import varnish-6.6.2-3.el9

2 years ago · 03a640b871
commit 03a640b871
4 changed files with 1182 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
+SOURCES/varnish-6.6.2.tgz
--- a/.varnish.metadata
+++ b/.varnish.metadata
@ -0,0 +1,2 @@
+d15a2afe52d546c45b46875b656ec3542c69e2f2 SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
+d2423c88186f5d409c72870199c8b46d489fdb48 SOURCES/varnish-6.6.2.tgz
--- a/SOURCES/varnish-6.6.2-CVE-2022-45060.patch
+++ b/SOURCES/varnish-6.6.2-CVE-2022-45060.patch
@ -0,0 +1,76 @@
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index 6bc062e..570b871 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
+++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -97,11 +97,16 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	/* XXX: This might belong in cache/cache_http.c */
+ 	const char *b0;
+ 	unsigned n;
+	int disallow_empty;
+	char *p;
+	int i;
+ 
+ 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ 	AN(b);
+ 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
+ 	assert(namelen <= len);
+	
+	disallow_empty = 0;
+ 
+ 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
+ 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_METHOD;
+			disallow_empty = 1;
+
+			/* First field cannot contain SP or CTL */
+			for (p = b, i = 0; i < len; p++, i++) {
+				if (vct_issp(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
+ 		} else if (!strncmp(b, ":path: ", namelen)) {
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_URL;
+			disallow_empty = 1;
+
+			/* Second field cannot contain LWS or CTL */
+			for (p = b, i = 0; i < len; p++, i++) {
+				if (vct_islws(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
+ 		} else if (!strncmp(b, ":scheme: ", namelen)) {
+ 			/* XXX: What to do about this one? (typically
+ 			   "http" or "https"). For now set it as a normal
+@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b++;
+ 			len-=1;
+ 			n = hp->nhd;
+
+			for (p = b + namelen, i = 0; i < len-namelen;
+			    p++, i++) {
+				if (vct_issp(*p) || vct_isctl(*p))
+					return (H2SE_PROTOCOL_ERROR);
+			}
+
+			if (!i)
+				return (H2SE_PROTOCOL_ERROR);
+ 		} else if (!strncmp(b, ":authority: ", namelen)) {
+ 			b+=6;
+ 			len-=6;
+@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	hp->hd[n].b = b;
+ 	hp->hd[n].e = b + len;
+ 
+	if (disallow_empty && !Tlen(hp->hd[n])) {
+		VSLb(hp->vsl, SLT_BogoHeader,
+		    "Empty pseudo-header %.*s",
+		    (int)namelen, b0);
+		return (H2SE_PROTOCOL_ERROR);
+	}
+
+ 	return (0);
+ }
+ 
--- a/SPECS/varnish.spec
+++ b/SPECS/varnish.spec