nru varnish-4.1.1/debian/patches/4.1-Correctly-handle-bogusly-large-chunk-sizes.patch varnish-4.1.1/debian/patches/4.1-Correctly-handle-bogusly-large-chunk-sizes.patch --- varnish-4.1.1/debian/patches/4.1-Correctly-handle-bogusly-large-chunk-sizes.patch 1969-12-31 18:00:00.000000000 -0600 +++ varnish-4.1.1/debian/patches/4.1-Correctly-handle-bogusly-large-chunk-sizes.patch 2017-08-07 13:15:51.000000000 -0500 
@@ -0,0 +1,82 @@ +Description: Correctly handle bogusly large chunk sizes. + This fixes a denial of service attack vector where bogusly large chunk + sizes in requests could be used to force restarts of the Varnish + server. + . + This is Varnish Security Vulnerability VSV00001. + . + This also includes a fix for a bug when building on i386 that was introduced + by this patch (commit 54b5a09). + . + This fixes CVE-2017-12425. +Author: Martin Blix Grydeland +Origin: upstream +Bug: https://varnish-cache.org/security/VSV00001 +Bug-Ubuntu: https://pad.lv/1708354 +Applied-Upstream: c37821d, 54b5a09 +Last-Update: 2017-08-11 +--- /dev/null ++++ b/bin/varnishtest/tests/f00001.vtc +@@ -0,0 +1,40 @@ ++varnishtest "Check that we handle bogusly large chunks correctly" ++ ++# Check that the bug has been fixed ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -vcl+backend { ++} -start ++ ++client c1 { ++ send "POST / HTTP/1.1\r\n" ++ send "Transfer-Encoding: chunked\r\n\r\n" ++ send "FFFFFFFFFFFFFFED\r\n" ++ send "0\r\n\r\n" ++ ++ rxresp ++ expect resp.status == 503 ++} -run ++ ++# Check that the published workaround does not cause harm ++ ++varnish v1 -vcl+backend { ++ sub vcl_recv { ++ if (req.http.transfer-encoding ~ "(?i)chunked") { ++ return (fail); ++ } ++ } ++} ++ ++client c1 { ++ send "POST / HTTP/1.1\r\n" ++ send "Transfer-Encoding: chunked\r\n\r\n" ++ send "FFFFFFFFFFFFFFED\r\n" ++ ++ rxresp ++ expect resp.status == 503 ++} -run +--- a/bin/varnishd/http1/cache_http1_vfp.c ++++ b/bin/varnishd/http1/cache_http1_vfp.c +@@ -155,7 +155,7 @@ v1f_pull_chunked(struct vfp_ctx *vc, str + if (q == NULL || *q != '\0') + return (VFP_Error(vc, "chunked header number syntax")); + cl = (ssize_t)cll; +- if((uintmax_t)cl != cll) ++ if (cl < 0 || (uintmax_t)cl != cll) + return (VFP_Error(vc, "bogusly large chunk size")); + + vfe->priv2 = cl; +--- a/bin/varnishd/mgt/mgt_param_tweak.c ++++ b/bin/varnishd/mgt/mgt_param_tweak.c +@@ -53,7 +53,7 @@ static int + 
tweak_generic_double(struct vsb *vsb, volatile double *dest, + const char *arg, const char *min, const char *max, const char *fmt) + { +- double u, minv = 0, maxv = 0; ++ volatile double u, minv = 0, maxv = 0; + + if (arg != NULL) { + if (min != NULL) { diff -Nru varnish-4.1.1/debian/patches/series varnish-4.1.1/debian/patches/series --- varnish-4.1.1/debian/patches/series 1969-12-31 18:00:00.000000000 -0600 +++ varnish-4.1.1/debian/patches/series 2017-08-07 13:15:51.000000000 -0500 @@ -0,0 +1 @@ +4.1-Correctly-handle-bogusly-large-chunk-sizes.patch
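Review bot: In the embedded `cache_http1_vfp.c` hunk, `v1f_pull_chunked` still converts first (`cl = (ssize_t)cll;`) and validates afterwards, so the check depends on the implementation-defined result of converting an out-of-range unsigned value to `ssize_t`. Rejecting before the cast states the bound directly: `if (cll > SSIZE_MAX) return (VFP_Error(vc, "bogusly large chunk size"));` followed by `cl = (ssize_t)cll;`, assuming `SSIZE_MAX` from `<limits.h>` is in scope in that file. If the current form is kept to stay identical to upstream, the new condition deserves a comment, for example `/* a huge cll can become a negative ssize_t that still round-trips through uintmax_t, so the equality test alone does not catch it */`. That is presumably why the test value `FFFFFFFFFFFFFFED` passed the old check where the two types have the same width. The declaration of `cll` and the rest of the function are outside the hunk, so its type is inferred from the `(uintmax_t)` cast.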