import squid-4.15-6.module+el8.8.0+17468+cecc5697
This commit is contained in:
parent
725ec763b0
commit
388e5778b6
129
SOURCES/squid-4.15-CVE-2021-46784.patch
Normal file
129
SOURCES/squid-4.15-CVE-2021-46784.patch
Normal file
@ -0,0 +1,129 @@
|
||||
From 780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b Mon Sep 17 00:00:00 2001
|
||||
From: Joshua Rogers <MegaManSec@users.noreply.github.com>
|
||||
Date: Mon, 18 Apr 2022 13:42:36 +0000
|
||||
Subject: [PATCH] Improve handling of Gopher responses (#1022)
|
||||
|
||||
---
|
||||
src/gopher.cc | 45 ++++++++++++++++++++-------------------------
|
||||
1 file changed, 20 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/gopher.cc b/src/gopher.cc
|
||||
index 169b0e18299..6187da18bcd 100644
|
||||
--- a/src/gopher.cc
|
||||
+++ b/src/gopher.cc
|
||||
@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
char *lpos = NULL;
|
||||
char *tline = NULL;
|
||||
LOCAL_ARRAY(char, line, TEMP_BUF_SIZE);
|
||||
- LOCAL_ARRAY(char, tmpbuf, TEMP_BUF_SIZE);
|
||||
char *name = NULL;
|
||||
char *selector = NULL;
|
||||
char *host = NULL;
|
||||
@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
char gtype;
|
||||
StoreEntry *entry = NULL;
|
||||
|
||||
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
|
||||
memset(line, '\0', TEMP_BUF_SIZE);
|
||||
|
||||
entry = gopherState->entry;
|
||||
@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
return;
|
||||
}
|
||||
|
||||
- String outbuf;
|
||||
+ SBuf outbuf;
|
||||
|
||||
if (!gopherState->HTML_header_added) {
|
||||
if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT)
|
||||
@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
break;
|
||||
}
|
||||
|
||||
- memset(tmpbuf, '\0', TEMP_BUF_SIZE);
|
||||
-
|
||||
if ((gtype == GOPHER_TELNET) || (gtype == GOPHER_3270)) {
|
||||
if (strlen(escaped_selector) != 0)
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
|
||||
- icon_url, escaped_selector, rfc1738_escape_part(host),
|
||||
- *port ? ":" : "", port, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s@%s%s%s/\">%s</A>\n",
|
||||
+ icon_url, escaped_selector, rfc1738_escape_part(host),
|
||||
+ *port ? ":" : "", port, html_quote(name));
|
||||
else
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
|
||||
- icon_url, rfc1738_escape_part(host), *port ? ":" : "",
|
||||
- port, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"telnet://%s%s%s/\">%s</A>\n",
|
||||
+ icon_url, rfc1738_escape_part(host), *port ? ":" : "",
|
||||
+ port, html_quote(name));
|
||||
|
||||
} else if (gtype == GOPHER_INFO) {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "\t%s\n", html_quote(name));
|
||||
+ outbuf.appendf("\t%s\n", html_quote(name));
|
||||
} else {
|
||||
if (strncmp(selector, "GET /", 5) == 0) {
|
||||
/* WWW link */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
|
||||
- icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"http://%s/%s\">%s</A>\n",
|
||||
+ icon_url, host, rfc1738_escape_unescaped(selector + 5), html_quote(name));
|
||||
+ } else if (gtype == GOPHER_WWW) {
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
+ icon_url, rfc1738_escape_unescaped(selector), html_quote(name));
|
||||
} else {
|
||||
/* Standard link */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
- icon_url, host, gtype, escaped_selector, html_quote(name));
|
||||
+ outbuf.appendf("<IMG border=\"0\" SRC=\"%s\"> <A HREF=\"gopher://%s/%c%s\">%s</A>\n",
|
||||
+ icon_url, host, gtype, escaped_selector, html_quote(name));
|
||||
}
|
||||
}
|
||||
|
||||
safe_free(escaped_selector);
|
||||
- outbuf.append(tmpbuf);
|
||||
} else {
|
||||
memset(line, '\0', TEMP_BUF_SIZE);
|
||||
continue;
|
||||
@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
break;
|
||||
|
||||
if (gopherState->cso_recno != recno) {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
