Resolves: RHEL-19556 - squid: denial of service in HTTP request

parsing (CVE-2023-50269)
2024-02-02 02:37:40 +01:00 · 2024-02-02 02:37:40 +01:00 · a006243e29
commit a006243e29
parent 203568450c
2 changed files with 58 additions and 1 deletions
--- a/squid-5.5-CVE-2023-50269.patch
+++ b/squid-5.5-CVE-2023-50269.patch
@ -0,0 +1,50 @@
 diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
 index 55a7a43..94a8700 100644
 --- a/src/ClientRequestContext.h
 +++ b/src/ClientRequestContext.h
@@ -80,6 +80,10 @@ public:
 #endif
     ErrorState *error; ///< saved error page for centralized/delayed processing
     bool readNextRequest; ///< whether Squid should read after error handling
 +
 +#if FOLLOW_X_FORWARDED_FOR
 +    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
 +#endif
 };
 #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
 diff --git a/src/client_side_request.cc b/src/client_side_request.cc
 index f44849e..c7c09d4 100644
 --- a/src/client_side_request.cc
 +++ b/src/client_side_request.cc
@@ -80,6 +80,11 @@
 static const char *const crlf = "\r\n";
 #if FOLLOW_X_FORWARDED_FOR
 +
 +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
 +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
 +#endif
 +
 static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
 #endif /* FOLLOW_X_FORWARDED_FOR */
@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
             }
 -            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 -            return;
 +            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
 +                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 +                return;
 +            }
 +            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
 +            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
 +                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
 +                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
 +                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
 +            // fall through to resume clientAccessCheck() processing
         }
     }
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  5.5
-Release:  9%{?dist}
+Release:  10%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -68,6 +68,8 @@ Patch508: squid-5.5-CVE-2023-46724.patch
 Patch509: squid-5.5-CVE-2023-49285.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252923
 Patch510: squid-5.5-CVE-2023-49286.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2254663
 Patch511: squid-5.5-CVE-2023-50269.patch
 # cache_swap.sh
@ -154,6 +156,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch508 -p1 -b .CVE-2023-46724
 %patch509 -p1 -b .CVE-2023-49285
 %patch510 -p1 -b .CVE-2023-49286
 %patch511 -p1 -b .CVE-2023-50269
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@ -380,6 +383,10 @@ fi
 %changelog
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-10
 - Resolves: RHEL-19556 - squid: denial of service in HTTP request
  parsing (CVE-2023-50269)
 * Thu Feb 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-9
 - Resolves: RHEL-18354 - squid: Buffer over-read in the HTTP Message processing
  feature (CVE-2023-49285)