Fix CVE-2023-46846 CVE-2023-46847
This commit is contained in:
parent
297f15c9e2
commit
a19c7db24c
File diff suppressed because it is too large
Load Diff
179
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
179
SOURCES/squid-4.15-CVE-2023-46846.patch
Normal file
@ -0,0 +1,179 @@
|
||||
From 1b17fc9ee99b822dcca6149d1b30e3aaf7d661cf Mon Sep 17 00:00:00 2001
|
||||
From: Amos Jeffries <yadij@users.noreply.github.com>
|
||||
Date: Fri, 13 Oct 2023 08:44:16 +0000
|
||||
Subject: [PATCH 2/2] RFC 9112: Improve HTTP chunked encoding compliance
|
||||
(#1498)
|
||||
|
||||
---
|
||||
src/http/one/Parser.cc | 8 +-------
|
||||
src/http/one/Parser.h | 4 +---
|
||||
src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++-----
|
||||
src/parser/Tokenizer.cc | 12 ++++++++++++
|
||||
src/parser/Tokenizer.h | 7 +++++++
|
||||
5 files changed, 39 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
|
||||
index affe0b1..05591fe 100644
|
||||
--- a/src/http/one/Parser.cc
|
||||
+++ b/src/http/one/Parser.cc
|
||||
@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters()
|
||||
void
|
||||
Http::One::Parser::skipLineTerminator(Tokenizer &tok) const
|
||||
{
|
||||
- if (tok.skip(Http1::CrLf()))
|
||||
- return;
|
||||
-
|
||||
if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF))
|
||||
return;
|
||||
|
||||
- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r'))
|
||||
- throw InsufficientInput();
|
||||
-
|
||||
- throw TexcHere("garbage instead of CRLF line terminator");
|
||||
+ tok.skipRequired("line-terminating CRLF", Http1::CrLf());
|
||||
}
|
||||
|
||||
/// all characters except the LF line terminator
|
||||
diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
|
||||
index 40e281b..9a2a4ad 100644
|
||||
--- a/src/http/one/Parser.h
|
||||
+++ b/src/http/one/Parser.h
|
||||
@@ -120,9 +120,7 @@ protected:
|
||||
* detect and skip the CRLF or (if tolerant) LF line terminator
|
||||
* consume from the tokenizer.
|
||||
*
|
||||
- * \throws exception on bad or InsuffientInput.
|
||||
- * \retval true only if line terminator found.
|
||||
- * \retval false incomplete or missing line terminator, need more data.
|
||||
+ * \throws exception on bad or InsufficientInput
|
||||
*/
|
||||
void skipLineTerminator(Tokenizer &) const;
|
||||
|
||||
diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
|
||||
index 6d2f8ea..3bff6c7 100644
|
||||
--- a/src/http/one/TeChunkedParser.cc
|
||||
+++ b/src/http/one/TeChunkedParser.cc
|
||||
@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok)
|
||||
{
|
||||
Must(theChunkSize <= 0); // Should(), really
|
||||
|
||||
+ static const SBuf bannedHexPrefixLower("0x");
|
||||
+ static const SBuf bannedHexPrefixUpper("0X");
|
||||
+ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper))
|
||||
+ throw TextException("chunk starts with 0x", Here());
|
||||
+
|
||||
int64_t size = -1;
|
||||
if (tok.int64(size, 16, false) && !tok.atEnd()) {
|
||||
if (size < 0)
|
||||
@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
|
||||
// bad or insufficient input, like in the code below. TODO: Expand up.
|
||||
try {
|
||||
parseChunkExtensions(tok); // a possibly empty chunk-ext list
|
||||
- skipLineTerminator(tok);
|
||||
+ tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
|
||||
buf_ = tok.remaining();
|
||||
parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
|
||||
return true;
|
||||
@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
|
||||
// other exceptions bubble up to kill message parsing
|
||||
}
|
||||
|
||||
-/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667):
|
||||
+/// Parses the chunk-ext list (RFC 9112 section 7.1.1:
|
||||
/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
|
||||
void
|
||||
-Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
|
||||
+Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
|
||||
{
|
||||
do {
|
||||
+ auto tok = callerTok;
|
||||
+
|
||||
ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
|
||||
|
||||
if (!tok.skip(';'))
|
||||
@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
|
||||
|
||||
parseOneChunkExtension(tok);
|
||||
buf_ = tok.remaining(); // got one extension
|
||||
+ callerTok = tok;
|
||||
} while (true);
|
||||
}
|
||||
|
||||
@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName
|
||||
/// Parses a single chunk-ext list element:
|
||||
/// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
|
||||
void
|
||||
-Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
|
||||
+Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok)
|
||||
{
|
||||
+ auto tok = callerTok;
|
||||
+
|
||||
ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name
|
||||
|
||||
const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR);
|
||||
+ callerTok = tok; // in case we determine that this is a valueless chunk-ext
|
||||
|
||||
ParseBws(tok);
|
||||
|
||||
@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
|
||||
customExtensionValueParser->parse(tok, extName);
|
||||
else
|
||||
ChunkExtensionValueParser::Ignore(tok, extName);
|
||||
+
|
||||
+ callerTok = tok;
|
||||
}
|
||||
|
||||
bool
|
||||
@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok)
|
||||
Must(theLeftBodySize == 0); // Should(), really
|
||||
|
||||
try {
|
||||
- skipLineTerminator(tok);
|
||||
+ tok.skipRequired("chunk CRLF", Http1::CrLf());
|
||||
buf_ = tok.remaining(); // parse checkpoint
|
||||
theChunkSize = 0; // done with the current chunk
|
||||
parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ;
|
||||
diff --git a/src/parser/Tokenizer.cc b/src/parser/Tokenizer.cc
|
||||
index 68f4aec..8516869 100644
|
||||
--- a/src/parser/Tokenizer.cc
|
||||
+++ b/src/parser/Tokenizer.cc
|
||||
@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const CharacterSet &tokenChars)
|
||||
return success(prefixLen);
|
||||
}
|
||||
|
||||
+void
|
||||
+Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip)
|
||||
+{
|
||||
+ if (skip(tokenToSkip) || tokenToSkip.isEmpty())
|
||||
+ return;
|
||||
+
|
||||
+ if (tokenToSkip.startsWith(buf_))
|
||||
+ throw InsufficientInput();
|
||||
+
|
||||
+ throw TextException(ToSBuf("cannot skip ", description), Here());
|
||||
+}
|
||||
+
|
||||
bool
|
||||
Parser::Tokenizer::skipOne(const CharacterSet &chars)
|
||||
{
|
||||
diff --git a/src/parser/Tokenizer.h b/src/parser/Tokenizer.h
|
||||
index 03a8388..78ab9e7 100644
|
||||
--- a/src/parser/Tokenizer.h
|
||||
+++ b/src/parser/Tokenizer.h
|
||||
@@ -115,6 +115,13 @@ public:
|
||||
*/
|
||||
SBuf::size_type skipAll(const CharacterSet &discardables);
|
||||
|
||||
+ /** skips a given character sequence (string);
|
||||
+ * does nothing if the sequence is empty
|
||||
+ *
|
||||
+ * \throws exception on mismatching prefix or InsufficientInput
|
||||
+ */
|
||||
+ void skipRequired(const char *description, const SBuf &tokenToSkip);
|
||||
+
|
||||
/** Removes a single trailing character from the set.
