7 changed files with 116 additions and 71 deletions
--- a/CVE-2022-23959.patch
+++ b/CVE-2022-23959.patch
@ -0,0 +1,28 @@
 From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
 From: Martin Blix Grydeland <martin@varnish-software.com>
 Date: Fri, 17 Dec 2021 22:10:16 +0100
 Subject: [PATCH] Mark req doclose when failing to ignore req body
 Previously we would ignore errors to iterate the request body into
 oblivion in VRB_Ignore(), keeping the connection open. This opens an
 out-of-sync vulnerability on H/1 connections.
 This patch tests the status of the request body in VRB_Ignore(), marking
 the request failed and that it should be closed on errors.
 ---
 bin/varnishd/cache/cache_req_body.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
 index 6391f928d6..5ffd08b77d 100644
 --- a/bin/varnishd/cache/cache_req_body.c
 +++ b/bin/varnishd/cache/cache_req_body.c
@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
 	if (req->req_body_status->avail > 0)
 		(void)VRB_Iterate(req->wrk, req->vsl, req,
 		    httpq_req_body_discard, NULL);
 +	if (req->req_body_status == BS_ERROR)
 +		req->doclose = SC_RX_BODY;
 	return (0);
 }
--- a/CVE-2022-38150.patch
+++ b/CVE-2022-38150.patch
@ -0,0 +1,72 @@
 From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
 From: Martin Blix Grydeland <martin@varnish-software.com>
 Date: Thu, 4 Aug 2022 10:59:33 +0200
 Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
 In http_EstimateWS(), all headers are passed to the http_isfiltered()
 function to calculate how many bytes is needed to serialize the entire
 struct http. http_isfiltered() will check the headers for whether they are
 going to be filtered out later and if so skip them.
 However http_isfiltered() would attempt to treat all elements of struct
 http as regular headers with an implicit structure. That does not hold for
 the first three pseudo-header entries, which would lead to asserts in
 later steps.
 This patch skips the filter step for pseudo-headers.
 Fixes: #3830
 ---
 bin/varnishd/cache/cache_http.c  |  2 ++
 bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 bin/varnishtest/tests/r03830.vtc
 diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
 index ed15e07f9e..d48c0bb366 100644
 --- a/bin/varnishd/cache/cache_http.c
 +++ b/bin/varnishd/cache/cache_http.c
@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
 	if (fm->hdf[u] & HDF_FILTER)
 		return (1);
 +	if (u < HTTP_HDR_FIRST)
 +		return (0);
 	e = strchr(fm->hd[u].b, ':');
 	if (e == NULL)
 		return (0);
 diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
 new file mode 100644
 index 0000000000..5155981923
 --- /dev/null
 +++ b/bin/varnishtest/tests/r03830.vtc
@@ -0,0 +1,29 @@
 +varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
 +
 +server s1 {
 +	rxreq
 +	txresp -reason ":x"
 +
 +	rxreq
 +	txresp
 +} -start
 +
 +varnish v1 -vcl+backend {
 +	sub vcl_recv {
 +		return (hash);
 +	}
 +} -start
 +
 +client c1 {
 +	txreq
 +	rxresp
 +	expect resp.status == 200
 +} -run
 +
 +client c2 {
 +	txreq -url :x -method :x
 +	rxresp
 +	expect resp.status == 200
 +} -run
 +
 +varnish v1 -vsl_catchup
--- a/CVE-2025-30346.patch
+++ b/CVE-2025-30346.patch
@ -1,50 +0,0 @@
 From 8ef69a03b36aeac5f364c01eb20f821860e47f14 Mon Sep 17 00:00:00 2001
 From: Dag Haavi Finstad <daghf@varnish-software.com>
 Date: Fri, 10 Jan 2025 13:07:54 +0100
 Subject: [PATCH] req_fsm: Close the connection on a malformed request
 ---
 bin/varnishd/cache/cache_req_fsm.c | 2 ++
 bin/varnishtest/tests/b00037.vtc   | 2 ++
 2 files changed, 4 insertions(+)
 diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c
 index 1004cbc5f47..803810210ef 100644
 --- a/bin/varnishd/cache/cache_req_fsm.c
