From 43e21cffe505a4587279d5acb5f6ba213649cd44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 2 Feb 2024 05:47:19 +0100
Subject: [PATCH] Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request

---
 .squid.metadata | 1 +
 squid-4.15-CVE-2023-50269.patch | 50 +++++++++++++++++++++++++++++++++
 squid.spec | 9 +++++-
 3 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 .squid.metadata
 create mode 100644 squid-4.15-CVE-2023-50269.patch

diff --git a/.squid.metadata b/.squid.metadata
new file mode 100644
index 0000000..2251e1f
--- /dev/null
+++ b/.squid.metadata
@@ -0,0 +1 @@
+60bda34ba39657e2d870c8c1d2acece8a69c3075 squid-4.15.tar.xz
diff --git a/squid-4.15-CVE-2023-50269.patch b/squid-4.15-CVE-2023-50269.patch
new file mode 100644
index 0000000..06ea82c
--- /dev/null
+++ b/squid-4.15-CVE-2023-50269.patch
@@ -0,0 +1,50 @@
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index fe2edf6..47aa935 100644
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -81,6 +81,10 @@ public:
+ #endif
+ ErrorState *error; ///< saved error page for centralized/delayed processing
+ bool readNextRequest; ///< whether Squid should read after error handling
++
++#if FOLLOW_X_FORWARDED_FOR
++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 1c6ff62..b758f6f 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -78,6 +78,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
+ /* override the default src_addr tested if we have to go deeper than one level into XFF */
+ Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+ }
+- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+- return;
++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++ return;
++ }
++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
++ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
++ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
++ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++ // fall through to resume clientAccessCheck() processing
+ }
+ }
+ 
diff --git a/squid.spec b/squid.spec
index cc7be52..3df353f 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 4.15
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -63,6 +63,8 @@ Patch307: squid-4.15-CVE-2023-46724.patch
 Patch308: squid-4.15-CVE-2023-49285.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252923
 Patch309: squid-4.15-CVE-2023-49286.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
+Patch310: squid-4.15-CVE-2023-50269.patch
 
 Requires: bash >= 2.0
 
@@ -138,6 +140,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch307 -p1 -b .CVE-2023-46724
 %patch308 -p1 -b .CVE-2023-49285
 %patch309 -p1 -b .CVE-2023-49286
+%patch310 -p1 -b .CVE-2023-50269
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 
@@ -355,6 +358,10 @@ fi
 
 %changelog
+* Fri Feb 02 2024 Luboš Uhliarik - 7:4.15-9
+- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request
+ parsing (CVE-2023-50269)
+
 * Fri Feb 02 2024 Luboš Uhliarik - 7:4.15-8
 - Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
  processing feature (CVE-2023-49285)
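Review bot: The new `squid-4.15-CVE-2023-50269.patch` carries no provenance header, so nothing in this commit ties the vendored hunks to the upstream fix they were backported from; prepend the usual `From <upstream commit id — fill in> Mon Sep 17 00:00:00 2001` and `Subject: ... (CVE-2023-50269)` lines, or at least a one-line comment naming the upstream commit and the CVE, above the first inner `diff --git`, so the backport can be compared against upstream when the next change to this code lands. On the code itself, `SQUID_X_FORWARDED_FOR_HOP_MAX` is a compile-time cap only, so a deployment that legitimately chains more than 64 trusted proxies cannot raise it without a rebuild; that operational limit deserves a sentence in the changelog entry or a spec comment next to `Patch310`. The `debugs(28, DBG_CRITICAL, ...)` call writes the remaining, client-supplied `X-Forwarded-For` value (`request->x_forwarded_for_iterator`) into cache.log once per over-long request, which any unauthenticated client can trigger at will; whether `debugs()` rate-limits or sanitizes that output is not visible here and should be confirmed, or the level lowered to `DBG_IMPORTANT`. `clientFollowXForwardedForCheck` begins before the quoted inner hunk.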