!94 [sync] PR-93: Fix CVE-2025-30346

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2022-23959.patch

@@ -1,28 +0,0 @@
-From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland <martin@varnish-software.com>
-Date: Fri, 17 Dec 2021 22:10:16 +0100
-Subject: [PATCH] Mark req doclose when failing to ignore req body
-
-Previously we would ignore errors to iterate the request body into
-oblivion in VRB_Ignore(), keeping the connection open. This opens an
-out-of-sync vulnerability on H/1 connections.
-
-This patch tests the status of the request body in VRB_Ignore(), marking
-the request failed and that it should be closed on errors.
----
- bin/varnishd/cache/cache_req_body.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 6391f928d6..5ffd08b77d 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- 	if (req->req_body_status->avail > 0)
- 		(void)VRB_Iterate(req->wrk, req->vsl, req,
- 		    httpq_req_body_discard, NULL);
-+	if (req->req_body_status == BS_ERROR)
-+		req->doclose = SC_RX_BODY;
- 	return (0);
- }
- 

CVE-2022-38150.patch

@@ -1,72 +0,0 @@
-From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland <martin@varnish-software.com>
-Date: Thu, 4 Aug 2022 10:59:33 +0200
-Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
-
-In http_EstimateWS(), all headers are passed to the http_isfiltered()
-function to calculate how many bytes is needed to serialize the entire
-struct http. http_isfiltered() will check the headers for whether they are
-going to be filtered out later and if so skip them.
-
-However http_isfiltered() would attempt to treat all elements of struct
-http as regular headers with an implicit structure. That does not hold for
-the first three pseudo-header entries, which would lead to asserts in
-later steps.
-
-This patch skips the filter step for pseudo-headers.
-
-Fixes: #3830
----
- bin/varnishd/cache/cache_http.c  |  2 ++
- bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
- create mode 100644 bin/varnishtest/tests/r03830.vtc
-
-diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
-index ed15e07f9e..d48c0bb366 100644
---- a/bin/varnishd/cache/cache_http.c
-+++ b/bin/varnishd/cache/cache_http.c
-@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
- 
- 	if (fm->hdf[u] & HDF_FILTER)
- 		return (1);
-+	if (u < HTTP_HDR_FIRST)
-+		return (0);
- 	e = strchr(fm->hd[u].b, ':');
- 	if (e == NULL)
- 		return (0);
-diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
-new file mode 100644
-index 0000000000..5155981923
---- /dev/null
-+++ b/bin/varnishtest/tests/r03830.vtc
-@@ -0,0 +1,29 @@
-+varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
-+
-+server s1 {
-+	rxreq
-+	txresp -reason ":x"
-+
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -vcl+backend {
-+	sub vcl_recv {
-+		return (hash);
-+	}
-+} -start
-+
-+client c1 {
-+	txreq
-+	rxresp
-+	expect resp.status == 200
-+} -run
-+
-+client c2 {
-+	txreq -url :x -method :x
-+	rxresp
-+	expect resp.status == 200
-+} -run
-+
-+varnish v1 -vsl_catchup

