diff --git a/SOURCES/squid-3.5.20-CVE-2018-1000024.patch b/SOURCES/squid-3.5.20-CVE-2018-1000024.patch
new file mode 100644
index 0000000..9392219
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2018-1000024.patch
@@ -0,0 +1,28 @@
+commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
+Author: Amos Jeffries
+Date: 2018-01-19 13:54:14 +1300
+
+ ESI: make sure endofName never exceeds tagEnd (#130)
+
+diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc
+index d86d2d3..db634d9 100644
+--- a/src/esi/CustomParser.cc
++++ b/src/esi/CustomParser.cc
+@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
+
+ char * endofName = strpbrk(const_cast(tag), w_space);
+
+- if (endofName > tagEnd)
++ if (!endofName || endofName > tagEnd)
+ endofName = const_cast(tagEnd);
+
+ *endofName = '\0';
+@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
+
+ char * endofName = strpbrk(const_cast(tag), w_space);
+
+- if (endofName > tagEnd)
++ if (!endofName || endofName > tagEnd)
+ endofName = const_cast(tagEnd);
+
+ *endofName = '\0';
diff --git a/SOURCES/squid-3.5.20-CVE-2018-1000027.patch b/SOURCES/squid-3.5.20-CVE-2018-1000027.patch
new file mode 100644
index 0000000..9ecd8a5
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2018-1000027.patch
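Review bot: Both rewritten conditions now cover strpbrk()'s NULL return, but the patch text as shown reads `const_cast(tag)` and `const_cast(tagEnd)` with no template argument and `Author: Amos Jeffries` with no address, so angle-bracketed text appears to have been stripped from this page; the on-disk patch presumably still carries `const_cast<char *>(…)`, which is worth confirming because the file would not compile without it. The clamp deserves a comment at both sites, since the following `*endofName = '\0';` is what turned the NULL case into a write through a null pointer: `// strpbrk() returns NULL when no whitespace follows the name; clamp to tagEnd so the terminator below stays inside the tag`. The identical three-line clamp at lines 121 and 214 could share a small static helper, though keeping a security backport minimal is a fair reason not to. ESICustomParser::parse() begins and ends outside the hunk.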
@@ -0,0 +1,23 @@
+commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5)
+Author: squidadm
+Date: 2018-01-21 08:07:08 +1300
+
+ Fix indirect IP logging for transactions without a client connection (#129) (#136)
+
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index be124f3..203f89d 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
+ * Ensure that the access log shows the indirect client
+ * instead of the direct client.
+ */
+- ConnStateData *conn = http->getConn();
+- conn->log_addr = request->indirect_client_addr;
+- http->al->cache.caddr = conn->log_addr;
++ http->al->cache.caddr = request->indirect_client_addr;
++ if (ConnStateData *conn = http->getConn())
++ conn->log_addr = request->indirect_client_addr;
+ }
+ request->x_forwarded_for_iterator.clean();
+ request->flags.done_follow_x_forwarded_for = true;
diff --git a/SOURCES/squid-3.5.20-CVE-2019-12525.patch b/SOURCES/squid-3.5.20-CVE-2019-12525.patch
new file mode 100644
index 0000000..6bfe4e3
--- /dev/null
+++ b/SOURCES/squid-3.5.20-CVE-2019-12525.patch
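Review bot: `http->al->cache.caddr` is now assigned before anything else, so the fix relies on the access-log entry existing for the very connection-less transactions it targets, while only `conn` became optional; the hunk does not show whether `al` can also be absent there, so either confirm that invariant or guard it the same way, `if (http->al) http->al->cache.caddr = request->indirect_client_addr;`. A short comment would also record why the null check exists so it is not folded back later: `// conn is nil for transactions without a client connection; still log the indirect address`. clientFollowXForwardedForCheck() begins and ends outside the hunk.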
@@ -0,0 +1,30 @@
+commit ec0d0f39cf28da14eead0ba5e777e95855bc2f67
+Author: Amos Jeffries
+Date: 2019-06-08 21:09:23 +0000
+
+ Fix Digest auth parameter parsing (#415)
+
+ Only remove quoting if the domain=, uri= or qop= parameter
+ value is surrounded by double-quotes.
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 674dd93..d2cd2e9 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -781,14 +781,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+ if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
+ // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
+ // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ }
+ } else if (keyName == SBuf("qop",3)) {
+ // qop is more special.
+ // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
+ // On response this is a single un-quoted token.
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ } else {
+ value.limitInit(p, vlen);
diff --git a/SPECS/squid.spec b/SPECS/squid.spec
index b06625d..bb327c6 100644
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@@ -4,7 +4,7 @@ Name: squid
 Version: 3.5.20
-Release: 14%{?dist}
+Release: 16%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
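Review bot: The `vlen > 1` guard added to both conditions carries no explanation, and the reason is subtle: with `vlen == 1` and `*p == '"'` the old test matched the same byte as both the opening and the closing quote and then called `value.limitInit(p+1, vlen-2)` with a length of -1 (which wraps if vlen is unsigned). A comment at each site would keep the guard from being "simplified" away later: `// vlen > 1: a lone '"' must not count as both quotes, or vlen-2 wraps`. The domain/uri branch still leaves `value` untouched when the parameter is not quoted; that is pre-existing behaviour the commit does not change and I cannot judge it from the hunk. Auth::Digest::Config::decode() begins and ends outside the hunk.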
@@ -63,6 +63,10 @@ Patch218: squid-3.5.20-cache-siblings-gw.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1727744
 Patch500: squid-3.5.20-CVE-2019-13345.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1582301
+Patch501: squid-3.5.20-CVE-2018-1000024.patch
+Patch502: squid-3.5.20-CVE-2018-1000027.patch
+Patch503: squid-3.5.20-CVE-2019-12525.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@@ -151,6 +155,9 @@ migration and script which prepares squid for downgrade operation.
 # security fixes
 %patch500 -p1 -b .CVE-2019-13345
+%patch501 -p1 -b .CVE-2018-1000024
+%patch502 -p1 -b .CVE-2018-1000027
+%patch503 -p1 -b .CVE-2019-12525
 # https://bugzilla.redhat.com/show_bug.cgi?id=1471140
 # Patch in the vendor documentation and used different location for documentation
@@ -380,7 +387,11 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
-* Thu Jul 25 2019 Lubos Uhliarik - 7:3.5.20-14
+* Fri Mar 27 2020 Lubos Uhliarik - 7:3.5.20-16
+- Resolves: #1738582 - CVE-2019-12525 squid: parsing of header
+ Proxy-Authentication leads to memory corruption
+
+* Thu Jul 25 2019 Lubos Uhliarik - 7:3.5.20-15
 - Resolves: #1690551 - Squid cache_peer DNS lookup failed when not all lower case
 - Resolves: #1680022 - squid can't display download/upload packet size for HTTPS
@@ -388,7 +399,8 @@ fi - Resolves: #1717430 - Excessive memory usage when running out of descriptors
 - Resolves: #1676420 - Cache siblings return wrongly cached gateway timeouts
 - Resolves: #1729435 - CVE-2019-13345 squid: XSS via user_name or auth parameter
- in cachemgr.cgi
+ in cachemgr.cgi
+- Resolves: #1582301 - CVE-2018-1000024 CVE-2018-1000027 squid: various flaws
 * Thu Dec 06 2018 Luboš Uhliarik - 7:3.5.20-13
 - Resolves: #1620546 - migration of upstream squid
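Review bot: The single `# https://bugzilla.redhat.com/show_bug.cgi?id=1582301` comment is placed above all three new Patch lines, yet the changelog in the same commit tracks CVE-2019-12525 under #1738582, so Patch503 is mis-attributed in the spec's own cross-references. Give it its own line, `# https://bugzilla.redhat.com/show_bug.cgi?id=1738582` directly above `Patch503:`, matching how Patch500 is annotated. For the same traceability reason the 7:3.5.20-16 entry should list all three CVEs it ships rather than appending the #1582301 line to the renumbered July 2019 entry, which did not contain those patches.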