Resolves: RHEL-122481 - squid: Squid vulnerable to information disclosure via
authentication credential leakage in error handling (CVE-2025-62168)
This commit is contained in:
parent
a20627248e
commit
c78c76326b
173
squid-6.10-CVE-2025-62168.patch
Normal file
173
squid-6.10-CVE-2025-62168.patch
Normal file
@ -0,0 +1,173 @@
|
||||
diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
|
||||
index d6be6ae..5c85eb8 100644
|
||||
--- a/src/HttpRequest.cc
|
||||
+++ b/src/HttpRequest.cc
|
||||
@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
|
||||
|
||||
/* packs request-line and headers, appends <crlf> terminator */
|
||||
void
|
||||
-HttpRequest::pack(Packable * p) const
|
||||
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
|
||||
{
|
||||
assert(p);
|
||||
/* pack request-line */
|
||||
@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
|
||||
SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
|
||||
http_ver.major, http_ver.minor);
|
||||
/* headers */
|
||||
- header.packInto(p);
|
||||
- /* trailer */
|
||||
+ header.packInto(p, maskSensitiveInfo);
|
||||
+ /* indicate the end of the header section */
|
||||
p->append("\r\n", 2);
|
||||
}
|
||||
|
||||
diff --git a/src/HttpRequest.h b/src/HttpRequest.h
|
||||
index 2256a55..2ada8e5 100644
|
||||
--- a/src/HttpRequest.h
|
||||
+++ b/src/HttpRequest.h
|
||||
@@ -206,7 +206,7 @@ public:
|
||||
|
||||
void swapOut(StoreEntry * e);
|
||||
|
||||
- void pack(Packable * p) const;
|
||||
+ void pack(Packable * p, bool maskSensitiveInfo = false) const;
|
||||
|
||||
static void httpRequestPack(void *obj, Packable *p);
|
||||
|
||||
diff --git a/src/cf.data.pre b/src/cf.data.pre
|
||||
index 20a7338..d1f3317 100644
|
||||
--- a/src/cf.data.pre
|
||||
+++ b/src/cf.data.pre
|
||||
@@ -8941,12 +8941,18 @@ NAME: email_err_data
|
||||
COMMENT: on|off
|
||||
TYPE: onoff
|
||||
LOC: Config.onoff.emailErrData
|
||||
-DEFAULT: on
|
||||
+DEFAULT: off
|
||||
DOC_START
|
||||
If enabled, information about the occurred error will be
|
||||
included in the mailto links of the ERR pages (if %W is set)
|
||||
so that the email body contains the data.
|
||||
Syntax is <A HREF="mailto:%w%W">%w</A>
|
||||
+
|
||||
+ SECURITY WARNING:
|
||||
+ Request headers and other included facts may contain
|
||||
+ sensitive information about transaction history, the
|
||||
+ Squid instance, and its environment which would be
|
||||
+ unavailable to error recipients otherwise.
|
||||
DOC_END
|
||||
|
||||
NAME: deny_info
|
||||
diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
|
||||
index 6818d76..860edfc 100644
|
||||
--- a/src/client_side_reply.cc
|
||||
+++ b/src/client_side_reply.cc
|
||||
@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) :
|
||||
void
|
||||
clientReplyContext::setReplyToError(
|
||||
err_type err, Http::StatusCode status, char const *uri,
|
||||
- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
|
||||
+ const ConnStateData *conn, HttpRequest *failedrequest, const char *,
|
||||
#if USE_AUTH
|
||||
Auth::UserRequest::Pointer auth_user_request
|
||||
#else
|
||||
@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
|
||||
{
|
||||
auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
|
||||
|
||||
- if (unparsedrequest)
|
||||
- errstate->request_hdrs = xstrdup(unparsedrequest);
|
||||
-
|
||||
#if USE_AUTH
|
||||
errstate->auth_user_request = auth_user_request;
|
||||
#endif
|
||||
@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
|
||||
triggerInitialStoreRead();
|
||||
http->storeEntry()->releaseRequest();
|
||||
http->storeEntry()->buffer();
|
||||
+ MemBuf content;
|
||||
+ content.init();
|
||||
+ http->request->pack(&content, true /* hide authorization data */);
|
||||
const HttpReplyPointer rep(new HttpReply);
|
||||
- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
|
||||
+ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
|
||||
+ rep->body.set(SBuf(content.buf, content.size));
|
||||
http->storeEntry()->replaceHttpReply(rep);
|
||||
- http->request->swapOut(http->storeEntry());
|
||||
