import OL squid-4.15-7.module+el8.9.0+90111+615ac445.5

2024-01-08 07:36:06 +00:00 · 2024-01-08 07:36:06 +00:00 · b5d3c5c00b
commit b5d3c5c00b
parent 9beaf3832c
5 changed files with 3560 additions and 1 deletions
--- a/SOURCES/squid-4.15-CVE-2023-46724.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46724.patch
@ -0,0 +1,38 @@
+From 792ef23e6e1c05780fe17f733859eef6eb8c8be3 Mon Sep 17 00:00:00 2001
+From: Andreas Weigel <andreas.weigel@securepoint.de>
+Date: Wed, 18 Oct 2023 04:14:31 +0000
+Subject: [PATCH] Fix validation of certificates with CN=* (#1523)
+
+The bug was discovered and detailed by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/
+where it was filed as "Buffer UnderRead in SSL CN Parsing".
+---
+ src/anyp/Uri.cc | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index 77b6f0c92..a6a5d5d9e 100644
+--- a/src/anyp/Uri.cc
+++ b/src/anyp/Uri.cc
+@@ -173,6 +173,10 @@ urlInitialize(void)
+     assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
+     assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
+ 
+    assert(0 != matchDomainName("foo.com", ""));
+    assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
+    assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
+
+     /* more cases? */
+ }
+ 
+@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
+         return -1;
+ 
+     dl = strlen(d);
+    if (dl == 0)
+        return 1;
+ 
+     /*
+      * Start at the ends of the two strings and work towards the
+-- 
+2.25.1
--- a/SOURCES/squid-4.15-CVE-2023-46728.patch
+++ b/SOURCES/squid-4.15-CVE-2023-46728.patch
--- a/SOURCES/squid-4.15-CVE-2023-49285.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49285.patch
@ -0,0 +1,38 @@
+commit deee944f9a12c9fd399ce52f3e2526bb573a9470
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Wed Oct 25 19:41:45 2023 +0000
+
+    RFC 1123: Fix date parsing (#1538)
+
+    The bug was discovered and detailed by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
+    where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
+    Handling".
+
+Back port upstream patch
+Signed-Off-By: tianyue.lan@oracle.com
+---
+ lib/rfc1123.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/rfc1123.c b/lib/rfc1123.c
+index 2d889cc..add63f0 100644
+--- a/lib/rfc1123.c
+++ b/lib/rfc1123.c
+@@ -50,7 +50,13 @@ make_month(const char *s)
+     char month[3];
+ 
+     month[0] = xtoupper(*s);
+    if (!month[0])
+        return -1; // protects *(s + 1) below
+
+     month[1] = xtolower(*(s + 1));
+    if (!month[1])
+        return -1; // protects *(s + 2) below
+
+     month[2] = xtolower(*(s + 2));
+ 
+     for (i = 0; i < 12; i++)
+-- 
+2.39.3
+
--- a/SOURCES/squid-4.15-CVE-2023-49286.patch
+++ b/SOURCES/squid-4.15-CVE-2023-49286.patch
@ -0,0 +1,88 @@
+commit 6014c6648a2a54a4ecb7f952ea1163e0798f9264
+Author: Alex Rousskov <rousskov@measurement-factory.com>
+Date:   Fri Oct 27 21:27:20 2023 +0000
+
+    Exit without asserting when helper process startup fails (#1543)
+
+    ... to dup() after fork() and before execvp().
+
+    Assertions are for handling program logic errors. Helper initialization
+    code already handled system call errors correctly (i.e. by exiting the
+    newly created helper process with an error), except for a couple of
+    assert()s that could be triggered by dup(2) failures.
+
+    This bug was discovered and detailed by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html
+    where it was filed as 'Assertion in Squid "Helper" Process Creator'.
+
+Back port upstream patch
+Signed-Off-By: tianyue.lan@oracle.com
+---
+ src/ipc.cc | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/src/ipc.cc b/src/ipc.cc
+index e92a27f..3ddae70 100644
+--- a/src/ipc.cc
+++ b/src/ipc.cc
+@@ -19,6 +19,11 @@
+ #include "SquidConfig.h"
+ #include "SquidIpc.h"
+ #include "tools.h"
+#include <cstdlib>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+ 
+ static const char *hello_string = "hi there\n";
+ #ifndef HELLO_BUF_SZ
+@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+     }
+ 
+     PutEnvironment();
+
+    // A dup(2) wrapper that reports and exits the process on errors. The
+    // exiting logic is only suitable for this child process context.
+    const auto dupOrExit = [prog,name](const int oldFd) {
+        const auto newFd = dup(oldFd);
+        if (newFd < 0) {
+            const auto savedErrno = errno;
+            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
+                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
+                   Debug::Extra << "helper program name: " << prog <<
+                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
+            _exit(EXIT_FAILURE);
+        }
+        return newFd;
+    };
+
+     /*
+      * This double-dup stuff avoids problems when one of
+      *  crfd, cwfd, or debug_log are in the rage 0-2.
+@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
+ 
+     do {
+         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
+-        x = dup(crfd);
+-        assert(x > -1);
+-    } while (x < 3 && x > -1);
+        x = dupOrExit(crfd);
+    } while (x < 3);
+ 
+     close(x);
+ 
+-    t1 = dup(crfd);
+    t1 = dupOrExit(crfd);
+ 
+-    t2 = dup(cwfd);
+    t2 = dupOrExit(cwfd);
+ 
+-    t3 = dup(fileno(debug_log));
+    t3 = dupOrExit(fileno(debug_log));
+ 
+     assert(t1 > 2 && t2 > 2 && t3 > 2);
+ 
+-- 
+2.39.3
+
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.15
-Release:  7%{?dist}.3
+Release:  7%{?dist}.5
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -62,6 +62,10 @@ Patch1004: 0004-Remove-mem_hdr-freeDataUpto-assertion-1562.patch
 Patch1005: 0005-Backport-Add-Assure-as-a-replacement-for-problematic.patch
 Patch1006: 0006-Backport-additional-functions-for-SquidMath.patch
 Patch1007: 0007-Adapt-to-older-gcc-cleanup.patch
+Patch1008: squid-4.15-CVE-2023-46724.patch 
+Patch1009: squid-4.15-CVE-2023-46728.patch
+Patch1010: squid-4.15-CVE-2023-49285.patch
+Patch1011: squid-4.15-CVE-2023-49286.patch


 Requires: bash >= 2.0
@ -142,6 +146,10 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch1005 -p1
 %patch1006 -p1
 %patch1007 -p1
+%patch1008 -p1
+%patch1009 -p1
+%patch1010 -p1
+%patch1011 -p1

 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
@ -358,6 +366,12 @@ fi


 %changelog
+* Wed Jan 03 2024 Tianyue Lan <tianyue.lan@oracle.com> - 7:4.15-7.5
+- Fix squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)
+- Fix squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)
+- Fix squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)
+- Fix squid: Incorrect Check of Function Return Value In Helper Process management(CVE-2023-49286)
+
 * Sun Dec 09 2023 Alex Burmashev <alexander.burmashev@oracle.com> - 7:4.15-7.3
 - Fix squid: DoS against HTTP and HTTPS (CVE-2023-5824)