From d3a8eee6212ca44efedec2404823d5ba2f2ad263 Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Mar 17 2014 09:24:48 +0000 Subject: import squid-3.3.8-11.el7.src.rpm --- diff --git a/SOURCES/squid-3.3-12677.patch b/SOURCES/squid-3.3-12677.patch new file mode 100644 index 0000000..5707e42 --- /dev/null +++ b/SOURCES/squid-3.3-12677.patch @@ -0,0 +1,200 @@ +------------------------------------------------------------ +revno: 12677 +revision-id: squid3@treenet.co.nz-20140309023519-t6wmqou7m816tgnl +parent: squid3@treenet.co.nz-20140309021524-wtxyrfoagz95ezwp +author: Alex Rousskov +committer: Amos Jeffries +branch nick: 3.3 +timestamp: Sat 2014-03-08 19:35:19 -0700 +message: + Avoid assertions on Range requests that trigger Squid-generated errors. + + Added HttpRequest::ignoreRange() to encapsulate range ignoring logic. + Currently the new method only contains the code common among all callers. More + work is needed to check whether further caller homogenization is possible. + + Documented that ClientSocketContext::getNextRangeOffset() may sometimes be + called before it is ready to do its job. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140309023519-t6wmqou7m816tgnl +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 +# testament_sha1: 0e0335663a55b0dca989893fb98f81d8d9604572 +# timestamp: 2014-03-09 02:37:50 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 +# base_revision_id: squid3@treenet.co.nz-20140309021524-\ +# wtxyrfoagz95ezwp +# +# Begin patch +=== modified file 'src/HttpRequest.cc' +--- src/HttpRequest.cc 2013-09-11 01:03:45 +0000 ++++ src/HttpRequest.cc 2014-03-09 02:35:19 +0000 +@@ -658,6 +658,20 @@ + return rangeOffsetLimit; + } + ++void ++HttpRequest::ignoreRange(const char *reason) ++{ ++ if (range) { ++ debugs(73, 3, static_cast(range) << " for " << reason); ++ delete range; ++ range = NULL; ++ } ++ // Some callers also reset isRanged but it may not be safe for all callers: ++ // isRanged is used to determine whether a weak ETag comparison is allowed, ++ // and that check should not ignore the Range header if it was present. ++ // TODO: Some callers also delete HDR_RANGE, HDR_REQUEST_RANGE. Should we? ++} ++ + bool + HttpRequest::canHandle1xx() const + { + +=== modified file 'src/HttpRequest.h' +--- src/HttpRequest.h 2013-07-26 12:21:20 +0000 ++++ src/HttpRequest.h 2014-03-09 02:35:19 +0000 +@@ -246,6 +246,8 @@ + */ + CbcPointer clientConnectionManager; + ++ /// forgets about the cached Range header (for a reason) ++ void ignoreRange(const char *reason); + int64_t getRangeOffsetLimit(); /* the result of this function gets cached in rangeOffsetLimit */ + + private: + +=== modified file 'src/client_side.cc' +--- src/client_side.cc 2013-09-29 17:28:00 +0000 ++++ src/client_side.cc 2014-03-09 02:35:19 +0000 +@@ -1281,9 +1281,7 @@ + * offset data, but we won't be requesting it. + * So, we can either re-request, or generate an error + */ +- debugs(33, 3, "clientBuildRangeHeader: will not do ranges: " << range_err << "."); +- delete http->request->range; +- http->request->range = NULL; ++ http->request->ignoreRange(range_err); + } else { + /* XXX: TODO: Review, this unconditional set may be wrong. - TODO: review. */ + httpStatusLineSet(&rep->sline, rep->sline.version, +@@ -1662,9 +1660,16 @@ + int64_t + ClientSocketContext::getNextRangeOffset() const + { ++ debugs (33, 5, "range: " << http->request->range << ++ "; http offset " << http->out.offset << ++ "; reply " << reply); ++ ++ // XXX: This method is called from many places, including pullData() which ++ // may be called before prepareReply() [on some Squid-generated errors]. ++ // Hence, we may not even know yet whether we should honor/do ranges. ++ + if (http->request->range) { + /* offset in range specs does not count the prefix of an http msg */ +- debugs (33, 5, "ClientSocketContext::getNextRangeOffset: http offset " << http->out.offset); + /* check: reply was parsed and range iterator was initialized */ + assert(http->range_iter.valid); + /* filter out data according to range specs */ +@@ -1701,7 +1706,7 @@ + void + ClientSocketContext::pullData() + { +- debugs(33, 5, HERE << clientConnection << " attempting to pull upstream data"); ++ debugs(33, 5, reply << " written " << http->out.size << " into " << clientConnection); + + /* More data will be coming from the stream. */ + StoreIOBuffer readBuffer; +@@ -2492,7 +2497,7 @@ + clientReplyContext *repContext = dynamic_cast(node->data.getRaw()); + assert(repContext); + debugs(33, 5, "Responding with delated error for " << http->uri); +- repContext->setReplyToStoreEntry(sslServerBump->entry); ++ repContext->setReplyToStoreEntry(sslServerBump->entry, "delayed SslBump error"); + + // save the original request for logging purposes + if (!context->http->al->request) + +=== modified file 'src/client_side_reply.cc' +--- src/client_side_reply.cc 2013-12-15 05:23:23 +0000 ++++ src/client_side_reply.cc 2014-03-09 02:35:19 +0000 +@@ -134,13 +134,18 @@ + + http->al->http.code = errstate->httpStatus; + ++ if (http->request) ++ http->request->ignoreRange("responding with a Squid-generated error"); ++ + createStoreEntry(method, RequestFlags()); + assert(errstate->callback_data == NULL); + errorAppendEntry(http->storeEntry(), errstate); + /* Now the caller reads to get this */ + } + +-void clientReplyContext::setReplyToStoreEntry(StoreEntry *entry) ++// Assumes that the entry contains an error response without Content-Range. ++// To use with regular entries, make HTTP Range header removal conditional. ++void clientReplyContext::setReplyToStoreEntry(StoreEntry *entry, const char *reason) + { + entry->lock(); // removeClientStoreReference() unlocks + sc = storeClientListAdd(entry, this); +@@ -149,6 +154,8 @@ + #endif + reqofs = 0; + reqsize = 0; ++ if (http->request) ++ http->request->ignoreRange(reason); + flags.storelogiccomplete = 1; + http->storeEntry(entry); + } + +=== modified file 'src/client_side_reply.h' +--- src/client_side_reply.h 2012-09-10 12:49:35 +0000 ++++ src/client_side_reply.h 2014-03-09 02:35:19 +0000 +@@ -73,7 +73,7 @@ + int storeOKTransferDone() const; + int storeNotOKTransferDone() const; + /// replaces current response store entry with the given one +- void setReplyToStoreEntry(StoreEntry *e); ++ void setReplyToStoreEntry(StoreEntry *e, const char *reason); + /// builds error using clientBuildError() and calls setReplyToError() below + void setReplyToError(err_type, http_status, const HttpRequestMethod&, char const *, Ip::Address &, HttpRequest *, const char *, + #if USE_AUTH + +=== modified file 'src/client_side_request.cc' +--- src/client_side_request.cc 2014-03-09 02:10:07 +0000 ++++ src/client_side_request.cc 2014-03-09 02:35:19 +0000 +@@ -1131,8 +1131,7 @@ + else { + req_hdr->delById(HDR_RANGE); + req_hdr->delById(HDR_REQUEST_RANGE); +- delete request->range; +- request->range = NULL; ++ request->ignoreRange("neither HEAD nor GET"); + } + + if (req_hdr->has(HDR_AUTHORIZATION)) +@@ -1664,7 +1663,7 @@ + clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; + clientReplyContext *repContext = dynamic_cast(node->data.getRaw()); + assert (repContext); +- repContext->setReplyToStoreEntry(e); ++ repContext->setReplyToStoreEntry(e, "immediate SslBump error"); + errorAppendEntry(e, calloutContext->error); + calloutContext->error = NULL; + if (calloutContext->readNextRequest) + +=== modified file 'src/http.cc' +--- src/http.cc 2013-11-21 21:54:29 +0000 ++++ src/http.cc 2014-03-09 02:35:19 +0000 +@@ -1736,8 +1736,7 @@ + /* don't cache the result */ + request->flags.cachable = 0; + /* pretend it's not a range request */ +- delete request->range; +- request->range = NULL; ++ request->ignoreRange("want to request the whole object"); + request->flags.isRanged=false; + } + + diff --git a/SOURCES/squid-3.3.8-active-ftp-2.patch b/SOURCES/squid-3.3.8-active-ftp-2.patch new file mode 100644 index 0000000..268c7f6 --- /dev/null +++ b/SOURCES/squid-3.3.8-active-ftp-2.patch @@ -0,0 +1,65 @@ +--- ./src/ftp.cc 2013-07-13 15:22:32.000000000 +0200 ++++ ./src/ftp.cc 2013-12-21 15:39:23.015056228 +0100 +@@ -2816,6 +2816,7 @@ + } + + ftpState->listenForDataChannel(temp, ftpState->entry->url()); ++ ftpState->data.listenConn = temp; + } + + /// \ingroup ServerProtocolFTPInternal +@@ -2851,14 +2852,19 @@ + + // pull out the internal IP address bytes to send in PORT command... + // source them from the listen_conn->local +- ++ struct sockaddr_in addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ unsigned char port_high = ntohs(addr.sin_port) >> 8; ++ unsigned char port_low = ntohs(addr.sin_port) & 0xff; ++ + struct addrinfo *AI = NULL; + ftpState->data.listenConn->local.GetAddrInfo(AI, AF_INET); + unsigned char *addrptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_addr; +- unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; ++ // unsigned char *portptr = (unsigned char *) &((struct sockaddr_in*)AI->ai_addr)->sin_port; + snprintf(cbuf, CTRL_BUFLEN, "PORT %d,%d,%d,%d,%d,%d\r\n", + addrptr[0], addrptr[1], addrptr[2], addrptr[3], +- portptr[0], portptr[1]); ++ port_high, port_low); + ftpState->writeCommand(cbuf); + ftpState->state = SENT_PORT; + +@@ -2907,15 +2913,25 @@ + ftpFail(ftpState); + return; + } +- +- char buf[MAX_IPSTRLEN]; +- ++ unsigned int port; ++ struct sockaddr_storage addr; ++ socklen_t addrlen = sizeof(addr); ++ getsockname(ftpState->data.listenConn->fd, (struct sockaddr *) &addr, &addrlen); ++ if (addr.ss_family == AF_INET) { ++ struct sockaddr_in *addr4 = (struct sockaddr_in*) &addr; ++ port = ntohs( addr4->sin_port ); ++ } else { ++ struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &addr; ++ port = ntohs( addr6->sin6_port ); ++ } ++ ++ char buf[MAX_IPSTRLEN]; + /* RFC 2428 defines EPRT as IPv6 equivalent to IPv4 PORT command. */ + /* Which can be used by EITHER protocol. */ +- snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%d|\r\n", ++ snprintf(cbuf, CTRL_BUFLEN, "EPRT |%d|%s|%u|\r\n", + ( ftpState->data.listenConn->local.IsIPv6() ? 