CVE-2025-30346.patch

@@ -0,0 +1,50 @@
+From 8ef69a03b36aeac5f364c01eb20f821860e47f14 Mon Sep 17 00:00:00 2001
+From: Dag Haavi Finstad <daghf@varnish-software.com>
+Date: Fri, 10 Jan 2025 13:07:54 +0100
+Subject: [PATCH] req_fsm: Close the connection on a malformed request
+
+---
+ bin/varnishd/cache/cache_req_fsm.c | 2 ++
+ bin/varnishtest/tests/b00037.vtc   | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c
+index 1004cbc5f47..803810210ef 100644
+--- a/bin/varnishd/cache/cache_req_fsm.c
++++ b/bin/varnishd/cache/cache_req_fsm.c
+@@ -962,6 +962,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ 	if (http_CountHdr(req->http0, H_Host) > 1) {
+ 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
+ 		wrk->stats->client_req_400++;
++		req->doclose = SC_RX_BAD;
+ 		(void)req->transport->minimal_response(req, 400);
+ 		return (REQ_FSM_DONE);
+ 	}
+@@ -969,6 +970,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ 	if (http_CountHdr(req->http0, H_Content_Length) > 1) {
+ 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers");
+ 		wrk->stats->client_req_400++;
++		req->doclose = SC_RX_BAD;
+ 		(void)req->transport->minimal_response(req, 400);
+ 		return (REQ_FSM_DONE);
+ 	}
+diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc
+index ce0e841123e..e6185bd0764 100644
+--- a/bin/varnishtest/tests/b00037.vtc
++++ b/bin/varnishtest/tests/b00037.vtc
+@@ -11,6 +11,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 1
++varnish v1 -expect sc_rx_bad == 1
+ 
+ client c1 {
+ 	txreq -method POST -hdr "Content-Length: 12" -hdr "Content-Length: 12" -bodylen 12
+@@ -20,6 +21,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 2
++varnish v1 -expect sc_rx_bad == 2
+ 
+ varnish v1 -cliok "param.set feature +http2"
+ 

fix-varnish-devel-installation-failure.patch

@@ -63,16 +63,6 @@ index 0eb77c5..6b3af4d 100755
  #
  # Copyright (c) 2010-2016 Varnish Software
  # All rights reserved.
-diff --git a/lib/libvcc/vsctool.py b/lib/libvcc/vsctool.py
-index 9df1dc4..82c8f33 100755
---- a/lib/libvcc/vsctool.py
-+++ b/lib/libvcc/vsctool.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python3
-+#!/usr/bin/python3
- # -*- encoding: utf-8 -*-
- #
- # Copyright (c) 2017 Varnish Software AS
 diff --git a/wflags.py b/wflags.py
 index 9e9e4e9..90605a2 100644
 --- a/wflags.py

varnish.spec

@@ -1,7 +1,9 @@
+%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
+
 Name:             varnish
 Summary:          A web application accelerator
-Version:          7.0.1
+Version:          7.4.3
-Release:          4
+Release:          2
 License:          BSD-2-Clause
 URL:              https://www.varnish-cache.org/
 Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@@ -10,13 +12,11 @@ Source0:          http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 Source1:          https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001:        fix-varnish-devel-installation-failure.patch
 Patch0002:        fix-varnish.service-reload-failed.patch
-##https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
+Patch0003:        CVE-2025-30346.patch
-Patch0003:        CVE-2022-23959.patch
-Patch0004:        CVE-2022-38150.patch
 
 BuildRequires:    python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires:    ncurses-devel pcre2-devel libedit-devel gcc
-Requires:         logrotate ncurses pcre2 jemalloc openEuler-rpm-config gcc
+Requires:         logrotate ncurses pcre2 jemalloc %{vendor}-rpm-config gcc
 Requires(pre):    shadow-utils
 Requires(post):   /usr/bin/uuidgen systemd-units systemd-sysv
 Requires(preun):  systemd-units
@@ -161,6 +161,21 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 
 %changelog
+* Mon Mar 24 2025 yaoxin <1024769339@qq.com> - 7.4.3-2
+- Fix CVE-2025-30346
+
+* Mon Mar 25 2024 zhangxingrong <zhangxingrong@uniontech.com> - 7.4.3-1
+- Update to 7.4.3 for fix CVE-2024-30156
+
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 7.4.2-1
+- Update to 7.4.2 for fix CVE-2023-44487
+
+* Tue Oct 10 2023 xu_ping <707078654@qq.com> - 7.4.1-1
+- Upgrade version to 7.4.1
+
+* Tue Nov 22 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-5
+- Fix CVE-2022-45060
+
 * Tue Aug 23 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 7.0.1-4
 - Fix CVE-2022-38150