Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request

parsing (CVE-2023-50269)
2024-02-02 05:47:19 +01:00 · 2024-02-02 05:47:19 +01:00 · b453d4cb91
commit b453d4cb91
parent 42ed4e34d5
2 changed files with 58 additions and 1 deletions
--- a/squid-4.15-CVE-2023-50269.patch
+++ b/squid-4.15-CVE-2023-50269.patch
@ -0,0 +1,50 @@
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index fe2edf6..47aa935 100644
+--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
+@@ -81,6 +81,10 @@ public:
+ #endif
+     ErrorState *error; ///< saved error page for centralized/delayed processing
+     bool readNextRequest; ///< whether Squid should read after error handling
+
+#if FOLLOW_X_FORWARDED_FOR
+    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
+#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 1c6ff62..b758f6f 100644
+--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
+@@ -78,6 +78,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
+
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
+#endif
+
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -485,8 +490,16 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
+                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
+                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+             }
+-            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+-            return;
+            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
+                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+                return;
+            }
+            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
+            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
+                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
+                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
+                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
+            // fall through to resume clientAccessCheck() processing
+         }
+     }
+ 
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.15
-Release:  8%{?dist}
+Release:  9%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -63,6 +63,8 @@ Patch307: squid-4.15-CVE-2023-46724.patch
 Patch308: squid-4.15-CVE-2023-49285.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2252923
 Patch309: squid-4.15-CVE-2023-49286.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2254663
+Patch310: squid-4.15-CVE-2023-50269.patch


 Requires: bash >= 2.0
@ -138,6 +140,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch307 -p1 -b .CVE-2023-46724
 %patch308 -p1 -b .CVE-2023-49285
 %patch309 -p1 -b .CVE-2023-49286
+%patch310 -p1 -b .CVE-2023-50269


 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
@ -355,6 +358,10 @@ fi


 %changelog
+* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-9
+- Resolves: RHEL-19552 - squid:4/squid: denial of service in HTTP request 
+  parsing (CVE-2023-50269)
+
 * Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-8
 - Resolves: RHEL-18351 - squid:4/squid: Buffer over-read in the HTTP Message
  processing feature (CVE-2023-49285)