squid 3.5.28: latest patches (01-02)
authorMatthias Fischer <matthias.fischer@ipfire.org>
Thu, 1 Nov 2018 08:24:24 +0000 (09:24 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 1 Nov 2018 10:29:05 +0000 (10:29 +0000)
For details see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/squid
src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch [new file with mode: 0644]
src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch [new file with mode: 0644]

index cae5640..11b84d7 100644 (file)
--- a/lfs/squid
+++ b/lfs/squid
@@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
        cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
 
        cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
new file mode 100644 (file)
index 0000000..fadb1d4
--- /dev/null
@@ -0,0 +1,72 @@
+commit f1657a9decc820f748fa3aff68168d3145258031
+Author: Christos Tsantilas <christos@chtsanti.net>
+Date:   2018-10-17 15:14:07 +0000
+
+    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
+    
+    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
+    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
+    
+    Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
+    
+    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
+    
+    TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
+    
+    This is a Measurement Factory project.
+
+diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
+index b5030e3..314e998 100644
+--- a/src/ssl/ErrorDetail.cc
++++ b/src/ssl/ErrorDetail.cc
+@@ -8,6 +8,8 @@
+ #include "squid.h"
+ #include "errorpage.h"
++#include "fatal.h"
++#include "html_quote.h"
+ #include "ssl/ErrorDetail.h"
+ #include <climits>
+@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
++        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
++            // quote to avoid possible html code injection through
++            // certificate subject
++            return html_quote(tmpBuffer);
++        }
+     }
+     return "[Not available]";
+ }
+@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
+         static String tmpStr;  ///< A temporary string buffer
+         tmpStr.clean();
+         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
+-        if (tmpStr.size())
+-            return tmpStr.termedBuf();
++        if (tmpStr.size()) {
++            // quote to avoid possible html code injection through
++            // certificate subject
++            return html_quote(tmpStr.termedBuf());
++        }
+     }
+     return "[Not available]";
+ }
+@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
+ {
+     if (broken_cert.get()) {
+         static char tmpBuffer[256]; // A temporary buffer
+-        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
+-            return tmpBuffer;
++        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
++            // quote to avoid possible html code injection through
++            // certificate issuer subject
++            return html_quote(tmpBuffer);
++        }
+     }
+     return "[Not available]";
+ }
diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
new file mode 100644 (file)
index 0000000..2ae034c
--- /dev/null
@@ -0,0 +1,22 @@
+commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
+Author: flozilla <fishyflow@gmail.com>
+Date:   2018-10-24 14:12:01 +0200
+
+    Fix memory leak when parsing SNMP packet (#313)
+    
+    SNMP queries denied by snmp_access rules and queries with certain
+    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
+    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
+
+diff --git a/src/snmp_core.cc b/src/snmp_core.cc
+index c4d21c1..16c2993 100644
+--- a/src/snmp_core.cc
++++ b/src/snmp_core.cc
+@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
+             snmpConstructReponse(rq);
+         } else {
+             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
++            snmp_free_pdu(PDU);
+         }
+         xfree(Community);