squid: Fix two security issues.

* CVE-2013-4115 * CVE-2013-4123 http://www.squid-cache.org/Versions/v3/3.1/changesets/
2026-04-14 04:52:59 +02:00 · 2013-08-07 22:15:31 +02:00
parent 726a85b8c1
commit 7323724196
4 changed files with 131 additions and 0 deletions
--- a/config/rootfiles/core/72/filelists/squid
+++ b/config/rootfiles/core/72/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
--- a/lfs/squid
+++ b/lfs/squid
@@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xjf $(DIR_DL)/$(DL_FILE)

+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10486.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10487.patch
+
 	cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \
 	   --datadir=/usr/lib/squid \
 	   --mandir=/usr/share/man --libexecdir=/usr/lib/squid \
--- a/src/patches/squid-3.1-10486.patch
+++ b/src/patches/squid-3.1-10486.patch
@@ -0,0 +1,54 @@
+------------------------------------------------------------
+revno: 10486
+revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l
+fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790
+author: Reinhard Sojka <reinhard.sojka@parlament.gv.at>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: SQUID_3_1
+timestamp: Fri 2013-02-22 04:13:25 -0700
+message:
+  Bug 3790: cachemgr.cgi crash with authentication
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b
+# timestamp: 2013-02-22 11:17:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130109021503-\
+#   hqg7ufldrudpzr9l
+# 
+# Begin patch
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc	2013-01-08 23:11:51 +0000
+++ tools/cachemgr.cc	2013-02-22 11:13:25 +0000
+@@ -1162,7 +1162,6 @@
+ {
+     static char buf[1024];
+     size_t stringLength = 0;
+-    const char *str64;
+ 
+     if (!req->passwd)
+         return "";
+@@ -1171,15 +1170,12 @@
+              req->user_name ? req->user_name : "",
+              req->passwd);
+ 
+-    str64 = base64_encode(buf);
+-
+-    stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
+    stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+ 
+     assert(stringLength < sizeof(buf));
+ 
+-    snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
+    snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+ 
+-    xxfree(str64);
+     return buf;
+ }
+ 
+
--- a/src/patches/squid-3.1-10487.patch
+++ b/src/patches/squid-3.1-10487.patch
@@ -0,0 +1,73 @@
+------------------------------------------------------------
+revno: 10487
+revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+author: Nathan Hoad <nathan@getoffmalawn.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: SQUID_3_1
+timestamp: Wed 2013-07-10 06:47:48 -0600
+message:
+  Protect against buffer overrun in DNS query generation
+  
+  see SQUID-2013:2.
+  
+  This bug has been present as long as the internal DNS component however
+  most code reaching this point is passing through URL validation first.
+  With Squid-3.2 Host header verification using DNS directly we may have
+  problems.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
+# timestamp: 2013-07-10 12:48:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130222111325-\
+#   zizr296kq3te4g7h
+# 
+# Begin patch
+=== modified file 'src/dns_internal.cc'
+--- src/dns_internal.cc	2011-10-11 02:12:56 +0000
+++ src/dns_internal.cc	2013-07-10 12:47:48 +0000
+@@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+-    unsigned int i;
+    size_t nameLength = strlen(name);
+
+    // Prevent buffer overflow on q->name
+    if (nameLength > NS_MAXDNAME) {
+        debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+        callback(data, NULL, 0, "Internal error");
+        return;
+    }
+
+    if (idnsCachedLookup(name, callback, data))
+        return;
+
+    idns_query *q = cbdataAlloc(idns_query);
+    q->id = idnsQueryID();
+     int nd = 0;
+-    idns_query *q;
+-
+-    if (idnsCachedLookup(name, callback, data))
+-        return;
+-
+-    q = cbdataAlloc(idns_query);
+-
+-    q->id = idnsQueryID();
+-
+-    for (i = 0; i < strlen(name); i++)
+    for (unsigned int i = 0; i < nameLength; ++i)
+         if (name[i] == '.')
+             nd++;
+ 
+-    if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+    if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+         q->do_searchpath = 1;
+     } else {
+         q->do_searchpath = 0;
+