- http->storeEntry()->complete();
|
||||
+ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
|
||||
}
|
||||
|
||||
#define SENDING_BODY 0
|
||||
diff --git a/src/errorpage.cc b/src/errorpage.cc
|
||||
index 0b7e5b8..31566dc 100644
|
||||
--- a/src/errorpage.cc
|
||||
+++ b/src/errorpage.cc
|
||||
@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
|
||||
{
|
||||
safe_free(redirect_url);
|
||||
safe_free(url);
|
||||
- safe_free(request_hdrs);
|
||||
wordlistDestroy(&ftp.server_msg);
|
||||
safe_free(ftp.request);
|
||||
safe_free(ftp.reply);
|
||||
@@ -850,7 +849,10 @@ ErrorState::Dump(MemBuf * mb)
|
||||
SQUIDSBUFPRINT(request->url.path()),
|
||||
AnyP::ProtocolType_str[request->http_ver.protocol],
|
||||
request->http_ver.major, request->http_ver.minor);
|
||||
- request->header.packInto(&str);
|
||||
+ MemBuf r;
|
||||
+ r.init();
|
||||
+ request->pack(&r, true /* hide authorization data */);
|
||||
+ str.append(r.content(), r.contentSize());
|
||||
}
|
||||
|
||||
str.append("\r\n", 2);
|
||||
@@ -1112,18 +1114,10 @@ ErrorState::compileLegacyCode(Build &build)
|
||||
p = "[no request]";
|
||||
break;
|
||||
}
|
||||
- if (request) {
|
||||
- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
|
||||
- SQUIDSBUFPRINT(request->method.image()),
|
||||
- SQUIDSBUFPRINT(request->url.path()),
|
||||
- AnyP::ProtocolType_str[request->http_ver.protocol],
|
||||
- request->http_ver.major, request->http_ver.minor);
|
||||
- request->header.packInto(&mb, true); //hide authorization data
|
||||
- } else if (request_hdrs) {
|
||||
- p = request_hdrs;
|
||||
- } else {
|
||||
+ else if (request)
|
||||
+ request->pack(&mb, true /* hide authorization data */);
|
||||
+ else
|
||||
p = "[no request]";
|
||||
- }
|
||||
break;
|
||||
|
||||
case 's':
|
||||
diff --git a/src/errorpage.h b/src/errorpage.h
|
||||
index 8d23857..0dc10d7 100644
|
||||
--- a/src/errorpage.h
|
||||
+++ b/src/errorpage.h
|
||||
@@ -194,7 +194,6 @@ public:
|
||||
MemBuf *listing = nullptr;
|
||||
} ftp;
|
||||
|
||||
- char *request_hdrs = nullptr;
|
||||
char *err_msg = nullptr; /* Preformatted error message from the cache */
|
||||
|
||||
AccessLogEntryPointer ale; ///< transaction details (or nil)
|
||||
diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc
|
||||
index 495597d..48a0f1c 100644
|
||||
--- a/src/tests/stub_HttpRequest.cc
|
||||
+++ b/src/tests/stub_HttpRequest.cc
|
||||
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
|
||||
bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
|
||||
int HttpRequest::prefixLen() const STUB_RETVAL(0)
|
||||
void HttpRequest::swapOut(StoreEntry *) STUB
|
||||
-void HttpRequest::pack(Packable *) const STUB
|
||||
+void HttpRequest::pack(Packable *, bool) const STUB
|
||||
void HttpRequest::httpRequestPack(void *, Packable *) STUB
|
||||
HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
|
||||
HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
|
||||
10
squid.spec
10
squid.spec
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 6.10
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
# See CREDITS for breakdown of non GPLv2+ code
|
||||
@ -48,6 +48,10 @@ Patch208: squid-6.10-cache-peer-connect-errors.patch
|
||||
# https://issues.redhat.com/browse/RHEL-107994
|
||||
Patch209: squid-6.10-provider-keys-digest.patch
|
||||
|
||||
# Security patches
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2404736
|
||||
Patch500: squid-6.10-CVE-2025-62168.patch
|
||||
|
||||
# cache_swap.sh
|
||||
Requires: bash gawk
|
||||
# for httpd conf file - cachemgr script alias
|
||||
@ -331,6 +335,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Nov 10 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-9
|
||||
- Resolves: RHEL-122481 - squid: Squid vulnerable to information disclosure via
|
||||
authentication credential leakage in error handling (CVE-2025-62168)
|
||||
|
||||
* Fri Sep 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:6.10-8
|
||||
- Resolves: RHEL-107994 - squid does not work with post-quantum crypto
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user