squid: Fix two security issues.
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Aug 2013 20:15:31 +0000 (22:15 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Aug 2013 20:15:31 +0000 (22:15 +0200)
* CVE-2013-4115
* CVE-2013-4123

http://www.squid-cache.org/Versions/v3/3.1/changesets/

config/rootfiles/core/72/filelists/squid [new symlink]
lfs/squid
src/patches/squid-3.1-10486.patch [new file with mode: 0644]
src/patches/squid-3.1-10487.patch [new file with mode: 0644]

diff --git a/config/rootfiles/core/72/filelists/squid b/config/rootfiles/core/72/filelists/squid
new file mode 120000 (symlink)
index 0000000..2dc8372
--- /dev/null
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
index fde8606db23c874a023072d783ba11e929efd67b..81118c2c39663bb2cdf5280b316a3c47ead22124 100644 (file)
--- a/lfs/squid
+++ b/lfs/squid
@@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xjf $(DIR_DL)/$(DL_FILE)
 
+       cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10486.patch
+       cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10487.patch
+
        cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \
           --datadir=/usr/lib/squid \
           --mandir=/usr/share/man --libexecdir=/usr/lib/squid \
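Review bot: The two added `patch` lines do not say which advisory each changeset addresses, and the mapping to the two CVEs in the commit message cannot be checked from the patch headers. squid-3.1-10487.patch cites SQUID-2013:2, while squid-3.1-10486.patch cites only bug 3790 (a cachemgr.cgi crash) and no advisory. A comment above them such as `# 10486: bug 3790 (cachemgr.cgi crash with authentication); 10487: SQUID-2013:2 (DNS query buffer overrun)` would record what is actually applied. It is also worth confirming that CVE-2013-4123 is really covered by one of these changesets, since neither header names it.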
diff --git a/src/patches/squid-3.1-10486.patch b/src/patches/squid-3.1-10486.patch
new file mode 100644 (file)
index 0000000..6a0388e
--- /dev/null
@@ -0,0 +1,54 @@
+------------------------------------------------------------
+revno: 10486
+revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l
+fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790
+author: Reinhard Sojka <reinhard.sojka@parlament.gv.at>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: SQUID_3_1
+timestamp: Fri 2013-02-22 04:13:25 -0700
+message:
+  Bug 3790: cachemgr.cgi crash with authentication
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b
+# timestamp: 2013-02-22 11:17:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130109021503-\
+#   hqg7ufldrudpzr9l
+# 
+# Begin patch
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc  2013-01-08 23:11:51 +0000
++++ tools/cachemgr.cc  2013-02-22 11:13:25 +0000
+@@ -1162,7 +1162,6 @@
+ {
+     static char buf[1024];
+     size_t stringLength = 0;
+-    const char *str64;
+     if (!req->passwd)
+         return "";
+@@ -1171,15 +1170,12 @@
+              req->user_name ? req->user_name : "",
+              req->passwd);
+-    str64 = base64_encode(buf);
+-
+-    stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
++    stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+     assert(stringLength < sizeof(buf));
+-    snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
++    snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+-    xxfree(str64);
+     return buf;
+ }
+
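Review bot: The second `base64_encode(buf)`, on the added Proxy-Authorization line, runs after `buf` has been overwritten with the `Authorization: Basic …` header, so it encodes that header text rather than the `user:passwd` string written by the first snprintf. The imported changeset drops `str64` together with `xxfree(str64)`; presumably only the free caused the crash, though base64_encode's storage is not visible here. Keeping `const char *str64 = base64_encode(buf);` and passing `str64` to both snprintf calls, while removing just `xxfree(str64);`, would carry the same credentials in both headers. The function's signature lies outside the embedded hunk.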
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch
new file mode 100644 (file)
index 0000000..2ca4848
--- /dev/null
@@ -0,0 +1,73 @@
+------------------------------------------------------------
+revno: 10487
+revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+author: Nathan Hoad <nathan@getoffmalawn.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: SQUID_3_1
+timestamp: Wed 2013-07-10 06:47:48 -0600
+message:
+  Protect against buffer overrun in DNS query generation
+  
+  see SQUID-2013:2.
+  
+  This bug has been present as long as the internal DNS component however
+  most code reaching this point is passing through URL validation first.
+  With Squid-3.2 Host header verification using DNS directly we may have
+  problems.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
+# timestamp: 2013-07-10 12:48:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130222111325-\
+#   zizr296kq3te4g7h
+# 
+# Begin patch
+=== modified file 'src/dns_internal.cc'
+--- src/dns_internal.cc        2011-10-11 02:12:56 +0000
++++ src/dns_internal.cc        2013-07-10 12:47:48 +0000
+@@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+-    unsigned int i;
++    size_t nameLength = strlen(name);
++
++    // Prevent buffer overflow on q->name
++    if (nameLength > NS_MAXDNAME) {
++        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
++        callback(data, NULL, 0, "Internal error");
++        return;
++    }
++
++    if (idnsCachedLookup(name, callback, data))
++        return;
++
++    idns_query *q = cbdataAlloc(idns_query);
++    q->id = idnsQueryID();
+     int nd = 0;
+-    idns_query *q;
+-
+-    if (idnsCachedLookup(name, callback, data))
+-        return;
+-
+-    q = cbdataAlloc(idns_query);
+-
+-    q->id = idnsQueryID();
+-
+-    for (i = 0; i < strlen(name); i++)
++    for (unsigned int i = 0; i < nameLength; ++i)
+         if (name[i] == '.')
+             nd++;
+-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
++    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+         q->do_searchpath = 1;
+     } else {
+         q->do_searchpath = 0;
+
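Review bot: An empty `name` still reaches `name[nameLength-1]` in the added `res_defnames` condition, where `nameLength - 1` wraps around as a `size_t` and the read lands outside the string; the new guard rejects only over-long names. Guarding the index closes that, e.g. `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`. The length check also bounds only the caller's name: the size of `q->name` and any search-path suffix appended later when `do_searchpath` is set are outside this hunk. Whether a name of exactly `NS_MAXDNAME` characters plus such a suffix still fits should be confirmed there. idnsALookup's body continues past the end of the hunk.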