squid: Patch SQUID-2016:3/CVE-2016-3947

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt

 Due to a buffer overrun Squid pinger binary is vulnerable to
 denial of service or information leak attack when processing
 ICMPv6 packets.

 This bug also permits the server response to manipulate other
 ICMP and ICMPv6 queries processing to cause information leak.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/lfs/squid b/lfs/squid
index 997c660bb01af888cbe1f19d1b223c21cc893533..8446bf3968c2a207df46a141d13a8c8f6d811f76 100644 (file)
--- a/lfs/squid
+++ b/lfs/squid
@@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13228.patch
        cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4.14-fix-max-file-descriptors.patch
        cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13230.patch
+       cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.4-13232.patch
        cd $(DIR_APP) && autoreconf -vfi
        cd $(DIR_APP)/libltdl && autoreconf -vfi
 

diff --git a/src/patches/squid-3.4-13232.patch b/src/patches/squid-3.4-13232.patch
new file mode 100644 (file)
index 0000000..442c34b
--- /dev/null
+++ b/src/patches/squid-3.4-13232.patch
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 13232
+revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
+author: Yuriy M. Kaminskiy <yumkam@gmail.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Thu 2016-03-31 03:14:10 +1300
+message:
+  pinger: Fix buffer overflow in Icmp6::Recv
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
+# timestamp: 2016-03-30 14:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160220150859-\
+#   3unryicod1rcx9rm
+# 
+# Begin patch
+=== modified file 'src/icmp/Icmp6.cc'
+--- src/icmp/Icmp6.cc  2014-09-15 05:06:14 +0000
++++ src/icmp/Icmp6.cc  2016-03-30 14:14:10 +0000
+@@ -277,7 +277,7 @@
+     #define ip6_hops  // HOPS!!!  (can it be true??)
+ 
+         ip = (struct ip6_hdr *) pkt;
+-        pkt += sizeof(ip6_hdr);
++        NP: echo size needs to +sizeof(ip6_hdr);
+ 
+     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+               ", ip6_plen=" << ip->ip6_plen <<
+@@ -288,7 +288,6 @@
+     */
+ 
+     icmp6header = (struct icmp6_hdr *) pkt;
+-    pkt += sizeof(icmp6_hdr);
+ 
+     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+ 
+@@ -313,7 +312,7 @@
+         return;
+     }
+ 
+-    echo = (icmpEchoData *) pkt;
++    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+ 
+     preply.opcode = echo->opcode;
+ 
+