Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Lunar

Bug #1971504 reported by Luís Infante da Câmara
Affects             Status        Importance  Assigned to  Milestone
varnish (Debian)    Fix Released  Unknown
varnish (Ubuntu)    Fix Released  Medium      Unassigned
  Bionic            Fix Released  Medium      Unassigned
  Focal             Fix Released  Medium      Unassigned
  Impish            Fix Released  Medium      Unassigned
  Jammy             Fix Released  Medium      Unassigned

Bug Description

The version in Bionic is vulnerable to CVE-2019-20637 and CVE-2022-23959.

The version in Focal is vulnerable to CVE-2019-20637, CVE-2020-11653, CVE-2021-36740 (bug #1939281) and CVE-2022-23959.

The versions in Impish and Jammy are vulnerable to CVE-2022-23959.

The version in Kinetic is vulnerable to CVE-2022-23959 and CVE-2022-38150.

Please release patched versions.

Debian released an advisory on March 3.

information type: Private Security → Public Security
description: updated
Changed in varnish (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote:

Debian believes that CVE-2019-20637 is a minor issue in Stretch and Buster, which have versions 5.0.0 and 6.1.1, respectively. In addition, when I run the new test f00004.vtc in the source tree for Bionic, I get an error. Therefore, I am not patching this CVE for Bionic.

Luís Infante da Câmara (luis220413) wrote:

Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "Patch for Bionic" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Luís Infante da Câmara (luis220413) wrote:

This patch has a mistake. A corrected patch will be added in a few minutes.

Luís Infante da Câmara (luis220413) wrote:

Luís Infante da Câmara (luis220413) wrote:
Changed in varnish (Ubuntu):
status: In Progress → Fix Committed
Seth Arnold (seth-arnold) wrote:

Hello Luís, thanks; I just glanced at the debdiffs quickly, and noticed this one appears to be missing the quilt series changes:

+varnish (6.6.1-1ubuntu0.1) jammy-security; urgency=medium

Please also report back how you've tested the patches.

Thanks

Changed in varnish (Debian):
status: Unknown → New
Luís Infante da Câmara (luis220413) wrote:

Corrected patch for Jammy.

Luís Infante da Câmara (luis220413) wrote:

I have only tested that each patch compiles on an Ubuntu VM with the corresponding release, and tried to test that the patched version in Bionic is not affected by CVE-2019-20637 but failed: https://bugs.launchpad.net/ubuntu/+source/varnish/+bug/1971504/comments/1

Paulo Flabiano Smorigo (pfsmorigo) wrote:

Hello Luís, thanks for the debdiffs. I've changed the changelog a little bit in order to follow the security format and fit the patches into the DEP-3 guidelines (some of them were missing some header elements). I uploaded the packages into our security-proposed ppa and, if possible, please test using them. My plan is to push to archive next week. The link for the ppa is: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Luís Infante da Câmara (luis220413) wrote:

Paulo Flabiano Smorigo, please upload a patched version for Bionic to the Ubuntu Security Proposed PPA.

Luís Infante da Câmara (luis220413) wrote (last edit):

I have run the upstream test suite on Focal, Impish and Jammy as follows:

$ git clone https://github.com/varnishcache/varnish-cache.git
$ cd varnish-cache
$ git checkout varnish-$UPSTREAM_VERSION
$ cd bin/varnishtest
$ for i in tests/*; do if [ "$i" != tests/README ]; then varnishtest "$i"; fi; done

In Focal all tests pass or are skipped. In Impish and Jammy the same happens, but varnishd crashes twice in the first run; no crashes occur on the second run.

Marc Deslauriers (mdeslaur) wrote:

Hi Luis,

I just uploaded your bionic debdiff to the security team PPA, with similar changelog changes as the other releases.

Could you please test it? Thanks!

Changed in varnish (Ubuntu Bionic):
status: New → In Progress
Changed in varnish (Ubuntu Focal):
status: New → In Progress
Changed in varnish (Ubuntu Impish):
status: New → In Progress
Changed in varnish (Ubuntu Jammy):
status: New → In Progress
Paulo Flabiano Smorigo (pfsmorigo) wrote:

Hello Luis, did you manage to test the bionic package?

Paulo Flabiano Smorigo (pfsmorigo) wrote (last edit):

Hello Luis, did you see my last comment? Meanwhile I ran varnishtest for bionic/focal/impish and the results were the same before and after applying your updates. Can you show me in which of the vtc tests you are seeing those crashes?

Luís Infante da Câmara (luis220413) wrote:

I did not test the package in Bionic, but thanks for your testing.

I am now testing the patched package in Impish.

Luís Infante da Câmara (luis220413) wrote:

For the patched package in Impish, all tests pass or are skipped without any crashes.

I will test the patched package in Jammy at 17:00 UTC.

Luís Infante da Câmara (luis220413) wrote:

In Jammy, all tests pass or are skipped without any crashes.

Paulo Flabiano Smorigo (pfsmorigo) wrote:

Ok so it seems that there were no regressions, right? If so, I'll go ahead and publish them.

Luís Infante da Câmara (luis220413) wrote:

Yes, there were no regressions.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package varnish - 6.6.1-1ubuntu0.2

---------------
varnish (6.6.1-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
      to ignore req body. (LP: #1971504)
      CVE-2022-23959

 -- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 23:19:23 +0100

Changed in varnish (Ubuntu Jammy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package varnish - 6.5.2-1ubuntu0.2

---------------
varnish (6.5.2-1ubuntu0.2) impish-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
      to ignore req body. (LP: #1971504)
      CVE-2022-23959

 -- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 23:10:18 +0100

Changed in varnish (Ubuntu Impish):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package varnish - 6.2.1-2ubuntu0.1

---------------
varnish (6.2.1-2ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Sensitive Information Disclosure
    - debian/patches/CVE-2019-20637.patch: Clear err_code and err_reason at
      start of request handling. (LP: #1971504, LP: #1939281)
      CVE-2019-20637
  * SECURITY UPDATE: Assertion failure
    - debian/patches/CVE-2020-11653.patch: Take sizeof pool_task into account
      when reserving WS in SES_Wait. (LP: #1971504, LP: #1939281)
      CVE-2020-11653
  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2021-36740.patch: Take content length into
      account on H/2 request bodies. (LP: #1971504, LP: #1939281)
    - debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
      to ignore req body. (LP: #1971504, LP: #1939281)
      CVE-2021-36740
      CVE-2022-23959
  * Additional fixes
    - debian/patches/WS_ReserveAll.patch: Add WS_ReserveAll to replace
      WS_Reserve(ws, 0).
    - debian/patches/WS_ReserveSize.patch: Deprecate WS_Reserve() and replace
      it with WS_ReserveSize().

 -- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 21:16:37 +0100

Changed in varnish (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package varnish - 5.2.1-1ubuntu0.1

---------------
varnish (5.2.1-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling
    - debian/patches/CVE-2022-23959.patch: Mark req doclose when failing
      to ignore req body. (LP: #1971504, LP: #1939281)
      CVE-2022-23959

 -- Luís Infante da Câmara <email address hidden> Wed, 04 May 2022 20:12:53 +0100

Changed in varnish (Ubuntu Bionic):
status: In Progress → Fix Released
Changed in varnish (Ubuntu):
status: Fix Committed → In Progress
Luís Infante da Câmara (luis220413) wrote:

The version in Kinetic is still vulnerable to CVE-2022-23959.

I filed a Debian bug (linked to by this bug) on May 4 for the newest upstream release to be packaged and sent an email to the maintainers just now reminding them of this bug.

Changed in varnish (Ubuntu):
status: In Progress → Confirmed
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Changed in varnish (Ubuntu):
status: Confirmed → In Progress
Luís Infante da Câmara (luis220413) wrote:

Version 7.1.0 is now packaged in Debian experimental. After it (or a later version) is uploaded to Debian unstable before Debian Import Freeze (in the week of August 25), it will be automatically synced into Ubuntu Kinetic.

Luís Infante da Câmara (luis220413) wrote (last edit):

Version 7.1.0-5 has been uploaded to Debian unstable at 19:38 UTC.

Changed in varnish (Ubuntu):
status: In Progress → Fix Committed
Mathew Hodson (mhodson)
Changed in varnish (Ubuntu):
importance: Undecided → Medium
Changed in varnish (Ubuntu Bionic):
importance: Undecided → Medium
Changed in varnish (Ubuntu Focal):
importance: Undecided → Medium
Changed in varnish (Ubuntu Impish):
importance: Undecided → Medium
Changed in varnish (Ubuntu Jammy):
importance: Undecided → Medium
Changed in varnish (Debian):
status: New → Fix Released
Luís Infante da Câmara (luis220413) wrote:

This package is not migrating to the release pocket in Kinetic due to autopkgtest regressions and uninstallable packages, which are discussed in bug #1979893.

Marc Deslauriers (mdeslaur) wrote:

Unsubscribing ubuntu-security-sponsors from this bug since there is nothing left to sponsor. Thanks!

Ingvar-j (ingvar-j) wrote:

This bug is still visible on Focal. This is quite serious, as it means that everybody using varnish from the default Ubuntu repos in production is still vulnerable to a DoS attack.

Focal has varnish-6.2.1 with patches. varnish-6.2.3 was released with only one fix: this CVE. This means that most of the code changes between varnish-6.2.2 and 6.2.3 (tests, docs and such may be dropped) should be included in the patch set that fixes CVE-2020-11653. The patches included for 6.2.1-2ubuntu0.1 are _not_ sufficient to cover the problems.

We observed this on a live test system last week. Special calls crashed varnish's children, and varnishd asserts and throws away the cache. This makes it a DoS attack vector.

When varnish-6.2.3 was released, upstream added a regression test for this particular bug. This means that reproducing it is trivial: just install the latest varnish from Ubuntu's update repos and run the test:

focal$ sudo apt install varnish

focal$ dpkg -l varnish | awk '/^ii/ { print $2,$3}'
varnish 6.2.1-2ubuntu0.1

focal$ wget https://raw.githubusercontent.com/varnishcache/varnish-cache/varnish-6.2.3/bin/varnishtest/tests/f00005.vtc

$focal varnishtest f00005.vtc
(...)
# top TEST f00005.vtc FAILED (0.429) exit=2

The mitigation upstream references, that is, increasing the session workspace, still works. For production use, I would recommend using varnish-6.0.x, which is the upstream LTS version and is still updated. The other varnish-6.x branches are no longer maintained upstream.

Best regards,
Ingvar Hagelund
(Maintainer of varnish in Fedora)

References:
* Another instance of this particular bug on Focal: https://github.com/varnishcache/varnish-cache/issues/3822
* Upstream answer to CVE-2020-11653, including mitigation: https://varnish-cache.org/security/VSV00005.html

Ingvar-j (ingvar-j) wrote:

typo correction:

focal$ varnishtest f00005.vtc

Luís Infante da Câmara (luis220413) wrote (last edit):

Version 7.1.1-1 of this source package fails to build only on ppc64el due to a new warning (-Wmaybe-uninitialized), which is turned into an error by -Werror. The same package builds successfully in Debian on ppc64el, with the same upstream compiler version (GCC 12.1.0).

I will create a debdiff to remove -Werror from the compiler flags.

tags: added: update-excuse
tags: added: ftbfs
Changed in varnish (Ubuntu Focal):
status: Fix Released → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
description: updated
Luís Infante da Câmara (luis220413) wrote:

Fixed for Focal in version 6.2.1-2ubuntu0.2.

Changed in varnish (Ubuntu Focal):
status: In Progress → Fix Released
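An added defender-side check, not code from this bug report or from the varnish project: a Python port of dpkg's version ordering, used to tell whether an installed varnish package is at or above the minimum fixed versions named in the changelogs above (6.2.1-2ubuntu0.2 for Focal, since ubuntu0.1 carried an incomplete CVE-2020-11653 fix). The FIXED table and the function names are mine, and the comparison assumes version strings without an epoch.

```python
# Added example: compare an installed varnish version against this thread's fixes.
def _order(c):
    """dpkg weight for non-digit chars: ~ first, then letters, then the rest."""
    if c is None or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare char by char with dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1] or None), _order(b[j:j + 1] or None)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run: drop leading zeros, longer run wins, else first differing digit
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """-1, 0 or 1 as `dpkg --compare-versions` orders a against b (no epochs)."""
    ua, _, ra = a.rpartition("-") if "-" in a else (a, "", "")
    ub, _, rb = b.rpartition("-") if "-" in b else (b, "", "")
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

# Minimum fixed version per release and the CVEs it closes, from the changelogs
# in this thread; Focal needs ubuntu0.2 because ubuntu0.1 was incomplete.
FIXED = {
    "bionic": ("5.2.1-1ubuntu0.1", ["CVE-2022-23959"]),
    "focal": ("6.2.1-2ubuntu0.2", ["CVE-2019-20637", "CVE-2020-11653", "CVE-2021-36740", "CVE-2022-23959"]),
    "impish": ("6.5.2-1ubuntu0.2", ["CVE-2022-23959"]),
    "jammy": ("6.6.1-1ubuntu0.2", ["CVE-2022-23959"]),
}

def outstanding_cves(release, installed):
    """CVEs named in this thread still open for `installed` on `release`."""
    fixed_in, cves = FIXED[release]
    return [] if compare_versions(installed, fixed_in) >= 0 else list(cves)
```

Feed it the version column of `dpkg -l varnish`, as in Ingvar's reproduction above, and an empty list means every fix from this thread for that release is present.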
Luís Infante da Câmara (luis220413) wrote:

Fixed in the development release in version 7.1.1-1.

Changed in varnish (Ubuntu):
status: Fix Committed → Fix Released
summary: - Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Kinetic
+ Multiple vulnerabilities in Bionic, Focal, Impish, Jammy and Lunar