2 : 1 ), + ftpState->data.listenConn->local.NtoA(buf,MAX_IPSTRLEN), +- ftpState->data.listenConn->local.GetPort() ); ++ port); + + ftpState->writeCommand(cbuf); + ftpState->state = SENT_EPRT; + diff --git a/SPECS/squid.spec b/SPECS/squid.spec index d480c09..aaf19e2 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -4,7 +4,7 @@ Name: squid Version: 3.3.8 -Release: 2%{?dist} +Release: 11%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -39,6 +39,11 @@ Patch204: squid-3.2.0.9-fpic.patch Patch205: squid-3.1.9-ltdl.patch Patch206: squid-3.3.4-empty-pod2man.patch Patch207: active-ftp.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=980511 +Patch208: squid-3.3.8-active-ftp-2.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1074873 +# http://www.squid-cache.org/Advisories/SQUID-2014_1.txt +Patch209: squid-3.3-12677.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: bash >= 2.0 @@ -56,8 +61,6 @@ BuildRequires: pam-devel BuildRequires: openssl-devel # squid_kerb_aut requires Kerberos development libs BuildRequires: krb5-devel -# squid_session_auth requires DB4 -BuildRequires: db4-devel # ESI support requires Expat & libxml2 BuildRequires: expat-devel libxml2-devel # TPROXY requires libcap, and also increases security somewhat @@ -68,6 +71,8 @@ BuildRequires: libecap-devel BuildRequires: libtool libtool-ltdl-devel # For test suite BuildRequires: cppunit-devel +# DB helper requires +BuildRequires: perl-podlators libdb-devel %description Squid is a high-performance proxy caching server for Web clients, @@ -108,6 +113,8 @@ The squid-sysvinit contains SysV initscritps support. %patch205 -p1 -b .ltdl %patch206 -p1 -b .empty-pod2man %patch207 -p1 -b .active-ftp +%patch208 -p1 -b .active-ftp-2 +%patch209 -p0 %build %ifarch sparcv9 sparc64 s390 s390x @@ -136,14 +143,14 @@ LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro -Wl,-z,now" --enable-auth-ntlm="smb_lm,fake" \ --enable-auth-digest="file,LDAP,eDirectory" \ --enable-auth-negotiate="kerberos" \ - --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \ + --enable-external-acl-helpers="file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group" \ --enable-cache-digests \ --enable-cachemgr-hostname=localhost \ --enable-delay-pools \ --enable-epoll \ --enable-icap-client \ --enable-ident-lookups \ - %ifnarch ppc64 ia64 x86_64 s390x + %ifnarch ppc64 ia64 x86_64 s390x aarch64 --with-large-files \ %endif --enable-linux-netfilter \ @@ -312,6 +319,34 @@ fi /sbin/chkconfig --add squid >/dev/null 2>&1 || : %changelog +* Mon Mar 17 2014 Pavel Šimerda - 7:3.3.8-11 +- Resolves: #1074873 - CVE-2014-0128 squid: denial of service when using + SSL-Bump + +* Wed Mar 05 2014 Pavel Šimerda ' - 7:3.3.8-10 +- Resolves: #1072973 - don't depend on libdb4 + +* Tue Feb 11 2014 Pavel Šimerda - 7:3.3.8-9 +- revert: Resolves: #1038160 - avoid running squid's own supervisor process + +* Tue Feb 11 2014 Pavel Šimerda - 7:3.3.8-8 +- Resolves: #1063248 - missing helpers + +* Fri Jan 24 2014 Daniel Mach - 7:3.3.8-7 +- Mass rebuild 2014-01-24 + +* Thu Jan 02 2014 Pavel Šimerda - 7:3.3.8-6 +- Resolves: #980511 - squid doesn't work with active FTP + +* Fri Dec 27 2013 Daniel Mach - 7:3.3.8-5 +- Mass rebuild 2013-12-27 + +* Tue Dec 10 2013 Pavel Šimerda - 7:3.3.8-4 +- Resolves: #1038160 - avoid running squid's own supervisor process + +* Thu Nov 21 2013 Pavel Šimerda - 7:3.3.8-3 +- Resolves: #1028588 - fix build on aarch64 + * Tue Aug 27 2013 Michal Luscon - 7:3.3.8-2 - Fixed: source code url