From 421e0477220b9d03ec750cd5011501e004793d0c Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 26 Apr 2022 17:42:26 +0800
Subject: [PATCH] Fix CVE-2022-23959
---
 CVE-2022-23959.patch | 28 ++++++++++++++++++++++++++++
 varnish.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-23959.patch
diff --git a/CVE-2022-23959.patch b/CVE-2022-23959.patch
new file mode 100644
index 0000000..bf73e06
--- /dev/null
+++ b/CVE-2022-23959.patch
@@ -0,0 +1,28 @@
+From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
+From: Martin Blix Grydeland
+Date: Fri, 17 Dec 2021 22:10:16 +0100
+Subject: [PATCH] Mark req doclose when failing to ignore req body
+
+Previously we would ignore errors to iterate the request body into
+oblivion in VRB_Ignore(), keeping the connection open. This opens an
+out-of-sync vulnerability on H/1 connections.
+
+This patch tests the status of the request body in VRB_Ignore(), marking
+the request failed and that it should be closed on errors.
+---
+ bin/varnishd/cache/cache_req_body.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
+index 6391f928d6..5ffd08b77d 100644
+--- a/bin/varnishd/cache/cache_req_body.c
++++ b/bin/varnishd/cache/cache_req_body.c
+@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
+ if (req->req_body_status->avail > 0)
+ (void)VRB_Iterate(req->wrk, req->vsl, req,
+ httpq_req_body_discard, NULL);
++ if (req->req_body_status == BS_ERROR)
++ req->doclose = SC_RX_BODY;
+ return (0);
+ }
+
diff --git a/varnish.spec b/varnish.spec
index 154058f..9762e2e 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -1,7 +1,7 @@
 Name: varnish
 Summary: A web application accelerator
 Version: 7.0.1
-Release: 4
+Release: 5
 License: BSD
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
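Review bot: In the embedded upstream patch for bin/varnishd/cache/cache_req_body.c, the two lines added to VRB_Ignore() have no comment explaining why a failed body discard must close the connection, and the result of VRB_Iterate() is still cast to `(void)`. The new test therefore relies on every failure path of VRB_Iterate() leaving `req->req_body_status` at `BS_ERROR`, which cannot be confirmed from this hunk (the function starts above it and VRB_Iterate() is not shown). A comment above the new test would record the intent, for example `/* Body could not be drained: unread bytes would desynchronise the next request on this H/1 connection, so force a close. */`. Because this is a verbatim backport the wording belongs upstream; for the package itself, it is worth confirming against the 7.0.1 sources that VRB_Iterate() sets `BS_ERROR` on the same paths as the tree the fix was written for.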
@@ -10,6 +10,8 @@ Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001: fix-varnish-devel-installation-failure.patch
 Patch0002: fix-varnish.service-reload-failed.patch
+#https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
+Patch0003: CVE-2022-23959.patch
 BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires: ncurses-devel pcre2-devel libedit-devel gcc
@@ -158,6 +160,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 %changelog
+* Tue Apr 26 2022 yaoxin - 7.0.1-5
+- Fix CVE-2022-23959
+
 * Fri Mar 04 2022 houyingchao - 7.0.1-4
 - Strip binary files
--
Gitee
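Review bot: The `Patch0003: CVE-2022-23959.patch` line added to varnish.spec only declares the patch, and the %prep section lies outside these hunks, so it is not visible whether the patch is actually applied at build time. If %prep uses `%autosetup -p1` or `%autopatch` nothing more is needed, but if it applies patches one by one a `%patch0003 -p1` line is required, otherwise the package builds and ships as 7.0.1-5 without the CVE fix. The upstream-commit URL above the declaration matches the hash in the embedded patch header, which is useful provenance; writing it as `# https://…` with a space would match the usual spec comment style.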