From 7323724196db7b63d83bea9774e2b1356b1854aa Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 7 Aug 2013 22:15:31 +0200
Subject: [PATCH 1/1] squid: Fix two security issues.

* CVE-2013-4115
* CVE-2013-4123
http://www.squid-cache.org/Versions/v3/3.1/changesets/
---
 config/rootfiles/core/72/filelists/squid | 1 +
 lfs/squid | 3 +
 src/patches/squid-3.1-10486.patch | 54 ++++++++++++++++++
 src/patches/squid-3.1-10487.patch | 73 ++++++++++++++++++++++++
 4 files changed, 131 insertions(+)
 create mode 120000 config/rootfiles/core/72/filelists/squid
 create mode 100644 src/patches/squid-3.1-10486.patch
 create mode 100644 src/patches/squid-3.1-10487.patch
diff --git a/config/rootfiles/core/72/filelists/squid b/config/rootfiles/core/72/filelists/squid
new file mode 120000
index 000000000..2dc8372a0
--- /dev/null
+++ b/config/rootfiles/core/72/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/lfs/squid b/lfs/squid
index fde8606db..81118c2c3 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xjf $(DIR_DL)/$(DL_FILE)
 
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10486.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10487.patch
+
 cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \
 --datadir=/usr/lib/squid \
 --mandir=/usr/share/man --libexecdir=/usr/lib/squid \
diff --git a/src/patches/squid-3.1-10486.patch b/src/patches/squid-3.1-10486.patch
new file mode 100644
index 000000000..6a0388e5b
--- /dev/null
+++ b/src/patches/squid-3.1-10486.patch
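Review bot: The two added `patch -Np0` lines in lfs/squid carry no comment saying which advisory each changeset covers, and the mapping to the two CVEs named in the subject is not evident from the patches themselves. The header of squid-3.1-10487.patch cites SQUID-2013:2, while squid-3.1-10486.patch describes itself as bug 3790, a cachemgr.cgi crash, and names no advisory. I would add a comment above each line, for example `# 10487: SQUID-2013:2, DNS name length check in idnsALookup`, and confirm that the second CVE is actually addressed by one of these changesets for this Squid branch. The recipe continues outside the hunk.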
@@ -0,0 +1,54 @@
+------------------------------------------------------------
+revno: 10486
+revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l
+fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790
+author: Reinhard Sojka
+committer: Amos Jeffries
+branch nick: SQUID_3_1
+timestamp: Fri 2013-02-22 04:13:25 -0700
+message:
+ Bug 3790: cachemgr.cgi crash with authentication
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+# /SQUID_3_1
+# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b
+# timestamp: 2013-02-22 11:17:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+# /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130109021503-\
+# hqg7ufldrudpzr9l
+#
+# Begin patch
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc 2013-01-08 23:11:51 +0000
++++ tools/cachemgr.cc 2013-02-22 11:13:25 +0000
+@@ -1162,7 +1162,6 @@
+ {
+ static char buf[1024];
+ size_t stringLength = 0;
+- const char *str64;
+
+ if (!req->passwd)
+ return "";
+@@ -1171,15 +1170,12 @@
+ req->user_name ? req->user_name : "",
+ req->passwd);
+
+- str64 = base64_encode(buf);
+-
+- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+
+ assert(stringLength < sizeof(buf));
+
+- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+
+- xxfree(str64);
+ return buf;
+ }
+
+
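Review bot: The second `base64_encode(buf)` in the patched tools/cachemgr.cc runs after the first `snprintf` has already overwritten `buf` with the `Authorization: Basic …` line, so the Proxy-Authorization header appears to encode that header text rather than the `user:password` string. Keeping the local and dropping only the free avoids this: `const char *str64 = base64_encode(buf);` before the first `snprintf`, with `str64` passed to both calls and `xxfree(str64)` left out. This assumes base64_encode returns storage the caller must not free, which the removed `xxfree` and the bug title suggest but the hunk does not show. The function's signature and opening lines lie outside the inner hunks.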
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch
new file mode 100644
index 000000000..2ca4848c2
--- /dev/null
+++ b/src/patches/squid-3.1-10487.patch
@@ -0,0 +1,73 @@
+------------------------------------------------------------
+revno: 10487
+revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+author: Nathan Hoad
+committer: Amos Jeffries
+branch nick: SQUID_3_1
+timestamp: Wed 2013-07-10 06:47:48 -0600
+message:
+ Protect against buffer overrun in DNS query generation
+
+ see SQUID-2013:2.
+
+ This bug has been present as long as the internal DNS component however
+ most code reaching this point is passing through URL validation first.
+ With Squid-3.2 Host header verification using DNS directly we may have
+ problems.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+# /SQUID_3_1
+# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
+# timestamp: 2013-07-10 12:48:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+# /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130222111325-\
+# zizr296kq3te4g7h
+#
+# Begin patch
+=== modified file 'src/dns_internal.cc'
+--- src/dns_internal.cc 2011-10-11 02:12:56 +0000
++++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
+@@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+- unsigned int i;
++ size_t nameLength = strlen(name);
++
++ // Prevent buffer overflow on q->name
++ if (nameLength > NS_MAXDNAME) {
++ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. 
 see access.log for details.");
++ callback(data, NULL, 0, "Internal error");
++ return;
++ }
++
++ if (idnsCachedLookup(name, callback, data))
++ return;
++
++ idns_query *q = cbdataAlloc(idns_query);
++ q->id = idnsQueryID();
+ int nd = 0;
+- idns_query *q;
+-
+- if (idnsCachedLookup(name, callback, data))
+- return;
+-
+- q = cbdataAlloc(idns_query);
+-
+- q->id = idnsQueryID();
+-
+- for (i = 0; i < strlen(name); i++)
++ for (unsigned int i = 0; i < nameLength; ++i)
+ if (name[i] == '.')
+ nd++;
+
+- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
++ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+ q->do_searchpath = 1;
+ } else {
+ q->do_searchpath = 0;
+
-- 
2.39.2
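Review bot: `name[nameLength-1]` in the rewritten `res_defnames` condition is still evaluated for an empty name, where `nameLength-1` wraps around as a `size_t` and the read lands outside the string; the new length check only rejects names that are too long. Guarding the index closes this: `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`. The `debugs` line also writes the full over-long name, which may originate from a request, to the log at DBG_IMPORTANT; logging the length or a truncated prefix would keep a single lookup from bloating the log. idnsALookup continues past the end of the hunk, so whether a search-path suffix is later appended to `q->name` without its own bound cannot be checked here.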