|
||||
*
|
||||
* \return whether a character was removed
|
||||
--
|
||||
2.39.3
|
||||
|
39
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
39
SOURCES/squid-4.15-CVE-2023-46847.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From dc0e10bec3334053c1a5297e50dd7052ea18aef0 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Bason <nonsleepr@gmail.com>
|
||||
Date: Sun, 15 Oct 2023 13:04:47 +0000
|
||||
Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
|
||||
(#1517)
|
||||
|
||||
The bug was discovered and detailed by Joshua Rogers at
|
||||
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
|
||||
where it was filed as "Stack Buffer Overflow in Digest Authentication".
|
||||
---
|
||||
src/auth/digest/Config.cc | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
|
||||
index f00e2ba68..3c070d242 100644
|
||||
--- a/src/auth/digest/Config.cc
|
||||
+++ b/src/auth/digest/Config.cc
|
||||
@@ -827,11 +827,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
|
||||
break;
|
||||
|
||||
case DIGEST_NC:
|
||||
- if (value.size() != 8) {
|
||||
+ if (value.size() == 8) {
|
||||
+ // for historical reasons, the nc value MUST be exactly 8 bytes
|
||||
+ static_assert(sizeof(digest_request->nc) == 8 + 1);
|
||||
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
+ } else {
|
||||
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
|
||||
+ digest_request->nc[0] = 0;
|
||||
}
|
||||
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
|
||||
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
|
||||
break;
|
||||
|
||||
case DIGEST_CNONCE:
|
||||
--
|
||||
2.25.1
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 4.15
|
||||
Release: 6%{?dist}
|
||||
Release: 6%{?dist}.1.alma.1
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -38,6 +38,7 @@ Patch206: squid-4.11-active-ftp.patch
|
||||
Patch208: squid-4.11-convert-ipv4.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2006121
|
||||
Patch209: squid-4.15-ftp-filename-extraction.patch
|
||||
Patch210: 0001-Fix-incremental-parsing-of-chunked-quoted-extensions.patch
|
||||
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1941506
|
||||
@ -46,6 +47,10 @@ Patch300: squid-4.15-CVE-2021-28116.patch
|
||||
Patch301: squid-4.15-CVE-2021-46784.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
|
||||
Patch302: squid-4.15-CVE-2022-41318.patch
|
||||
# OL squid-4.15-6.0.1.module+el8.8.0+90059+985ac402
|
||||
Patch303: squid-4.15-CVE-2023-46846.patch
|
||||
# OL squid-4.15-6.0.1.module+el8.8.0+90059+985ac402
|
||||
Patch304: squid-4.15-CVE-2023-46847.patch
|
||||
|
||||
Requires: bash >= 2.0
|
||||
Requires(pre): shadow-utils
|
||||
@ -107,11 +112,14 @@ lookup program (dnsserver), a program for retrieving FTP data
|
||||
%patch206 -p1 -b .active-ftp
|
||||
%patch208 -p1 -b .convert-ipv4
|
||||
%patch209 -p1 -b .ftp-fn-extraction
|
||||
%patch210 -p1 -b .fix-incremental-parsing
|
||||
|
||||
# Security patches
|
||||
%patch300 -p1 -b .CVE-2021-28116
|
||||
%patch301 -p1 -b .CVE-2021-46784
|
||||
%patch302 -p1 -b .CVE-2022-41318
|
||||
%patch303 -p1 -b .CVE-2023-46846
|
||||
%patch304 -p1 -b .CVE-2023-46847
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||
# Patch in the vendor documentation and used different location for documentation
|
||||
@ -328,6 +336,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 09 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 4.15-6.1
|
||||
- CVE-2023-46846 RFC 9112: Improve HTTP chunked encoding compliance
|
||||
- CVE-2023-46847 Fix stack buffer overflow when parsing Digest Authorization
|
||||
|
||||
* Thu Dec 08 2022 Tomas Korbar <tkorbar@redhat.com> - 4.15-6
|
||||
- Resolves: #2072988 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
|
||||
flag to sockets created for outgoing connections in the squid source code.
|
||||
|
Loading…
Reference in New Issue
Block a user