import OL squid-4.15-7.module+el8.9.0+90111+615ac445.5

This commit is contained in:
eabdullin 2024-01-08 07:36:06 +00:00
parent 9beaf3832c
commit b5d3c5c00b
5 changed files with 3560 additions and 1 deletions

View File

@ -0,0 +1,38 @@
From 792ef23e6e1c05780fe17f733859eef6eb8c8be3 Mon Sep 17 00:00:00 2001
From: Andreas Weigel <andreas.weigel@securepoint.de>
Date: Wed, 18 Oct 2023 04:14:31 +0000
Subject: [PATCH] Fix validation of certificates with CN=* (#1523)
The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/
where it was filed as "Buffer UnderRead in SSL CN Parsing".
---
src/anyp/Uri.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
index 77b6f0c92..a6a5d5d9e 100644
--- a/src/anyp/Uri.cc
+++ b/src/anyp/Uri.cc
@@ -173,6 +173,10 @@ urlInitialize(void)
assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
+ assert(0 != matchDomainName("foo.com", ""));
+ assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
+ assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
+
/* more cases? */
}
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
return -1;
dl = strlen(d);
+ if (dl == 0)
+ return 1;
/*
* Start at the ends of the two strings and work towards the
--
2.25.1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,38 @@
commit deee944f9a12c9fd399ce52f3e2526bb573a9470
Author: Alex Rousskov <rousskov@measurement-factory.com>
Date: Wed Oct 25 19:41:45 2023 +0000
RFC 1123: Fix date parsing (#1538)
The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
Handling".
Back port upstream patch
Signed-Off-By: tianyue.lan@oracle.com
---
lib/rfc1123.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/rfc1123.c b/lib/rfc1123.c
index 2d889cc..add63f0 100644
--- a/lib/rfc1123.c
+++ b/lib/rfc1123.c
@@ -50,7 +50,13 @@ make_month(const char *s)
char month[3];
month[0] = xtoupper(*s);
+ if (!month[0])
+ return -1; // protects *(s + 1) below
+
month[1] = xtolower(*(s + 1));
+ if (!month[1])
+ return -1; // protects *(s + 2) below
+
month[2] = xtolower(*(s + 2));
for (i = 0; i < 12; i++)
--
2.39.3

View File

@ -0,0 +1,88 @@
commit 6014c6648a2a54a4ecb7f952ea1163e0798f9264
Author: Alex Rousskov <rousskov@measurement-factory.com>
Date: Fri Oct 27 21:27:20 2023 +0000
Exit without asserting when helper process startup fails (#1543)
... to dup() after fork() and before execvp().
Assertions are for handling program logic errors. Helper initialization
code already handled system call errors correctly (i.e. by exiting the
newly created helper process with an error), except for a couple of
assert()s that could be triggered by dup(2) failures.
This bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html
where it was filed as 'Assertion in Squid "Helper" Process Creator'.
Back port upstream patch
Signed-Off-By: tianyue.lan@oracle.com
---
src/ipc.cc | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/ipc.cc b/src/ipc.cc
index e92a27f..3ddae70 100644
--- a/src/ipc.cc
+++ b/src/ipc.cc
@@ -19,6 +19,11 @@
#include "SquidConfig.h"
#include "SquidIpc.h"
#include "tools.h"
+#include <cstdlib>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
static const char *hello_string = "hi there\n";
#ifndef HELLO_BUF_SZ
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
}
PutEnvironment();
+
+ // A dup(2) wrapper that reports and exits the process on errors. The
+ // exiting logic is only suitable for this child process context.
+ const auto dupOrExit = [prog,name](const int oldFd) {
+ const auto newFd = dup(oldFd);
+ if (newFd < 0) {
+ const auto savedErrno = errno;
+ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
+ Debug::Extra << "helper (CHILD) PID: " << getpid() <<
+ Debug::Extra << "helper program name: " << prog <<
+ Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
+ _exit(EXIT_FAILURE);
+ }
+ return newFd;
+ };
+
/*
* This double-dup stuff avoids problems when one of
* crfd, cwfd, or debug_log are in the rage 0-2.
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
do {
/* First make sure 0-2 is occupied by something. Gets cleaned up later */
- x = dup(crfd);
- assert(x > -1);
- } while (x < 3 && x > -1);
+ x = dupOrExit(crfd);
+ } while (x < 3);
close(x);
- t1 = dup(crfd);
+ t1 = dupOrExit(crfd);
- t2 = dup(cwfd);
+ t2 = dupOrExit(cwfd);
- t3 = dup(fileno(debug_log));
+ t3 = dupOrExit(fileno(debug_log));
assert(t1 > 2 && t2 > 2 && t3 > 2);
--
2.39.3

View File

@ -2,7 +2,7 @@
Name: squid Name: squid
Version: 4.15 Version: 4.15
Release: 7%{?dist}.3 Release: 7%{?dist}.5
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code # See CREDITS for breakdown of non GPLv2+ code
@ -62,6 +62,10 @@ Patch1004: 0004-Remove-mem_hdr-freeDataUpto-assertion-1562.patch
Patch1005: 0005-Backport-Add-Assure-as-a-replacement-for-problematic.patch Patch1005: 0005-Backport-Add-Assure-as-a-replacement-for-problematic.patch
Patch1006: 0006-Backport-additional-functions-for-SquidMath.patch Patch1006: 0006-Backport-additional-functions-for-SquidMath.patch
Patch1007: 0007-Adapt-to-older-gcc-cleanup.patch Patch1007: 0007-Adapt-to-older-gcc-cleanup.patch
Patch1008: squid-4.15-CVE-2023-46724.patch
Patch1009: squid-4.15-CVE-2023-46728.patch
Patch1010: squid-4.15-CVE-2023-49285.patch
Patch1011: squid-4.15-CVE-2023-49286.patch
Requires: bash >= 2.0 Requires: bash >= 2.0
@ -142,6 +146,10 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch1005 -p1 %patch1005 -p1
%patch1006 -p1 %patch1006 -p1
%patch1007 -p1 %patch1007 -p1
%patch1008 -p1
%patch1009 -p1
%patch1010 -p1
%patch1011 -p1
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation # Patch in the vendor documentation and used different location for documentation
@ -358,6 +366,12 @@ fi
%changelog %changelog
* Wed Jan 03 2024 Tianyue Lan <tianyue.lan@oracle.com> - 7:4.15-7.5
- Fix squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)
- Fix squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)
- Fix squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)
- Fix squid: Incorrect Check of Function Return Value In Helper Process management(CVE-2023-49286)
* Sun Dec 09 2023 Alex Burmashev <alexander.burmashev@oracle.com> - 7:4.15-7.3 * Sun Dec 09 2023 Alex Burmashev <alexander.burmashev@oracle.com> - 7:4.15-7.3
- Fix squid: DoS against HTTP and HTTPS (CVE-2023-5824) - Fix squid: DoS against HTTP and HTTPS (CVE-2023-5824)