From: Michael Tremer Date: Tue, 5 Apr 2016 21:52:54 +0000 (+0100) Subject: squid: Patch SQUID-2016:3/CVE-2016-3947 X-Git-Tag: v2.19-core101~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bdb319c0ca21c0540a7f2a652c0c431c6f894593;p=people%2Fpmueller%2Fipfire-2.x.git squid: Patch SQUID-2016:3/CVE-2016-3947 http://www.squid-cache.org/Advisories/SQUID-2016_3.txt Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets. This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak. Signed-off-by: Michael Tremer --- diff --git a/lfs/squid b/lfs/squid index 997c660bb0..8446bf3968 100644 --- a/lfs/squid +++ b/lfs/squid @@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13228.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4.14-fix-max-file-descriptors.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13230.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13232.patch cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/src/patches/squid-3.4-13232.patch b/src/patches/squid-3.4-13232.patch new file mode 100644 index 0000000000..442c34b16f --- /dev/null +++ b/src/patches/squid-3.4-13232.patch 
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 13232
+revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
+author: Yuriy M. Kaminskiy
+committer: Amos Jeffries
+branch nick: 3.4
+timestamp: Thu 2016-03-31 03:14:10 +1300
+message:
+ pinger: Fix buffer overflow in Icmp6::Recv
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
+# timestamp: 2016-03-30 14:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160220150859-\
+# 3unryicod1rcx9rm
+#
+# Begin patch
+=== modified file 'src/icmp/Icmp6.cc'
+--- src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
++++ src/icmp/Icmp6.cc 2016-03-30 14:14:10 +0000
+@@ -277,7 +277,7 @@
+ #define ip6_hops // HOPS!!! (can it be true??)
+
+ ip = (struct ip6_hdr *) pkt;
+- pkt += sizeof(ip6_hdr);
++ NP: echo size needs to +sizeof(ip6_hdr);
+
+ debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+ ", ip6_plen=" << ip->ip6_plen <<
+@@ -288,7 +288,6 @@
+ */
+
+ icmp6header = (struct icmp6_hdr *) pkt;
+- pkt += sizeof(icmp6_hdr);
+
+ if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+
+@@ -313,7 +312,7 @@
+ return;
+ }
+
+- echo = (icmpEchoData *) pkt;
++ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+
+ preply.opcode = echo->opcode;
+
+
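Review bot: In the last Icmp6.cc hunk, `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));` is followed directly by `preply.opcode = echo->opcode;`, and none of the three hunks shows the received byte count being compared with `sizeof(icmp6_hdr)` plus the fixed part of `icmpEchoData` before those fields are read. The pointer arithmetic is now correct, but a truncated ICMPv6 reply would presumably still be read past its end unless a length check exists in the part of Icmp6::Recv outside these hunks; that is worth confirming, and if it is absent a guard such as `if (<received length> < sizeof(icmp6_hdr) + <fixed icmpEchoData size>) return;` belongs before the cast. Separately, the added line `NP: echo size needs to +sizeof(ip6_hdr);` is not C++ and only compiles because it appears to sit inside the block comment closed by the ` */` at the top of the second hunk; wording it as an ordinary comment sentence would make that less fragile. The function body starts and ends outside the hunks.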