From bdb319c0ca21c0540a7f2a652c0c431c6f894593 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 5 Apr 2016 22:52:54 +0100
Subject: [PATCH] squid: Patch SQUID-2016:3/CVE-2016-3947

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets. This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

Signed-off-by: Michael Tremer
---
 lfs/squid | 1 +
 src/patches/squid-3.4-13232.patch | 51 +++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 src/patches/squid-3.4-13232.patch

diff --git a/lfs/squid b/lfs/squid
index 997c660bb0..8446bf3968 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13228.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4.14-fix-max-file-descriptors.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13230.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13232.patch
 cd $(DIR_APP) && autoreconf -vfi
 cd $(DIR_APP)/libltdl && autoreconf -vfi
diff --git a/src/patches/squid-3.4-13232.patch b/src/patches/squid-3.4-13232.patch
new file mode 100644
index 0000000000..442c34b16f
--- /dev/null
+++ b/src/patches/squid-3.4-13232.patch
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 13232
+revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
+author: Yuriy M. Kaminskiy
+committer: Amos Jeffries
+branch nick: 3.4
+timestamp: Thu 2016-03-31 03:14:10 +1300
+message:
+ pinger: Fix buffer overflow in Icmp6::Recv
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
+# timestamp: 2016-03-30 14:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160220150859-\
+# 3unryicod1rcx9rm
+# 
+# Begin patch
+=== modified file 'src/icmp/Icmp6.cc'
+--- src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
++++ src/icmp/Icmp6.cc 2016-03-30 14:14:10 +0000
+@@ -277,7 +277,7 @@
+ #define ip6_hops // HOPS!!! (can it be true??)
+ 
+ ip = (struct ip6_hdr *) pkt;
+- pkt += sizeof(ip6_hdr);
++ NP: echo size needs to +sizeof(ip6_hdr);
+ 
+ debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+ ", ip6_plen=" << ip->ip6_plen <<
+@@ -288,7 +288,6 @@
+ */
+ 
+ icmp6header = (struct icmp6_hdr *) pkt;
+- pkt += sizeof(icmp6_hdr);
+ 
+ if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+ 
+@@ -313,7 +312,7 @@
+ return;
+ }
+ 
+- echo = (icmpEchoData *) pkt;
++ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+ 
+ preply.opcode = echo->opcode;
+ 
+
-- 
2.39.2
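Review bot: The replacement line in the first inner hunk, `++ NP: echo size needs to +sizeof(ip6_hdr);`, is not a valid C++ statement as carried here: it reads as the reviewer-style note that replaced `pkt += sizeof(ip6_hdr);` upstream, so the leading `//` appears to have been lost (possibly only in this rendering), and the Makefile hunk applies this file unconditionally with `patch -Np0`, so a corrupted copy would break the squid build rather than fail safely. Compare the carried file byte-for-byte with the upstream r13232 merge directive before the next build. Separately, the fix only corrects the offsets used for `icmp6header` and `echo` by no longer advancing `pkt`; these hunks do not show whether Icmp6::Recv checks the received length against `sizeof(ip6_hdr) + sizeof(icmp6_hdr) + sizeof(icmpEchoData)` before `echo->opcode` is read, which is worth confirming in the surrounding function since the advisory's root cause is an over-read of the receive buffer. Icmp6::Recv starts and ends outside the hunk.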