|
||||
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>Record# %d<br><i>%s</i></H2>\n<PRE>", recno, html_quote(result));
|
||||
gopherState->cso_recno = recno;
|
||||
} else {
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "%s\n", html_quote(result));
|
||||
+ outbuf.appendf("%s\n", html_quote(result));
|
||||
}
|
||||
|
||||
- outbuf.append(tmpbuf);
|
||||
break;
|
||||
} else {
|
||||
int code;
|
||||
@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
|
||||
case 502: { /* Too Many Matches */
|
||||
/* Print the message the server returns */
|
||||
- snprintf(tmpbuf, TEMP_BUF_SIZE, "</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
|
||||
- outbuf.append(tmpbuf);
|
||||
+ outbuf.appendf("</PRE><HR noshade size=\"1px\"><H2>%s</H2>\n<PRE>", html_quote(result));
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len)
|
||||
|
||||
} /* while loop */
|
||||
|
||||
- if (outbuf.size() > 0) {
|
||||
- entry->append(outbuf.rawBuf(), outbuf.size());
|
||||
+ if (outbuf.length() > 0) {
|
||||
+ entry->append(outbuf.rawContent(), outbuf.length());
|
||||
/* now let start sending stuff to client */
|
||||
entry->flush();
|
||||
}
|
||||
|
||||
- outbuf.clean();
|
||||
return;
|
||||
}
|
||||
|
38
SOURCES/squid-4.15-CVE-2022-41318.patch
Normal file
38
SOURCES/squid-4.15-CVE-2022-41318.patch
Normal file
@ -0,0 +1,38 @@
|
||||
commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
|
||||
Author: Amos Jeffries <yadij@users.noreply.github.com>
|
||||
Date: 2022-08-09 23:34:54 +0000
|
||||
|
||||
Bug 3193 pt2: NTLM decoder truncating strings (#1114)
|
||||
|
||||
The initial bug fix overlooked large 'offset' causing integer
|
||||
wrap to extract a too-short length string.
|
||||
|
||||
Improve debugs and checks sequence to clarify cases and ensure
|
||||
that all are handled correctly.
|
||||
|
||||
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
|
||||
index 5d9637290..f00fd51f8 100644
|
||||
--- a/lib/ntlmauth/ntlmauth.cc
|
||||
+++ b/lib/ntlmauth/ntlmauth.cc
|
||||
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
|
||||
int32_t o = le32toh(str->offset);
|
||||
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
|
||||
|
||||
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
|
||||
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
|
||||
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||
return rv;
|
||||
}
|
||||
+ else if (o <= 0 || o > packet_size) {
|
||||
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||
+ return rv;
|
||||
+ }
|
||||
+ else if (l > packet_size - o) {
|
||||
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||
+ return rv;
|
||||
+ }
|
||||
+
|
||||
rv.str = (char *)packet + o;
|
||||
rv.l = 0;
|
||||
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
|
156
SOURCES/squid-4.15-ip-bind-address-no-port.patch
Normal file
156
SOURCES/squid-4.15-ip-bind-address-no-port.patch
Normal file
@ -0,0 +1,156 @@
|
||||
commit c08948c8b831a2ba73c676b48aa11ba1b58cc542
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Thu Dec 8 11:03:08 2022 +0100
|
||||
|
||||
Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
|
||||
|
||||
diff --git a/src/comm.cc b/src/comm.cc
|
||||
index 0d5f34d..6811b54 100644
|
||||
--- a/src/comm.cc
|
||||
+++ b/src/comm.cc
|
||||
@@ -58,6 +58,7 @@
|
||||
*/
|
||||
|
||||
static IOCB commHalfClosedReader;
|
||||
+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
|
||||
static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
|
||||
static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
|
||||
|
||||
@@ -75,6 +76,7 @@ static EVH commHalfClosedCheck;
|
||||
static void commPlanHalfClosedCheck();
|
||||
|
||||
static Comm::Flag commBind(int s, struct addrinfo &);
|
||||
+static void commSetBindAddressNoPort(int);
|
||||
