[alpine-aports] [PATCH v3.1] main/squid: security upgrade - fixes #5216

Details
Message ID
<1481727621-8035-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1481727621
DKIM signature
missing
Patch: +359 -5
Fixes CVE-2016-2571, CVE-2016-2569 and CVE-2016-2570.
---
 main/squid/APKBUILD                            |  23 ++-
 main/squid/squid-3.5-13990-CVE-2016-2571.patch |  47 ++++++
 main/squid/squid-3.5-13991-CVE-2016-2569.patch | 223 +++++++++++++++++++++++++
 main/squid/squid-3.5-13993-CVE-2016-2570.patch |  71 ++++++++
 4 files changed, 359 insertions(+), 5 deletions(-)
 create mode 100644 main/squid/squid-3.5-13990-CVE-2016-2571.patch
 create mode 100644 main/squid/squid-3.5-13991-CVE-2016-2569.patch
 create mode 100644 main/squid/squid-3.5-13993-CVE-2016-2570.patch

diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index a749db7..7624771 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,8 +1,9 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=3.4.14
pkgrel=2
pkgrel=3
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -26,6 +27,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
	squid-3.4-13235.patch
	SQUID-2016_8.patch
	SQUID-2016_9.patch
	squid-3.5-13990-CVE-2016-2571.patch
	squid-3.5-13991-CVE-2016-2569.patch
	squid-3.5-13993-CVE-2016-2570.patch

	squid.initd
	squid.confd
@@ -35,9 +39,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
pkgusers="squid"
pkggroups="squid"

_builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir"/$pkgname-$pkgver
prepare() {
	cd "$_builddir"
	cd "$builddir"
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -47,7 +51,7 @@ prepare() {
}

build() {
	cd "$_builddir"
	cd "$builddir"

	./configure \
		--build=$CBUILD \
@@ -91,7 +95,7 @@ build() {
}

package() {
	cd "$_builddir"
	cd "$builddir"
	make DESTDIR="$pkgdir" install

	install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
@@ -120,6 +124,9 @@ aaa90395f61377c5d0efc6c662cbd643  urlgroup.patch
e8cb42ff4fece3d34fb18dd9c9de9624  squid-3.4-13235.patch
5a04690517dbade66ea41aae0db9f3aa  SQUID-2016_8.patch
fa14289924dea81c3507879376456e66  SQUID-2016_9.patch
ffd171f39dd5c0db28f1979c99863472  squid-3.5-13990-CVE-2016-2571.patch
5dadf06e369f253e077310ded5ede674  squid-3.5-13991-CVE-2016-2569.patch
5be19e981eb0f2c02c2972882337ad7e  squid-3.5-13993-CVE-2016-2570.patch
947b668332a205626c854d0aece0f3e0  squid.initd
73db59e6c1c242dbc748feeb116650e0  squid.confd
58823e0b86bc2dc71d270208b7b284b4  squid.logrotate"
@@ -131,6 +138,9 @@ da44e0e017cc25deb3b221dd0fc7b535c30165cc4eab4752607ad210f60c36b3  squid-3.4-1323
9039b6632ba91e2c4f8df8b34b4daa9a80692722b0a1ddf8b42dd3c6e31882c1  squid-3.4-13235.patch
50e0b16ee5f7e5683563c3234695f74d1b18e8fcdcce097dc8eb442fc6606e18  SQUID-2016_8.patch
9f86e103766a08bb15b06755b6a5b13e5821e89a1472cc0de29b11900c3e6fd0  SQUID-2016_9.patch
9f1f95a1471881fe5dd8da3d473376cffbb0a0d484e639474f589d626bfa6dde  squid-3.5-13990-CVE-2016-2571.patch
34448f24ed73b040ea6c7ef5c18054445ea309104dfdc43f68a4cce7f11362ed  squid-3.5-13991-CVE-2016-2569.patch
405e3e8d2fbf0f675e17a16f0f6c024e470a01ead17c2b0626a98aee55917b87  squid-3.5-13993-CVE-2016-2570.patch
29eb267e6ebf9b409836b35ba37f263924f40c30cd0c24b91b1ddce380f2163b  squid.initd
4012fc97d7ab653c8a73c4dac09751de80c847a90ee2483ddd41a04168cdeb2b  squid.confd
b6efdb3261c2e4b5074ef49160af8b96e65f934c7fd64b8954df48aa41cd9b67  squid.logrotate"
@@ -142,6 +152,9 @@ b477397f205ba207502a42aae674c85cad85eec831158ea0834361d98ef09a0f103d7a847e101bdd
099df7c5cc803e03f3bd77ee20348834b82110a6f7a844512d90dbfb957f1b6da0168a5a31d00b18ab0ccce704a7f97655f1acc84440204b614dc2913d935da8  squid-3.4-13235.patch
a0ca97c1cb1b04b6e94af55dd67c11f084a07106ad8bb1687d52762b906d8a79247cfde9de4abf1c65da1b0aefacfaae9166ad9c5f6183f5b5dd1ec3ab4ae81b  SQUID-2016_8.patch
af96a87ad673b38c974b8d9e49a235d65d4a480cae3859d1018bf5fec77c79dffbfa42454937eb309aef5a745a800edfc543ac3d5041d961a094af42a58f91b7  SQUID-2016_9.patch
f59e753fa2c416b57091eede4dfe04c5a6cf72443a0eb7d539b756b2a42d9ff20cfd2616353d256f4670d4c6d3833b3135e8967db5c28f1f5f1b252700dd419d  squid-3.5-13990-CVE-2016-2571.patch
5874f00c02ced40b5e61ad5e3ef2cb30098f2e941258248779a4c227c819d9ea47be6d8ef143631a0834e99b2b04fa3db3d2e8eab81b329c8c14f7ae78ca3822  squid-3.5-13991-CVE-2016-2569.patch
501febe38a46e955b1225fddfcbd0e984b16ae94d6f1bff5414c3b5ab28f6c327138108732babcbdc3da8e5596e94aeccf449734c5782d0f5c1fbe97598ebe2f  squid-3.5-13993-CVE-2016-2570.patch
3da7673cde48aac9d7f45b0c0208c2608dd66b3fa70f897b83cb3d0a4f9ba88f3e3706cbab65eb811e77a52643d8616350c84ab599d8e617212f934cb44ffc99  squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9  squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5  squid.logrotate"
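Review bot: The `_builddir` → `builddir` rename in prepare(), build() and package() is unrelated to the three CVE backports and is not mentioned anywhere in the commit message, which lists only the CVE identifiers; someone bisecting a build regression later will not expect a variable rename inside a security-fix commit. Either split the rename into its own commit or add one sentence to the description, e.g. `Also rename _builddir to builddir to follow current abuild convention.` The `+`/`-` markers are lost in this rendering, so which of the two contributor/pkgrel lines is old and which is new is inferred from the hunk counts rather than visible.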
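--- /dev/null
+++ b/main/squid/squid-3.5-13990-CVE-2016-2571.patch
@@ -0,0 +1,47 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13990
+revision-id: rousskov@measurement-factory.com-20160218041533-8tmtd45c3nky2gyy
+parent: squid3@treenet.co.nz-20160215135848-ms0dmjsfouxcb8g2
+committer: Alex Rousskov <rousskov@measurement-factory.com>
+branch nick: 3.5
+timestamp: Wed 2016-02-17 21:15:33 -0700
+message:
+  Better handling of huge response headers. Fewer "BUG 3279" messages.
+  
+  When we failed to parse a response, do not store the fake half-baked
+  response (via a replaceHttpReply() call). Doing so leads to misleading
+  "BUG 3279: HTTP reply without Date" messages (at best).  The fake
+  response is only meant for continueAfterParsingHeader().
+  
+  Also removed a misleading XXX that may have caused Bug 4432 in v4.0
+  (trunk r14548).
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: rousskov@measurement-factory.com-20160218041533-\
+#   8tmtd45c3nky2gyy
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 0a7978c0442191d33a9472c6185692a78da6c0b0
+# timestamp: 2016-02-18 04:50:56 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160215135848-\
+#   ms0dmjsfouxcb8g2
+# 
+# Begin patch
+=== modified file 'src/http.cc'
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -719,11 +719,8 @@
+         if (!parsed && error > 0) { // unrecoverable parsing error
+             debugs(11, 3, "processReplyHeader: Non-HTTP-compliant header: '" <<  readBuf->content() << "'");
+             flags.headers_parsed = true;
+-            // XXX: when sanityCheck is gone and Http::StatusLine is used to parse,
+-            //   the sline should be already set the appropriate values during that parser stage
+             newrep->sline.set(Http::ProtocolVersion(1,1), error);
+-            HttpReply *vrep = setVirginReply(newrep);
+-            entry->replaceHttpReply(vrep);
++            setVirginReply(newrep);
+             ctx_exit(ctx);
+             return;
+         }
+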
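Review bot: The header line `patch was modified for applying to squid-3.4.14` records that upstream 3.5 revision 13990 was adapted, but not what was changed or dropped relative to the original, and the same one-liner heads the CVE-2016-2569 and CVE-2016-2570 patch files in this commit; whoever next rebases these onto a newer tarball or compares them against upstream has to diff blind. Add a sentence under the header in each file describing the adaptation, e.g. `adapted to 3.4.14: <describe the hunks changed or dropped — fill in>`. For this file the visible change is a single src/http.cc hunk that stops storing the fake reply via `entry->replaceHttpReply(vrep)` on the unrecoverable-parse path, so the note can be short; the enclosing function starts and ends outside the hunk.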
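--- /dev/null
+++ b/main/squid/squid-3.5-13991-CVE-2016-2569.patch
@@ -0,0 +1,223 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13991
+revision-id: rousskov@measurement-factory.com-20160219231541-syrgnvl1av8bbn8d
+parent: rousskov@measurement-factory.com-20160218041533-8tmtd45c3nky2gyy
+committer: Alex Rousskov <rousskov@measurement-factory.com>
+branch nick: 3.5
+timestamp: Fri 2016-02-19 16:15:41 -0700
+message:
+  Throw instead of asserting on some String overflows.
+  
+  Note that Client-caught exceptions result in HTTP 500 (Internal Server
+  Error) responses with X-Squid-Error set to "ERR_CANNOT_FORWARD 0".
+  
+  Also avoid stuck Client jobs on exceptions. 
+  
+  Also unified String size limit checks.
+  
+  Essentially trunk r14552, which has a detailed commit message.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: rousskov@measurement-factory.com-20160219231541-\
+#   syrgnvl1av8bbn8d
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 3a9c41e0584065e737250cf9f8eb9eea7a85e9ba
+# timestamp: 2016-02-19 23:50:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: rousskov@measurement-factory.com-20160218041533-\
+#   8tmtd45c3nky2gyy
+# 
+# Begin patch
+=== modified file 'src/SquidString.h'
+--- a/src/SquidString.h
++++ b/src/SquidString.h
+@@ -80,6 +80,13 @@
+     _SQUID_INLINE_ int caseCmp(char const *, size_type count) const;
+     _SQUID_INLINE_ int caseCmp(String const &) const;
+ 
++    /// Whether creating a totalLen-character string is safe (i.e., unlikely to assert).
++    /// Optional extras can be used for overflow-safe length addition.
++    /// Implementation has to add 1 because many String allocation methods do.
++    static bool CanGrowTo(size_type totalLen, const size_type extras = 0) { return SafeAdd(totalLen, extras) && SafeAdd(totalLen, 1); }
++    /// whether appending growthLen characters is safe (i.e., unlikely to assert)
++    bool canGrowBy(const size_type growthLen) const { return CanGrowTo(size(), growthLen); }
++
+     String substr(size_type from, size_type to) const;
+ 
+     _SQUID_INLINE_ void cut(size_type newLength);
+@@ -95,10 +102,14 @@
+     _SQUID_INLINE_ bool nilCmp(bool, bool, int &) const;
+ 
+     /* never reference these directly! */
+-    size_type size_; /* buffer size; 64K limit */
++    size_type size_; /* buffer size; limited by SizeMax_ */
+ 
+     size_type len_;  /* current length  */
+ 
++    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
++    /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
++    static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
++
+     char *buf_;
+ 
+     _SQUID_INLINE_ void set(char const *loc, char const ch);
+
+=== modified file 'src/StrList.cc'
+--- a/src/StrList.cc
++++ b/src/StrList.cc
+@@ -11,20 +11,24 @@
+ #include "squid.h"
+ #include "SquidString.h"
+ #include "StrList.h"
++#include "base/TextException.h" 
+ 
+ /** appends an item to the list */
+ void
+ strListAdd(String * str, const char *item, char del)
+ {
+     assert(str && item);
++    const String::size_type itemSize = strlen(item);
+     if (str->size()) {
+         char buf[3];
+         buf[0] = del;
+         buf[1] = ' ';
+         buf[2] = '\0';
++        Must(str->canGrowBy(2));
+         str->append(buf, 2);
+     }
+-    str->append(item, strlen(item));
++    Must(str->canGrowBy(itemSize));
++    str->append(item, itemSize);
+ }
+ 
+ /** returns true iff "m" is a member of the list */
+
+=== modified file 'src/String.cc'
+--- a/src/String.cc
++++ b/src/String.cc
+@@ -42,7 +42,7 @@
+ String::setBuffer(char *aBuf, String::size_type aSize)
+ {
+     assert(undefined());
+-    assert(aSize < 65536);
++    assert(aSize <= SizeMax_);
+     buf_ = aBuf;
+     size_ = aSize;
+ }
+@@ -171,7 +171,7 @@
+     } else {
+         // Create a temporary string and absorb it later.
+         String snew;
+-        assert(len_ + len < 65536); // otherwise snew.len_ overflows below
++        assert(canGrowBy(len)); // otherwise snew.len_ may overflow below
+         snew.len_ = len_ + len;
+         snew.allocBuffer(snew.len_ + 1);
+ 
+
+=== modified file 'src/Server.cc'
+--- a/src/Server.cc
++++ b/src/Server.cc
+@@ -49,6 +49,7 @@
+         startedAdaptation(false),
+ #endif
+         receivedWholeRequestBody(false),
++        doneWithFwd(NULL),
+         theVirginReply(NULL),
+         theFinalReply(NULL)
+ {
+@@ -74,8 +75,6 @@
+     HTTPMSGUNLOCK(theVirginReply);
+     HTTPMSGUNLOCK(theFinalReply);
+ 
+-    fwd = NULL; // refcounted
+-
+     if (responseBodyBuffer != NULL) {
+         delete responseBodyBuffer;
+         responseBodyBuffer = NULL;
+@@ -93,6 +92,14 @@
+     cleanAdaptation();
+ #endif
+ 
++    if (!doneWithServer())
++        closeServer();
++
++    if (!doneWithFwd) {
++        doneWithFwd = "swanSong()";
++        fwd->handleUnregisteredServerEnd();
++    }
++
+     BodyConsumer::swanSong();
+ #if USE_ADAPTATION
+     Initiator::swanSong();
+@@ -218,6 +225,7 @@
+ {
+     debugs(11,5, HERE << "completing forwarding for "  << fwd);
+     assert(fwd != NULL);
++    doneWithFwd = "completeForwarding()";
+     fwd->complete();
+ }
+ 
+
+=== modified file 'src/Server.h'
+--- a/src/Server.h
++++ b/src/Server.h
+@@ -176,6 +176,10 @@
+ #endif
+     bool receivedWholeRequestBody; ///< handleRequestBodyProductionEnded called
+ 
++    /// whether we should not be talking to FwdState; XXX: clear fwd instead
++    /// points to a string literal which is used only for debugging
++    const char *doneWithFwd;
++
+ private:
+     void sendBodyIsTooLargeError();
+     void maybePurgeOthers();
+
+=== modified file 'src/ftp.cc'
+--- a/src/ftp.cc
++++ b/src/ftp.cc
+@@ -839,6 +839,7 @@
+ {
+     debugs(9, 4, HERE);
+     ctrl.clear();
++    doneWithFwd = "ctrlClosed()"; // assume FwdState is monitoring too
+     mustStop("FtpStateData::ctrlClosed");
+ }
+ 
+
+=== modified file 'src/http.cc'
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -152,6 +152,7 @@
+ HttpStateData::httpStateConnClosed(const CommCloseCbParams &params)
+ {
+     debugs(11, 5, "httpStateFree: FD " << params.fd << ", httpState=" << params.data);
++    doneWithFwd = "httpStateConnClosed()"; // assume FwdState is monitoring too
+     mustStop("HttpStateData::httpStateConnClosed");
+ }
+ 
+@@ -2407,21 +2409,11 @@
+     ServerStateData::sentRequestBody(io);
+ }
+ 
+-// Quickly abort the transaction
+-// TODO: destruction should be sufficient as the destructor should cleanup,
+-// including canceling close handlers
+ void
+ HttpStateData::abortTransaction(const char *reason)
+ {
+     debugs(11,5, HERE << "aborting transaction for " << reason <<
+            "; " << serverConnection << ", this " << this);
+-
+-    if (Comm::IsConnOpen(serverConnection)) {
+-        serverConnection->close();
+-        return;
+-    }
+-
+-    fwd->handleUnregisteredServerEnd();
+-    mustStop("HttpStateData::abortTransaction");
++    mustStop(reason);
+ }
+ 
+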
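Review bot: In the `src/Server.cc` swanSong hunk (`@@ -93,6 +92,14 @@`, enclosing function starts outside the hunk) the new `fwd->handleUnregisteredServerEnd()` call runs whenever `doneWithFwd` is still NULL, with no check that `fwd` itself is set, while the `fwd = NULL; // refcounted` reset in the preceding hunk is removed and `completeForwarding()` later in the same file still guards the same pointer with `assert(fwd != NULL)`. If `fwd` is always assigned by the constructor (outside this hunk) this is fine, but the teardown path is exactly where a partially constructed object would surface, so mirror the existing guard: `if (!doneWithFwd) { assert(fwd != NULL); doneWithFwd = "swanSong()"; fwd->handleUnregisteredServerEnd(); }`. Separately, `HttpStateData::abortTransaction()` now forwards the caller-supplied `reason` straight to `mustStop(reason)`; if `mustStop()` keeps the pointer rather than copying it (as the Server.h comment says `doneWithFwd` does), that is only safe while every caller passes a string literal, which this hunk cannot show — a one-line comment on the parameter, `// reason must be a string literal (stored, not copied)`, would pin the contract.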
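--- /dev/null
+++ b/main/squid/squid-3.5-13993-CVE-2016-2570.patch
@@ -0,0 +1,71 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13993
+revision-id: squid3@treenet.co.nz-20160223154710-wcrkwwyohp2f263g
+parent: squidadm@squid-cache.org-20160220001407-1ejhjctyaf86oame
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3870
+author: William Lima <william.lima@hscbrasil.com.br>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Wed 2016-02-24 04:47:10 +1300
+message:
+  Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
+  
+  The custom ESI parser used in absence of libxml2 or libexpat parsers was
+  restricted to handling 64KB buffers but under some conditions could expand
+  to over 64KB during the parse process. Hitting this assertion.
+  
+  TODO: the parser can now be redesigned to make use of Tokenizer and
+        CharacterSet parsing tools. But that is left for later work.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160223154710-wcrkwwyohp2f263g
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: d8513f84eb3af6881e9264e9e4a4b0b3c6302caf
+# timestamp: 2016-02-23 15:50:48 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squidadm@squid-cache.org-20160220001407-\
+#   1ejhjctyaf86oame
+# 
+# Begin patch
+=== modified file 'src/esi/CustomParser.cc'
+--- a/src/esi/CustomParser.cc
++++ b/src/esi/CustomParser.cc
+@@ -89,9 +89,11 @@
+     }
+ 
+     size_t openESITags (0);
+-    //erring on the safe side. Probably rawBuf would be ok too
+-    char const *currentPos = content.termedBuf();
+-    size_t remainingCount = content.size();
++    // TODO: convert to Tokenizer parse
++    // erring on the safe side for now. Probably rawContent would be ok too
++    // note that operations below do *X='\0' ... altering the 'const' buffer content.
++    char const *currentPos = content.c_str();
++    SBuf::size_type remainingCount = content.length();
+     char const *tag = NULL;
+ 
+     while ((tag = findTag(currentPos, remainingCount))) {
+
+=== modified file 'src/esi/CustomParser.h'
+--- a/src/esi/CustomParser.h
++++ b/src/esi/CustomParser.h
+@@ -14,7 +14,7 @@
+ /* inherits from */
+ #include "esi/Parser.h"
+ 
+-/* for String variables */
++#include "SBuf.h"
+ #include "SquidString.h"
+ 
+ /**
+@@ -46,7 +46,7 @@
+     ESIParserClient *theClient;
+     String error;
+     /* cheap n dirty - buffer it all */
+-    String content;
++    SBuf content;
+     /* TODO: make a class of this type code */
+     ESITAG_t lastTag;
+ };
+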
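Review bot: The added comment in the `src/esi/CustomParser.cc` hunk (enclosing function starts and ends outside the hunk) admits that the loop below writes `'\0'` through the pointer obtained from `content.c_str()`, i.e. it mutates storage declared `char const *`. With `content` changed from `String` to `SBuf` in the header hunk, that storage may be shared with other SBuf instances if any copy of `content` exists (SBuf instances can share a backing store), so the writes could become visible outside the parser — I cannot tell from this hunk whether such a copy exists. Either obtain a writable, unshared buffer from the SBuf API before the loop, or state the assumption where it is relied on: `// assumes 'content' is the sole owner of its store here; the '\0' writes below must not leak into shared copies — confirm`. Any other use of `content` in CustomParser.cc is outside this hunk and has to compile against the SBuf interface rather than String's.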
-- 
2.2.1


