Incomplete fix for CVE-2020-11653

Bug #1986627 reported by Luís Infante da Câmara
Affects           Status        Importance  Assigned to             Milestone
varnish-cache     Unknown       Unknown
varnish (Ubuntu)  Fix Released  Undecided   Paulo Flabiano Smorigo

Bug Description

There is an assertion failure in Varnish due to an incomplete fix for CVE-2020-11653, which I provided in bug #1971504.

From the linked GitHub issue (edited):

The Varnish child process dies every few hours, causing Varnish to seemingly dump its cache and start over.

I've been banging my head against this one for a while now. Did a complete reinstall of Varnish from the Focal repo and issue still persists. This was done based on these previous tickets in the belief that some old stuff was still hanging around after an old upgrade. I see this bug as fixed in the 5.1.0 changelog from 2017, which is why I'm a little perplexed on it appearing in 6.2.1-2ubuntu0.1 which I am running.

I have tried commenting out a bunch of rules in defaults.vcl to no avail.

We are running HTTP/2, which these other tickets also reference. Enabled via the varnish unit file (/etc/systemd/system/varnish.service) with "-p feature=+http2" added to "ExecStart=".

Previous tickets mentioned:
https://github.com/varnishcache/varnish-cache/issues/2589
https://github.com/varnishcache/varnish-cache/issues/1834
https://github.com/varnishcache/varnish-cache/issues/2233

Output from varnishadm panic.show:

Panic at: Tue, 05 Jul 2022 09:41:29 GMT
Assert error in WS_Assert(), cache/cache_ws.c line 59:
  Condition(*ws->e == 0x15) not true.
version = varnish-6.2.1 revision 9f8588e4ab785244e06c3446fe09bf9db5dd8753, vrt api = 9.0
ident = Linux,5.4.0-121-generic,x86_64,-junix,-smalloc,-sdefault,-hcritbit,epoll
now = 42737.028027 (mono), 1657014088.897058 (real)
Backtrace:
  0x56462f3adbcf: /usr/sbin/varnishd(+0x50bcf) [0x56462f3adbcf]
  0x56462f419cc8: /usr/sbin/varnishd(VAS_Fail+0x18) [0x56462f419cc8]
  0x56462f3d1f88: /usr/sbin/varnishd(WS_Assert+0x198) [0x56462f3d1f88]
  0x56462f3d2a64: /usr/sbin/varnishd(WS_Release+0x14) [0x56462f3d2a64]
  0x56462f3b7fa0: /usr/sbin/varnishd(+0x5afa0) [0x56462f3b7fa0]
  0x56462f40093d: /usr/sbin/varnishd(+0xa393d) [0x56462f40093d]
  0x7f5559912609: /lib/x86_64-linux-gnu/libpthread.so.0(+0x8609) [0x7f5559912609]
  0x7f5559837133: /lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7f5559837133]
thread = (cache-epoll)
pthread.attr = {
  guard = 4096,
  stack_bottom = 0x7f554a5fe000,
  stack_top = 0x7f554adfe000,
  stack_size = 8388608,
}
thr.req = (nil) {
},
thr.busyobj = (nil) {
},
vmods = {
  std = {Varnish 6.2.1 9f8588e4ab785244e06c3446fe09bf9db5dd8753, 0.0},
  directors = {Varnish 6.2.1 9f8588e4ab785244e06c3446fe09bf9db5dd8753, 0.0},
},

information type: Private Security → Public Security
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Lintian does not produce errors or warnings when run on the patched source package.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

I have run the upstream test suite as follows:

[Add my PPA to the system: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates]
$ sudo apt install varnish
$ sudo systemctl stop varnish.service varnishncsa.service
$ sudo systemctl disable varnish.service varnishncsa.service
$ cd varnish-6.2.1/bin/varnishtest
$ for i in tests/*; do if [ "$i" != tests/README ]; then varnishtest "$i"; fi; done

All tests pass or are skipped.

Changed in varnish (Ubuntu):
status: New → Confirmed
status: Confirmed → New
status: New → Confirmed
Changed in varnish (Ubuntu):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package varnish - 6.2.1-2ubuntu0.2

---------------
varnish (6.2.1-2ubuntu0.2) focal-security; urgency=medium

  * SECURITY REGRESSION: Incomplete fix for CVE-2020-11653 (LP: #1986627)
    - debian/patches/WS_ReserveAll.patch: Rename to CVE-2020-11653-01.patch.
    - debian/patches/WS_ReserveSize.patch: Rename to CVE-2020-11653-02.patch.
    - debian/patches/CVE-2020-11653-03.patch: Add a facility to test
      WS_ReserveSize().
    - debian/patches/CVE-2020-11653-04.patch: Correct the overflow condition in
      WS_ReserveSize().
    - debian/patches/CVE-2020-11653-05.patch: Fix copy-pasted test description.
    - debian/patches/CVE-2020-11653-06.patch: Add Session Attribute workspace
      overflow handling.
    - debian/patches/CVE-2020-11653-07.patch: Simplify WS allocation in
      tlv_string.
    - debian/patches/CVE-2020-11653-08.patch: Try to make the proxy code session
      workspace overflow test on 32-bit platforms.
    - debian/patches/CVE-2020-11653-09.patch: Adjust the workspace session size
      for 32-bit vtest machines.
    - debian/patches/CVE-2020-11653-10.patch: Handle out of session workspace in
      http1_new_session().
    - debian/patches/CVE-2020-11653-11.patch: Remove extra call to
      SES_Reserve_proto_priv().
    - debian/patches/CVE-2020-11653-12.patch: Remove call to
      SES_Reserve_proto_priv() in h2_init_sess().
    - debian/patches/CVE-2020-11653-13.patch: Handle badly formatted proxy TLVs.
    - debian/patches/CVE-2020-11653-14.patch: Add a missing assertion to
      WS_ReserveAll().
    - debian/patches/CVE-2020-11653-15.patch: Fix WS_ReserveSize calls when
      bytes is equal to free workspace.
    - debian/patches/CVE-2020-11653.patch: Rename to CVE-2020-11653-16.patch.

 -- Luís Infante da Câmara <email address hidden> Tue, 16 Aug 2022 17:57:53 +0100

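The changelog above names the two workspace edge cases that made the first fix incomplete: an incorrect overflow condition in WS_ReserveSize() and calls where the requested size equals the free workspace. The following added example (a hypothetical toy workspace written for this page, not Varnish's own cache_ws.c; the 0x15 canary value is taken from the panic output above, everything else is an assumption) shows a reserve/release pair that accepts an exact fit, refuses one byte more, and checks the end canary on release the way the WS_Assert() in the panic does:

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Canary byte kept at the end of the workspace; 0x15 is the value the
 * WS_Assert() panic above checks for (layout here is a simplification). */
#define WS_CANARY 0x15

/* Hypothetical workspace: s = start, f = first free byte, r = start of the
 * current reservation (NULL when none), e = end, which holds the canary. */
struct ws {
    char *s;
    char *f;
    char *r;
    char *e;
    int overflowed;
};

void ws_init(struct ws *ws, char *buf, size_t len)
{
    assert(len >= 2);
    ws->s = buf;
    ws->f = buf;
    ws->r = NULL;
    ws->e = buf + len - 1;
    *ws->e = WS_CANARY;
    ws->overflowed = 0;
}

size_t ws_free(const struct ws *ws)
{
    return (size_t)(ws->e - ws->f);
}

/* Reserve exactly `bytes` bytes. Returns `bytes` on success and 0 when the
 * request does not fit. A request equal to the free space is accepted:
 * only writes past `e` would clobber the canary. */
size_t ws_reserve_size(struct ws *ws, size_t bytes)
{
    assert(ws->r == NULL); /* reservations do not nest */
    if (bytes == 0 || bytes > ws_free(ws)) {
        ws->overflowed = 1;
        return 0;
    }
    ws->r = ws->f;
    return bytes;
}

/* Commit `used` bytes of the reservation. The canary assertion is the kind
 * of check that fired in the panic above when a writer ran past the end. */
void ws_release(struct ws *ws, size_t used)
{
    assert(ws->r != NULL);
    assert(used <= ws_free(ws));
    assert(*ws->e == WS_CANARY);
    ws->f += used;
    ws->r = NULL;
}

/* Copy a string into the workspace. The terminating NUL is counted in the
 * reservation, so a string that exactly fills the free space succeeds and
 * one byte longer is refused instead of overrunning the buffer. */
char *ws_copy_string(struct ws *ws, const char *src)
{
    size_t need = strlen(src) + 1;
    char *dst;

    if (ws_reserve_size(ws, need) == 0)
        return NULL;
    dst = ws->r;
    memcpy(dst, src, need);
    ws_release(ws, need);
    return dst;
}

/* Exact fit: a 9-byte buffer gives 8 usable bytes, "1234567" plus NUL is 8.
 * Returns 1 when the copy succeeds, uses all space and the canary survives. */
int exact_fit_ok(void)
{
    char buf[9];
    struct ws ws;
    char *p;

    ws_init(&ws, buf, sizeof buf);
    p = ws_copy_string(&ws, "1234567");
    return p != NULL && strcmp(p, "1234567") == 0 && ws_free(&ws) == 0 &&
           !ws.overflowed && *ws.e == WS_CANARY;
}

/* One byte too many: the copy is refused, the workspace is flagged and
 * nothing is written. Returns 1 when overflow handling behaves that way. */
int overflow_refused(void)
{
    char buf[9];
    struct ws ws;
    char *p;

    ws_init(&ws, buf, sizeof buf);
    p = ws_copy_string(&ws, "12345678");
    return p == NULL && ws.overflowed && ws_free(&ws) == 8 &&
           *ws.e == WS_CANARY;
}

int main(void)
{
    return (exact_fit_ok() && overflow_refused()) ? 0 : 1;
}
```

The point of the exact-fit case is that the comparison must be `bytes > free`, not `bytes >= free`: rejecting an exact fit breaks legitimate callers, while accepting one byte beyond it is exactly the overrun the canary assertion catches, with the child process dying and the cache being lost as in the report above.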
Changed in varnish (Ubuntu):
status: Confirmed → Fix Released