From 9b4c5553470e69752281d57d90e87006579138c4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 02 2019 10:23:06 +0000
Subject: import squid-4.4-5.module+el8.0.0+4045+70edde92
---
diff --git a/SOURCES/squid-4.4.0-CVE-2019-12527.patch b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
new file mode 100644
index 0000000..ea950f5
--- /dev/null
+++ b/SOURCES/squid-4.4.0-CVE-2019-12527.patch
@@ -0,0 +1,139 @@
+commit 7f73e9c5d17664b882ed32590e6af310c247f320
+Author: Amos Jeffries
+Date: 2019-06-19 05:58:36 +0000
+
+ Update HttpHeader::getAuth to SBuf (#416)
+
+ Replace the fixed-size buffer for decoding base64 tokens with an
+ SBuf to avoid decoder issues on large inputs.
+
+ Update callers to SBuf API operations for more efficient memory
+ management.
+
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index 1e2b650..284a057 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
+ return cr;
+ }
+
+-const char *
+-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
++SBuf
++HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
+ {
+ const char *field;
+ int l;
+ assert(auth_scheme);
+ field = getStr(id);
+
++ static const SBuf nil;
+ if (!field) /* no authorization field */
+- return NULL;
++ return nil;
+
+ l = strlen(auth_scheme);
+
+ if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ field += l;
+
+ if (!xisspace(*field)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ /* skip white space */
+ for (; field && xisspace(*field); ++field);
+
+ if (!*field) /* no authorization cookie */
+- return NULL;
++ return nil;
+
+- static char decodedAuthToken[8192];
++ const auto fieldLen = strlen(field);
++ SBuf result;
++ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+ size_t decodedLen = 0;
+- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) ||
++ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) ||
+ !base64_decode_final(&ctx)) {
+- return NULL;
++ return nil;
+ }
+- decodedAuthToken[decodedLen] = '\0';
+- return decodedAuthToken;
++ result.rawAppendFinish(decodedAuthToken, decodedLen);
++ return result;
+ }
+
+ ETag
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index a26b127..3b262be 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -134,7 +134,7 @@ public:
+ HttpHdrRange *getRange() const;
+ HttpHdrSc *getSc() const;
+ HttpHdrContRange *getContRange() const;
+- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
++ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
+ ETag getETag(Http::HdrType id) const;
+ TimeOrTag getTimeOrTag(Http::HdrType id) const;
+ int hasListMember(Http::HdrType id, const char *member, const char separator) const;
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index da22f7a..2fae767 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -27,6 +27,7 @@
+ #include "mgr/FunAction.h"
+ #include "mgr/QueryParams.h"
+ #include "protos.h"
++#include "sbuf/StringConvert.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
+ #include "Store.h"
+@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m
+ // TODO: use the authentication system decode to retrieve these details properly.
+
+ /* base 64 _decoded_ user:passwd pair */
+- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic");
++ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+
+- if (!basic_cookie)
++ if (basic_cookie.isEmpty())
+ return;
+
+- const char *passwd_del;
+- if (!(passwd_del = strchr(basic_cookie, ':'))) {
++ const auto colonPos = basic_cookie.find(':');
++ if (colonPos == SBuf::npos) {
+ debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
+ return;
+ }
+
+ /* found user:password pair, reset old values */
+- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie);
+- params.password = passwd_del + 1;
++ params.userName = SBufToString(basic_cookie.substr(0, colonPos));
++ params.password = SBufToString(basic_cookie.substr(colonPos+1));
+
+ /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
+ debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
+diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc
+index b958b14..7ca5d24 100644
+--- a/src/clients/FtpGateway.cc
++++ b/src/clients/FtpGateway.cc
+@@ -1050,7 +1050,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr)
+
+ #if HAVE_AUTH_MODULE_BASIC
+ /* Check HTTP Authorization: headers (better than defaults, but less than URL) */
+- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic"));
++ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
+ if (!auth.isEmpty()) {
+ flags.authenticated = 1;
+ loginParser(auth, false);
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index 1696777..f2aeafc 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -2,7 +2,7 @@ Name: squid Version: 4.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code
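Review bot: In the src/cache_manager.cc part of the added patch, CacheManager::ParseHeaders still streams the whole decoded Authorization token into the DBG_IMPORTANT message `unknown basic_cookie format '...'`, so client-supplied bytes, which may be a mistyped credential, are written to the log whenever the colon is missing. Now that getAuthToken returns an SBuf rather than a NUL-terminated string, that value can carry embedded NUL or control characters and is presumably as long as the header value allows. I would log only its size, e.g. `debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format, length=" << basic_cookie.length());`. The level-9 `got user:` message that follows prints the decoded password, as its own comment warns; that statement and the rest of ParseHeaders continue outside the hunk.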
@@ -36,6 +36,10 @@ Patch206: squid-4.4.0-active-ftp.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1612524 Patch207: squid-4.4.0-man-pages.patch +# security fixes +# https://bugzilla.redhat.com/show_bug.cgi?id=1744672 +Patch500: squid-4.4.0-CVE-2019-12527.patch + Requires: bash >= 2.0 Requires(pre): shadow-utils Requires(post): systemd @@ -93,6 +97,8 @@ lookup program (dnsserver), a program for retrieving FTP data %patch206 -p1 -b .active-ftp %patch207 -p1 -b .man-pages +%patch500 -p1 -b .CVE-2019-12527 + %build # cppunit-config patch changes configure.ac autoconf @@ -295,6 +301,10 @@ fi %changelog +* Fri Aug 23 2019 Lubos Uhliarik - 7:4.4-5 +- Resolves: #1744672 - CVE-2019-12527 squid:4/squid: heap-based buffer overflow + in HttpHeader::getAuth + * Tue Dec 11 2018 Lubos Uhliarik - 7:4.4-4 - Resolves: #1612524 - Man page scan results for squid