[3.7] varnish: Data leak - ‘-sfile’ Stevedore transient objects (CVE-2017-8807)
A wrong if statement in the varnishd source code means that synthetic
objects in stevedores which over-allocate may leak up to a page size of
data from a malloc(3) memory allocation.
In an unpredictable percentage of the cases where this condition arises,
a segmentation fault will happen instead. All of the following conditions
are required to trigger the problem:
- A -sfile or -spersistent stevedore must be configured.
- A synthetic object must be created in vcl_backend_error{}.
- The synthetic object ends up in the file or persistent stevedore.
Affected Versions:
4.1.0 to 5.2.0
Fixed In:
varnish 4.1.9, varnish 5.2.1
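As an added triage helper (not part of this issue, the Alpine package or the Varnish project), the script below encodes the version ranges and the three trigger conditions listed above so an operator can check a host without reading the advisory again. It assumes dotted X.Y.Z version strings, that the 4.1 branch is fixed from 4.1.9 onwards and the 5.x line from 5.2.1 onwards (the page lists only those two fixed releases), and it approximates "synthetic object created in vcl_backend_error{}" by scanning the VCL text for a synthetic() call inside that sub; the command-line and VCL samples in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added example for CVE-2017-8807 / VSV00002 triage. Not code from the
# Alpine issue or from Varnish; the version ranges and trigger conditions
# are taken from the advisory text, the parsing is an approximation.

# Turn "5.2.1" into a comparable integer (5002001); missing fields are 0.
vernum() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when the given varnishd version is in the affected range.
# Assumption: 4.1.0 <= v < 4.1.9 and 5.0.0 <= v < 5.2.1 are affected,
# matching "4.1.0 to 5.2.0" with fixes in 4.1.9 and 5.2.1.
varnish_affected() {
    v=$(vernum "$1")
    if [ "$v" -ge "$(vernum 4.1.0)" ] && [ "$v" -lt "$(vernum 4.1.9)" ]; then
        return 0
    fi
    if [ "$v" -ge "$(vernum 5.0.0)" ] && [ "$v" -lt "$(vernum 5.2.1)" ]; then
        return 0
    fi
    return 1
}

# Exit 0 when a varnishd command line uses a file or persistent stevedore
# AND the VCL text calls synthetic() inside sub vcl_backend_error.
# The VCL scan is line-oriented and counts braces to find the end of the
# sub; it is a heuristic, not a VCL parser.
config_triggers() {
    cmdline=$1
    vcl=$2
    printf '%s\n' "$cmdline" | grep -Eq -- '-s ?(file|persistent)' || return 1
    printf '%s\n' "$vcl" | awk '
        /^[[:space:]]*sub[[:space:]]+vcl_backend_error[[:space:]]*\{/ {
            inerr = 1; depth = 0
        }
        inerr {
            if ($0 ~ /synthetic[[:space:]]*\(/) found = 1
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth <= 0) inerr = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# Usage on a live host (constructed example; adjust paths to the system):
#   ver=$(varnishd -V 2>&1 | sed -n 's/.*varnish-\([0-9.]*\).*/\1/p')
#   varnish_affected "$ver" && echo "varnishd $ver is in the affected range"
#   config_triggers "$(cat /proc/$(pidof varnishd | cut -d' ' -f1)/cmdline | tr '\0' ' ')" \
#       "$(cat /etc/varnish/default.vcl)" && echo "trigger conditions present"
```

On an affected version the only real fix is the upgrade to 4.1.9 or 5.2.1; until then, switching the stevedore to malloc or removing synthetic() from vcl_backend_error removes one of the required conditions, which is what the second function reports on.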
References:
http://varnish-cache.org/security/VSV00002.html
Patch:
https://github.com/varnishcache/varnish-cache/commit/176f8a075a
(from redmine: issue id 8164, created on 2017-11-17, closed on 2017-11-22)
- Relations:
- parent #8163 (closed)
- Changesets:
- Revision 95bf3911 by Natanael Copa on 2017-11-21T11:01:29Z:
main/varnish: security upgrade to 5.2.1 (CVE-2017-8807)
fixes #8164