From a006243e29426496c2c619094952584285f91e80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Fri, 2 Feb 2024 02:37:40 +0100 Subject: [PATCH] Resolves: RHEL-19556 - squid: denial of service in HTTP request parsing (CVE-2023-50269) --- squid-5.5-CVE-2023-50269.patch | 50 ++++++++++++++++++++++++++++++++++ squid.spec | 9 +++++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 squid-5.5-CVE-2023-50269.patch diff --git a/squid-5.5-CVE-2023-50269.patch b/squid-5.5-CVE-2023-50269.patch new file mode 100644 index 0000000..923a516 --- /dev/null +++ b/squid-5.5-CVE-2023-50269.patch @@ -0,0 +1,50 @@ +diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h +index 55a7a43..94a8700 100644 +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -80,6 +80,10 @@ public: + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +diff --git a/src/client_side_request.cc b/src/client_side_request.cc +index f44849e..c7c09d4 100644 +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -80,6 +80,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data) + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" << ++ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber << ++ Debug::Extra << "last/accepted address: " << request->indirect_client_addr << ++ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + diff --git a/squid.spec b/squid.spec index b23d028..9ddda72 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.5 -Release: 9%{?dist} +Release: 10%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -68,6 +68,8 @@ Patch508: squid-5.5-CVE-2023-46724.patch Patch509: squid-5.5-CVE-2023-49285.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2252923 Patch510: squid-5.5-CVE-2023-49286.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2254663 +Patch511: squid-5.5-CVE-2023-50269.patch # cache_swap.sh @@ -154,6 +156,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch508 -p1 -b .CVE-2023-46724 %patch509 -p1 -b .CVE-2023-49285 %patch510 -p1 -b .CVE-2023-49286 +%patch511 -p1 -b .CVE-2023-50269 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -380,6 +383,10 @@ fi %changelog +* Fri Feb 02 2024 Luboš Uhliarik - 7:5.5-10 +- Resolves: RHEL-19556 - squid: denial of service in HTTP request + parsing (CVE-2023-50269) + * Thu Feb 01 2024 Luboš Uhliarik - 7:5.5-9 - Resolves: RHEL-18354 - squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)