import UBI squid-5.5-22.el9_7.4

2026-03-31 16:33:21 -04:00 · 2026-03-31 16:33:21 -04:00 · a8b682e74e
commit a8b682e74e
parent 0bcd7b0156
3 changed files with 212 additions and 1 deletions
--- a/SOURCES/squid-5.5-CVE-2026-32748.patch
+++ b/SOURCES/squid-5.5-CVE-2026-32748.patch
@ -0,0 +1,179 @@
+commit 6d238b8a1558553675a8d284e21f37c1ca552816
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Mon Mar 30 10:20:49 2026 +0200
+
+    Fix CVE-2026-32748
+
+diff --git a/src/ICP.h b/src/ICP.h
+index 0e3c46b..53c9e73 100644
+--- a/src/ICP.h
+++ b/src/ICP.h
+@@ -88,10 +88,7 @@ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+ 
+ /// \ingroup ServerProtocolICPAPI
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
+-
+-/// \ingroup ServerProtocolICPAPI
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
+HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from, AccessLogEntryPointer);
+@@ -100,7 +97,7 @@ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pa
+ icp_opcode icpGetCommonOpcode();
+ 
+ /// \ingroup ServerProtocolICPAPI
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd);
+void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ PF icpHandleUdp;
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index 83c1bf1..3d5efda 100644
+--- a/src/icp_v2.cc
+++ b/src/icp_v2.cc
+@@ -449,7 +449,7 @@ icpCreateAndSend(icp_opcode opcode, int flags, char const *url, int reqnum, int
+ }
+ 
+ void
+-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd)
+ {
+     debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << ".");
+ 
+@@ -464,8 +464,9 @@ icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+     }
+ }
+ 
+-bool
+-icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
+/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query
+static bool
+icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+ {
+     /* absent any explicit rules, we deny all */
+     if (!Config.accessList.icp)
+@@ -486,8 +487,8 @@ icpGetUrlToSend(char *url)
+         return url;
+ }
+ 
+-HttpRequest *
+-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+HttpRequest::Pointer
+icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from)
+ {
+     if (strpbrk(url, w_space)) {
+         icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from, nullptr);
+@@ -495,12 +496,17 @@ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+     }
+ 
+     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcp);
+-    auto *result = HttpRequest::FromUrlXXX(url, mx);
+-    if (!result)
+-        icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
+    if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) {
+        if (!icpAccessAllowed(from, request.getRaw())) {
+            icpDenyAccess(from, url, reqnum, fd);
+            return nullptr;
+        }
+ 
+-    return result;
+        return request;
+    }
+ 
+    icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
+    return nullptr;
+ }
+ 
+ static void
+@@ -511,18 +517,11 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     uint32_t flags = 0;
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    HTTPMSGLOCK(icp_request);
+-
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess(from, url, header.reqnum, fd);
+-        HTTPMSGUNLOCK(icp_request);
+-        return;
+-    }
+ #if USE_ICMP
+     if (header.flags & ICP_FLAG_SRC_RTT) {
+         rtt = netdbHostRtt(icp_request->url.host());
+@@ -535,7 +534,7 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ #endif /* USE_ICMP */
+ 
+     /* The peer is allowed to use this cache */
+-    ICP2State *state = new ICP2State(header, icp_request);
+    ICP2State *state = new ICP2State(header, icp_request.getRaw());
+     state->fd = fd;
+     state->from = from;
+     state->url = xstrdup(url);
+@@ -544,8 +543,6 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     state->src_rtt = src_rtt;
+ 
+     StoreEntry::getPublic(state, url, Http::METHOD_GET);
+-
+-    HTTPMSGUNLOCK(icp_request);
+ }
+ 
+ void
+diff --git a/src/icp_v3.cc b/src/icp_v3.cc
+index 54ce7b8..92afb7a 100644
+--- a/src/icp_v3.cc
+++ b/src/icp_v3.cc
+@@ -37,19 +37,13 @@ doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ {
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess (from, url, header.reqnum, fd);
+-        delete icp_request;
+-        return;
+-    }
+-
+     /* The peer is allowed to use this cache */
+-    ICP3State *state = new ICP3State (header, icp_request);
+    ICP3State *state = new ICP3State (header, icp_request.getRaw());
+     state->fd = fd;
+     state->from = from;
+     state->url = xstrdup(url);
+diff --git a/src/tests/stub_icp.cc b/src/tests/stub_icp.cc
+index a6a81da..4f3d1f2 100644
+--- a/src/tests/stub_icp.cc
+++ b/src/tests/stub_icp.cc
+@@ -9,6 +9,7 @@
+ #include "squid.h"
+ #include "AccessLogEntry.h"
+ #include "comm/Connection.h"
+#include "HttpRequest.h"
+ #include "ICP.h"
+ 
+ #define STUB_API "icp_*.cc"
+@@ -29,11 +30,10 @@ Comm::ConnectionPointer icpIncomingConn;
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+ 
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) STUB_RETVAL(NULL)
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) STUB_RETVAL(false)
+HttpRequest::Pointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr)
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from, AccessLogEntryPointer) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd) STUB
+void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB
+ void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB
+ void icpConnectionsOpen(void) STUB
+ void icpConnectionShutdown(void) STUB
--- a/SOURCES/squid-5.5-CVE-2026-33526.patch
+++ b/SOURCES/squid-5.5-CVE-2026-33526.patch
@ -0,0 +1,18 @@
+commit aa6ea619ad7a4f6e2cd54141d3d5289bda57e200
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Mon Mar 30 10:10:57 2026 +0200
+
+    Fix CVE-2026-33526
+
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index 2cdbb48..83c1bf1 100644
+--- a/src/icp_v2.cc
+++ b/src/icp_v2.cc
+@@ -490,7 +490,6 @@ HttpRequest *
+ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+ {
+     if (strpbrk(url, w_space)) {
+-        url = rfc1738_escape(url);
+         icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from, nullptr);
+         return NULL;
+     }
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  5.5
-Release:  22%{?dist}.2
+Release:  22%{?dist}.4
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -97,6 +97,10 @@ Patch515: squid-5.5-CVE-2024-23638.patch
 Patch516: squid-5.5-ignore-wsp-after-chunk-size.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2404736
 Patch517: squid-5.5-CVE-2025-62168.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451574
+Patch518: squid-5.5-CVE-2026-33526.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451577
+Patch519: squid-5.5-CVE-2026-32748.patch

 # cache_swap.sh
 Requires: bash gawk
@ -193,6 +197,8 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch515 -p1 -b .CVE-2024-23638
 %patch516 -p1 -b .ignore-wsp-chunk-sz
 %patch517 -p1 -b .CVE-2025-62168
+%patch518 -p1 -b .CVE-2026-33526
+%patch519 -p1 -b .CVE-2026-32748

 # patch506 follow-up
 %patch212 -p1 -b .fatal-read-data-from-mem
@ -424,6 +430,14 @@ fi


 %changelog
+* Mon Mar 30 2026 Tomas Korbar <tkorbar@redhat.com> - 7:5.5-22.4
+- Resolves: RHEL-160692 - squid: Squid: Denial of Service via
+  crafted ICP traffic (CVE-2026-32748)
+
+* Mon Mar 30 2026 Tomas Korbar <tkorbar@redhat.com> - 7:5.5-22.3
+- Resolves: RHEL-160693 - squid: Squid: Denial of Service via
+  heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
+
 * Thu Dec 04 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-22.2
 - Resolves: RHEL-131797 - "ICAP_ERR_OTHER/408" occurs in icap.log when
  downloading a file on RHEL9