Bug 1200034 - varnish: heap-based buffer overflow in backend server HTTP response parsing
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20150309,repo...
Keywords: Security
Depends On: 1200035 1200036
Reported: 2015-03-09 10:56 EDT by Martin Prpic
Modified: 2015-05-26 05:11 EDT

Doc Type: Bug Fix
Last Closed: 2015-05-20 10:19:36 EDT

Attachments: None
Description Martin Prpic 2015-03-09 10:56:58 EDT
A heap-based buffer overflow flaw was reported (including a reproducer) in varnish, a high-performance HTTP accelerator:

http://seclists.org/oss-sec/2015/q1/776
Comment 1 Martin Prpic 2015-03-09 10:57:28 EDT
Created varnish tracking bugs for this issue:

Affects: fedora-all [bug 1200035]
Affects: epel-all [bug 1200036]
Comment 2 Ingvar Hagelund 2015-03-11 06:03:49 EDT
* I have contacted upstream, and talked to Poul-Henning Kamp. His preliminary response:

  "I don't consider this a security issue.  Two reasons:  1. it's the backend, 
  2. I cannot see any way to exploit it. It's just a crash that shouldn't 
  happen IMO."

  That varnish trusts the backends has been discussed several times on the 
  oss-sec mailing list. I think that is out of scope for this bug.

  He has also had a look at the code that provokes the actual crash, and
  may eventually produce a patch fixing it.


* I have not been able to reproduce the crash locally.


* I have contacted the reporter. He is not able to reproduce the crash at 
  will. The bug is triggered with "magic numbers" as done in the reproducing 
  script, but the actual numbers to use may depend on the VM layout on the 
  specific machine. He should try to make a more predictable way to trigger the 
  bug, and come back to me if he manages.


Based on this, I let this bug rest as NEW until I get more information.


Ingvar
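Added example (not part of the bug report, not Varnish source, and not the oss-sec reproducer): the page only states that the overflow is heap-based and sits in backend response parsing, so the code below shows the general shape of that bug class rather than the actual flaw. A status-line parser written in the unsafe style (a fixed-size buffer filled from whatever the backend sent; here the overflow is only reported, not performed, so the program runs safely) sits next to a bounded parser that treats the backend as untrusted input, which is the opposite of the "varnish trusts the backends" position quoted above. MAX_STATUS_LINE, REASON_BUF, the struct and all function names are assumptions made for this illustration, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits assumed for this example only; Varnish's own limits are not
 * discussed on this page. */
#define MAX_STATUS_LINE 128
#define REASON_BUF      32

struct backend_status {
    int  code;                  /* three-digit status code */
    char reason[REASON_BUF];    /* reason phrase, NUL-terminated */
};

/* Unsafe pattern (do NOT use): a strcpy() of the reason phrase into a
 * fixed-size heap or stack buffer. Instead of performing the overflow this
 * function only reports whether strcpy() would write past the end, so the
 * example runs without undefined behaviour. Returns 1 if it would overflow. */
int unsafe_reason_copy_overflows(const char *line, size_t reason_bufsz)
{
    const char *p = strchr(line, ' ');      /* skip "HTTP/1.x" */
    if (p == NULL) return 0;
    p = strchr(p + 1, ' ');                 /* skip the status code */
    if (p == NULL) return 0;
    p++;
    size_t n = strcspn(p, "\r\n");          /* reason phrase length */
    return n + 1 > reason_bufsz;            /* +1 for the NUL strcpy() appends */
}

/* Bounded parser: every length comes from the destination, not the sender.
 * Returns 0 on success, -1 for any malformed or over-long line. */
int parse_status_line(const char *line, size_t len, struct backend_status *out)
{
    if (len > MAX_STATUS_LINE) return -1;

    /* Version token "HTTP/1.0 " or "HTTP/1.1 " (both nine bytes). */
    static const char v10[] = "HTTP/1.0 ", v11[] = "HTTP/1.1 ";
    size_t vlen = sizeof(v11) - 1;
    if (len < vlen) return -1;
    if (memcmp(line, v10, vlen) != 0 && memcmp(line, v11, vlen) != 0) return -1;

    /* Exactly three ASCII digits in the range 100..599. */
    const char *p = line + vlen;
    const char *end = line + len;
    if (end - p < 3) return -1;
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)p[i])) return -1;
        code = code * 10 + (p[i] - '0');
    }
    p += 3;
    if (code < 100 || code > 599) return -1;

    /* Optional reason phrase, bounded by the destination buffer. */
    out->code = code;
    out->reason[0] = '\0';
    if (p == end) return 0;
    if (*p != ' ') return -1;
    p++;
    size_t n = 0;
    while (p + n < end && p[n] != '\r' && p[n] != '\n') n++;
    if (n >= sizeof out->reason) return -1;     /* would not fit with the NUL */
    memcpy(out->reason, p, n);
    out->reason[n] = '\0';
    return 0;
}

/* Convenience wrapper: the parsed status code, or -1 if the line is rejected. */
int status_code_of(const char *line)
{
    struct backend_status st;
    return parse_status_line(line, strlen(line), &st) == 0 ? st.code : -1;
}

int main(void)
{
    /* Constructed sample lines, not taken from the reproducer on oss-sec. */
    const char *ok = "HTTP/1.1 200 OK\r\n";
    char big[MAX_STATUS_LINE + 64];
    memset(big, 'A', sizeof big - 1);       /* reason phrase far too long */
    big[sizeof big - 1] = '\0';
    memcpy(big, "HTTP/1.1 200 ", 13);

    struct backend_status st;
    int rc = parse_status_line(ok, strlen(ok), &st);
    printf("normal line: rc=%d code=%d reason=\"%s\"\n", rc, st.code, st.reason);
    printf("oversized reason: unsafe copy overflows=%d, bounded parse rc=%d\n",
           unsafe_reason_copy_overflows(big, REASON_BUF),
           parse_status_line(big, strlen(big), &st));
    return 0;
}
```

The bounded parser rejects the same input that the unsafe pattern would have copied blindly; the point for triage is that a backend-controlled length reaching a fixed-size buffer is exploitable-in-principle regardless of whether a given "magic number" happens to crash a particular heap layout.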
Comment 3 Ingvar Hagelund 2015-03-16 12:25:55 EDT
Patch based on upstream commit 9d61ea4d722549a984d912603902fccfac473824 added. varnish-4.0.3-3 pushed to testing f21, f22, and epel7.

Ingvar
Comment 4 Fedora Update System 2015-03-23 03:09:04 EDT
varnish-4.0.3-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Ingvar Hagelund 2015-05-20 10:19:36 EDT
varnish-4.0.3-3 updates have had status stable in fc21, fc22, el7, for 64 days. I'm closing this now.