static void commSetReuseAddr(int);
|
||||
static void commSetNoLinger(int);
|
||||
#ifdef TCP_NODELAY
|
||||
@@ -201,6 +203,22 @@ comm_local_port(int fd)
|
||||
return F->local_addr.port();
|
||||
}
|
||||
|
||||
+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
|
||||
+/// reuse by outgoing TCP connections that must bind(2) to a source IP address
|
||||
+static void
|
||||
+commSetBindAddressNoPort(const int fd)
|
||||
+{
|
||||
+#if defined(IP_BIND_ADDRESS_NO_PORT)
|
||||
+ int flag = 1;
|
||||
+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
|
||||
+ const auto savedErrno = errno;
|
||||
+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
|
||||
+ }
|
||||
+#else
|
||||
+ (void)fd;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
static Comm::Flag
|
||||
commBind(int s, struct addrinfo &inaddr)
|
||||
{
|
||||
@@ -227,6 +245,10 @@ comm_open(int sock_type,
|
||||
int flags,
|
||||
const char *note)
|
||||
{
|
||||
+ // assume zero-port callers do not need to know the assigned port right away
|
||||
+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
|
||||
+ flags |= COMM_DOBIND_PORT_LATER;
|
||||
+
|
||||
return comm_openex(sock_type, proto, addr, flags, note);
|
||||
}
|
||||
|
||||
@@ -328,7 +350,7 @@ comm_set_transparent(int fd)
|
||||
* Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE
|
||||
* is OR of flags specified in defines.h:COMM_*
|
||||
*/
|
||||
-int
|
||||
+static int
|
||||
comm_openex(int sock_type,
|
||||
int proto,
|
||||
Ip::Address &addr,
|
||||
@@ -476,6 +498,9 @@ comm_apply_flags(int new_socket,
|
||||
if ( addr.isNoAddr() )
|
||||
debugs(5,0,"CRITICAL: Squid is attempting to bind() port " << addr << "!!");
|
||||
|
||||
+ if ((flags & COMM_DOBIND_PORT_LATER))
|
||||
+ commSetBindAddressNoPort(new_socket);
|
||||
+
|
||||
if (commBind(new_socket, *AI) != Comm::OK) {
|
||||
comm_close(new_socket);
|
||||
return -1;
|
||||
diff --git a/src/comm.h b/src/comm.h
|
||||
index c963e1c..9ff201d 100644
|
||||
--- a/src/comm.h
|
||||
+++ b/src/comm.h
|
||||
@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||
|
||||
/**
|
||||
* Open a port specially bound for listening or sending through a specific port.
|
||||
- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
|
||||
* Please use for all listening sockets and bind() outbound sockets.
|
||||
*
|
||||
* It will open a socket bound for:
|
||||
@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
|
||||
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
|
||||
|
||||
-int comm_openex(int, int, Ip::Address &, int, const char *);
|
||||
unsigned short comm_local_port(int fd);
|
||||
|
||||
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
|
||||
diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
|
||||
index 25a30e4..2082214 100644
|
||||
--- a/src/comm/ConnOpener.cc
|
||||
+++ b/src/comm/ConnOpener.cc
|
||||
@@ -263,7 +263,7 @@ Comm::ConnOpener::createFd()
|
||||
if (callback_ == NULL || callback_->canceled())
|
||||
return false;
|
||||
|
||||
- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||
+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||
if (temporaryFd_ < 0) {
|
||||
sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
|
||||
return false;
|
||||
diff --git a/src/comm/Connection.h b/src/comm/Connection.h
|
||||
index 4f2f23a..1e32c22 100644
|
||||
--- a/src/comm/Connection.h
|
||||
+++ b/src/comm/Connection.h
|
||||
@@ -47,6 +47,8 @@ namespace Comm
|
||||
#define COMM_DOBIND 0x08 // requires a bind()
|
||||
#define COMM_TRANSPARENT 0x10 // arrived via TPROXY
|
||||
#define COMM_INTERCEPTION 0x20 // arrived via NAT
|
||||
+/// Internal Comm optimization: Keep the source port unassigned until connect(2)
|
||||
+#define COMM_DOBIND_PORT_LATER 0x100
|
||||
|
||||
/**
|
||||
* Store data about the physical and logical attributes of a connection.
