squid: Patch SQUID-2016:3/CVE-2016-3947

http://www.squid-cache.org/Advisories/SQUID-2016_3.txt Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets. This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-27 03:07:43 +02:00 · 2016-04-05 22:52:54 +01:00
parent 52b08bc1ea
commit bdb319c0ca
2 changed files with 52 additions and 0 deletions
--- a/src/patches/squid-3.4-13232.patch
+++ b/src/patches/squid-3.4-13232.patch
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 13232
+revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
+author: Yuriy M. Kaminskiy <yumkam@gmail.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Thu 2016-03-31 03:14:10 +1300
+message:
+  pinger: Fix buffer overflow in Icmp6::Recv
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
+# timestamp: 2016-03-30 14:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160220150859-\
+#   3unryicod1rcx9rm
+# 
+# Begin patch
+=== modified file 'src/icmp/Icmp6.cc'
+--- src/icmp/Icmp6.cc	2014-09-15 05:06:14 +0000
+++ src/icmp/Icmp6.cc	2016-03-30 14:14:10 +0000
+@@ -277,7 +277,7 @@
+     #define ip6_hops	// HOPS!!!  (can it be true??)
+ 
+         ip = (struct ip6_hdr *) pkt;
+-        pkt += sizeof(ip6_hdr);
+        NP: echo size needs to +sizeof(ip6_hdr);
+ 
+     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+     		", ip6_plen=" << ip->ip6_plen <<
+@@ -288,7 +288,6 @@
+     */
+ 
+     icmp6header = (struct icmp6_hdr *) pkt;
+-    pkt += sizeof(icmp6_hdr);
+ 
+     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+ 
+@@ -313,7 +312,7 @@
+         return;
+     }
+ 
+-    echo = (icmpEchoData *) pkt;
+    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+ 
+     preply.opcode = echo->opcode;
+ 
+