From c606686d6e5d73347f331eedc5aa7897e419a94a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Thu, 9 May 2024 09:51:08 +0200
Subject: [PATCH] Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when
 ipv6 is disabled

  at kernel level but it is asked to connect to an ipv6 address by a client
---
 squid-5.5-ipv6-crash.patch | 113 +++++++++++++++++++++++++++++++++++++
 squid.spec                 |   9 ++-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 squid-5.5-ipv6-crash.patch

diff --git a/squid-5.5-ipv6-crash.patch b/squid-5.5-ipv6-crash.patch
new file mode 100644
index 0000000..c47f89d
--- /dev/null
+++ b/squid-5.5-ipv6-crash.patch
@@ -0,0 +1,113 @@
+From a0a9e6dc69d0c7b9ba237702b4c5020abc7ad1f8 Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Sat, 4 Nov 2023 00:30:42 +0000
+Subject: [PATCH] Bug 5154: Do not open IPv6 sockets when IPv6 is disabled
+ (#1567)
+
+... but allow basic IPv6 manipulations like getSockAddr().
+
+    Address.cc:663 getAddrInfo() assertion failed: false
+
+Squids receives IPv6 addresses from traffic, configuration, or
+hard-coded constants even when ./configured with --disable-ipv6 or when
+IPv6 support was automatically disabled at startup after failing IPv6
+tests. To handle IPv6 correctly, such Squids must support basic IPv6
+operations like recognizing an IPv6 address in a request-target or
+reporting an unsolicited IPv6 DNS record. At least for now, such Squids
+must also correctly parse configuration-related IPv6 addresses.
+
+All those activities rely on various low-level operations like filling
+addrinfo structure with IP address information. Since 2012 commit
+c5fbbc7, Ip::Address::getAddrInfo() was failing for IPv6 addresses when
+Ip::EnableIpv6 was falsy. That change correctly recognized[^1] the need
+for such Squids to handle IPv6, but to support basic operations, we need
+to reject IPv6 addresses at a higher level and without asserting.
+
+That high-level rejection work is ongoing, but initial attempts have
+exposed difficult problems that will take time to address. For now, we
+just avoid the assertion while protecting IPv6-disabled Squid from
+listening on or opening connections to IPv6 addresses. Since Squid
+already expects (and usually correctly handles) socket opening failures,
+disabling those operations is better than failing in low-level IP
+manipulation code.
+
+The overall IPv6 posture of IPv6-disabled Squids that lack http_access
+or other rules to deny IPv6 requests will change: This fix exposes more
+of IPv6-disabled Squid code to IPv6 addresses. It is possible that such
+exposure will make some IPv6 resources inside Squid (e.g., a previously
+cached HTTP response) accessible to external requests. Squids will not
+open or accept IPv6 connections but may forward requests with raw IPv6
+targets to IPv4 cache_peers. Whether these and similar behavior changes
+are going to be permanent is open for debate, but even if they are
+temporary, they are arguably better than the corresponding assertions.
+
+These changes do not effect IPv6-enabled Squids.
+
+The assertion in IPv6-disabled Squid was reported by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/ipv6-assert.html where
+it was filed as "Assertion on IPv6 Host Requests with --disable-ipv6".
+
+[^1]: https://bugs.squid-cache.org/show_bug.cgi?id=3593#c1
+---
+ src/comm.cc         | 6 ++++++
+ src/ip/Address.cc   | 2 +-
+ src/ip/Intercept.cc | 8 ++++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/comm.cc b/src/comm.cc
+index 4659955b011..271ba04d4da 100644
+--- a/src/comm.cc
++++ b/src/comm.cc
+@@ -344,6 +344,12 @@ comm_openex(int sock_type,
+     /* Create socket for accepting new connections. */
+     ++ statCounter.syscalls.sock.sockets;
+ 
++    if (!Ip::EnableIpv6 && addr.isIPv6()) {
++        debugs(50, 2, "refusing to open an IPv6 socket when IPv6 support is disabled: " << addr);
++        errno = ENOTSUP;
++        return -1;
++    }
++
+     /* Setup the socket addrinfo details for use */
+     addr.getAddrInfo(AI);
+     AI->ai_socktype = sock_type;
+diff --git a/src/ip/Address.cc b/src/ip/Address.cc
+index b6f810bfc25..ae6db37da5e 100644
+--- a/src/ip/Address.cc
++++ b/src/ip/Address.cc
+@@ -623,7 +623,7 @@ Ip::Address::getAddrInfo(struct addrinfo *&dst, int force) const
+             && dst->ai_protocol == 0)
+         dst->ai_protocol = IPPROTO_UDP;
+ 
+-    if (force == AF_INET6 || (force == AF_UNSPEC && Ip::EnableIpv6 && isIPv6()) ) {
++    if (force == AF_INET6 || (force == AF_UNSPEC && isIPv6()) ) {
+         dst->ai_addr = (struct sockaddr*)new sockaddr_in6;
+ 
+         memset(dst->ai_addr,0,sizeof(struct sockaddr_in6));
+diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
+index 1a5e2d15af1..a8522efaac0 100644
+--- a/src/ip/Intercept.cc
++++ b/src/ip/Intercept.cc
+@@ -15,6 +15,7 @@
+ #include "comm/Connection.h"
+ #include "fde.h"
+ #include "ip/Intercept.h"
++#include "ip/tools.h"
+ #include "src/tools.h"
+ 
+ #include <cerrno>
+@@ -430,6 +431,13 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test)
+ 
+     debugs(3, 3, "Detect TPROXY support on port " << test);
+ 
++    if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
++        debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
++        if (doneSuid)
++            leave_suid();
++        return false;
++    }
++
+     int tos = 1;
+     int tmp_sock = -1;
+ 
+
diff --git a/squid.spec b/squid.spec
index 3efa982..c779c3c 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 
 Name:     squid
 Version:  5.5
-Release:  12%{?dist}
+Release:  13%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -46,6 +46,8 @@ Patch207: squid-5.0.6-active-ftp.patch
 Patch208: squid-5.1-test-store-cppsuite.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2231827
 Patch209: squid-5.5-halfclosed.patch
+# https://issues.redhat.com/browse/RHEL-30352
+Patch210: squid-5.5-ipv6-crash.patch
 
 # Security patches
 # https://bugzilla.redhat.com/show_bug.cgi?id=2100721
@@ -149,6 +151,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch207 -p1 -b .active-ftp
 %patch208 -p1 -b .test-store-cpp
 %patch209 -p1 -b .halfclosed
+%patch210 -p1 -b .ipv6-crash
 
 %patch501 -p1 -b .CVE-2021-46784
 %patch502 -p1 -b .CVE-2022-41318
@@ -390,6 +393,10 @@ fi
 
 
 %changelog
+* Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
+- Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
+  at kernel level but it is asked to connect to an ipv6 address by a client
+
 * Tue Mar 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-12
 - Resolves: RHEL-28530 - squid: Denial of Service in HTTP Chunked
   Decoding (CVE-2024-25111)