 +++ b/bin/varnishd/cache/cache_req_fsm.c
@@ -962,6 +962,7 @@ cnt_recv(struct worker *wrk, struct req *req)
 	if (http_CountHdr(req->http0, H_Host) > 1) {
 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
 		wrk->stats->client_req_400++;
 +		req->doclose = SC_RX_BAD;
 		(void)req->transport->minimal_response(req, 400);
 		return (REQ_FSM_DONE);
 	}
@@ -969,6 +970,7 @@ cnt_recv(struct worker *wrk, struct req *req)
 	if (http_CountHdr(req->http0, H_Content_Length) > 1) {
 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers");
 		wrk->stats->client_req_400++;
 +		req->doclose = SC_RX_BAD;
 		(void)req->transport->minimal_response(req, 400);
 		return (REQ_FSM_DONE);
 	}
 diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc
 index ce0e841123e..e6185bd0764 100644
 --- a/bin/varnishtest/tests/b00037.vtc
 +++ b/bin/varnishtest/tests/b00037.vtc
@@ -11,6 +11,7 @@ client c1 {
 varnish v1 -vsl_catchup
 varnish v1 -expect client_req_400 == 1
 +varnish v1 -expect sc_rx_bad == 1
 client c1 {
 	txreq -method POST -hdr "Content-Length: 12" -hdr "Content-Length: 12" -bodylen 12
@@ -20,6 +21,7 @@ client c1 {
 varnish v1 -vsl_catchup
 varnish v1 -expect client_req_400 == 2
 +varnish v1 -expect sc_rx_bad == 2
 varnish v1 -cliok "param.set feature +http2"
--- a/fix-varnish-devel-installation-failure.patch
+++ b/fix-varnish-devel-installation-failure.patch
@ -63,6 +63,16 @@ index 0eb77c5..6b3af4d 100755
 #
 # Copyright (c) 2010-2016 Varnish Software
 # All rights reserved.
 diff --git a/lib/libvcc/vsctool.py b/lib/libvcc/vsctool.py
 index 9df1dc4..82c8f33 100755
 --- a/lib/libvcc/vsctool.py
 +++ b/lib/libvcc/vsctool.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/env python3
 +#!/usr/bin/python3
 # -*- encoding: utf-8 -*-
 #
 # Copyright (c) 2017 Varnish Software AS
 diff --git a/wflags.py b/wflags.py
 index 9e9e4e9..90605a2 100644
 --- a/wflags.py
--- a/varnish-7.0.1.tgz
+++ b/varnish-7.0.1.tgz
--- a/varnish-7.4.3.tgz
+++ b/varnish-7.4.3.tgz
--- a/varnish.spec
+++ b/varnish.spec
@ -1,9 +1,7 @@
 %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Name:             varnish
 Summary:          A web application accelerator
-Version:          7.4.3
+Version:          7.0.1
-Release:          2
+Release:          4
 License:          BSD-2-Clause
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@ -12,11 +10,13 @@ Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001:        fix-varnish-devel-installation-failure.patch
 Patch0002:        fix-varnish.service-reload-failed.patch
-Patch0003:        CVE-2025-30346.patch
+##https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
 Patch0003:        CVE-2022-23959.patch
 Patch0004:        CVE-2022-38150.patch
 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre2-devel libedit-devel gcc
-Requires:         logrotate ncurses pcre2 jemalloc %{vendor}-rpm-config gcc
+Requires:         logrotate ncurses pcre2 jemalloc openEuler-rpm-config gcc
 Requires(pre):    shadow-utils
 Requires(post):   /usr/bin/uuidgen systemd-units systemd-sysv
 Requires(preun):  systemd-units
@ -161,21 +161,6 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 %changelog
 * Mon Mar 24 2025 yaoxin <1024769339@qq.com> - 7.4.3-2
 - Fix CVE-2025-30346
 * Mon Mar 25 2024 zhangxingrong <zhangxingrong@uniontech.com> - 7.4.3-1
 - Update to 7.4.3 for fix CVE-2024-30156
 * Sat Feb 17 2024 wangkai <13474090681@163.com> - 7.4.2-1
 - Update to 7.4.2 for fix CVE-2023-44487
 * Tue Oct 10 2023 xu_ping <707078654@qq.com> - 7.4.1-1
 - Upgrade version to 7.4.1
 * Tue Nov 22 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-5
 - Fix CVE-2022-45060
 * Tue Aug 23 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-4
 - Fix CVE-2022-38150