|
||||
diff --git a/src/ipc.cc b/src/ipc.cc
|
||||
index e1d48fc..e92a27f 100644
|
||||
--- a/src/ipc.cc
|
||||
+++ b/src/ipc.cc
|
||||
@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||
} else void(0)
|
||||
|
||||
if (type == IPC_TCP_SOCKET) {
|
||||
- crfd = cwfd = comm_open(SOCK_STREAM,
|
||||
+ crfd = cwfd = comm_open_listener(SOCK_STREAM,
|
||||
0,
|
||||
local_addr,
|
||||
COMM_NOCLOEXEC,
|
||||
name);
|
||||
- prfd = pwfd = comm_open(SOCK_STREAM,
|
||||
+ prfd = pwfd = comm_open_listener(SOCK_STREAM,
|
||||
0, /* protocol */
|
||||
local_addr,
|
||||
0, /* blocking */
|
||||
diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
|
||||
index 58f85e4..5381ab2 100644
|
||||
--- a/src/tests/stub_comm.cc
|
||||
+++ b/src/tests/stub_comm.cc
|
||||
@@ -46,7 +46,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
|
||||
void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
|
||||
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
|
||||
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
|
||||
-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
|
||||
unsigned short comm_local_port(int fd) STUB_RETVAL(0)
|
||||
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
|
||||
void commCallCloseHandlers(int fd) STUB
|
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 4.15
|
||||
Release: 3%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -22,6 +22,8 @@ Source98: perl-requires-squid.sh
|
||||
# Upstream patches
|
||||
|
||||
# Backported patches
|
||||
Patch101: squid-4.15-ip-bind-address-no-port.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2072988
|
||||
|
||||
# Local patches
|
||||
# Applying upstream patches first makes it less likely that local patches
|
||||
@ -40,6 +42,10 @@ Patch209: squid-4.15-ftp-filename-extraction.patch
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
|
||||
Patch300: squid-4.15-CVE-2021-28116.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
|
||||
Patch301: squid-4.15-CVE-2021-46784.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
|
||||
Patch302: squid-4.15-CVE-2022-41318.patch
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -90,6 +96,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
# Upstream patches
|
||||
|
||||
# Backported patches
|
||||
%patch101 -p1 -b .ip-bind-address-no-port
|
||||
|
||||
# Local patches
|
||||
%patch201 -p1 -b .config
|
||||
@ -103,6 +110,8 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
|
||||
# Security patches
|
||||
%patch300 -p1 -b .CVE-2021-28116
|
||||
%patch301 -p1 -b .CVE-2021-46784
|
||||
%patch302 -p1 -b .CVE-2022-41318
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -319,6 +328,18 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
|
||||
- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
|
||||
flag to sockets created for outgoing connections in the squid source code.
|
||||
|
||||
* Wed Sep 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-5
|
||||
- Resolves: #2130260 - CVE-2022-41318 squid:4/squid: buffer-over-read in SSPI and SMB
|
||||
authentication
|
||||
|
||||
* Tue Jun 28 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-4
|
||||
- Resolves: #2100783 - CVE-2021-46784 squid:4/squid: DoS when processing gopher
|
||||
server responses
|
||||
|
||||
* Wed Feb 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-3
|
||||
- Resolves: #1941506 - CVE-2021-28116 squid:4/squid: out-of-bounds read in WCCP
|
||||
protocol data may lead to information disclosure
|
||||
|
Loading…
Reference in New Issue
Block a user