From dd9c76343ac1d2abc5ba70c6f7dd1b9a0e3b2f39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 1 Jul 2024 15:19:15 +0200 Subject: [PATCH] Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of Service (CVE-2024-37894) Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against Cache Manager error responses (CVE-2024-23638) --- squid-5.5-CVE-2024-23638.patch | 30 ++++++++++++++++++++++++++++++ squid-5.5-CVE-2024-37894.patch | 13 +++++++++++++ squid.spec | 15 +++++++++++++-- 3 files changed, 56 insertions(+), 2 deletions(-) create mode 100644 squid-5.5-CVE-2024-23638.patch create mode 100644 squid-5.5-CVE-2024-37894.patch diff --git a/squid-5.5-CVE-2024-23638.patch b/squid-5.5-CVE-2024-23638.patch new file mode 100644 index 0000000..16b246e --- /dev/null +++ b/squid-5.5-CVE-2024-23638.patch @@ -0,0 +1,30 @@ +commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8 +Author: Alex Rousskov +Date: Sun Nov 12 09:33:20 2023 +0000 + + Do not update StoreEntry expiration after errorAppendEntry() (#1580) + + errorAppendEntry() is responsible for setting entry expiration times, + which it does by calling StoreEntry::storeErrorResponse() that calls + StoreEntry::negativeCache(). + + This change was triggered by a vulnerability report by Joshua Rogers at + https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where + it was filed as "Use-After-Free in Cache Manager Errors". The reported + "use after free" vulnerability was unknowingly addressed by 2022 commit + 1fa761a that removed excessively long "reentrant" store_client calls + responsible for the disappearance of the properly locked StoreEntry in + this (and probably other) contexts. + +diff --git a/src/cache_manager.cc b/src/cache_manager.cc +index 61c7f65be..65bf22dd0 100644 +--- a/src/cache_manager.cc ++++ b/src/cache_manager.cc +@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request, + err->url = xstrdup(entry->url()); + err->detailError(new ExceptionErrorDetail(Here().id())); + errorAppendEntry(entry, err); +- entry->expires = squid_curtime; + return; + } + diff --git a/squid-5.5-CVE-2024-37894.patch b/squid-5.5-CVE-2024-37894.patch new file mode 100644 index 0000000..f8352a9 --- /dev/null +++ b/squid-5.5-CVE-2024-37894.patch @@ -0,0 +1,13 @@ +diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc +index b379856..5d87279 100644 +--- a/lib/libTrie/TrieNode.cc ++++ b/lib/libTrie/TrieNode.cc +@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar + /* We trust that privatedata and existant keys have already been checked */ + + if (theLength) { +- int index = transform ? (*transform)(*aString): *aString; ++ const unsigned char index = transform ? (*transform)(*aString): *aString; + + if (!internal[index]) + internal[index] = new TrieNode; diff --git a/squid.spec b/squid.spec index c779c3c..9879588 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.5 -Release: 13%{?dist} +Release: 14%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -76,7 +76,10 @@ Patch511: squid-5.5-CVE-2023-50269.patch Patch512: squid-5.5-CVE-2024-25617.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2268366 Patch513: squid-5.5-CVE-2024-25111.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=2294353 +Patch514: squid-5.5-CVE-2024-37894.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2260051 +Patch515: squid-5.5-CVE-2024-23638.patch # cache_swap.sh Requires: bash gawk @@ -166,6 +169,8 @@ lookup program (dnsserver), a program for retrieving FTP data %patch511 -p1 -b .CVE-2023-50269 %patch512 -p1 -b .CVE-2024-25617 %patch513 -p1 -b .CVE-2024-25111 +%patch514 -p1 -b .CVE-2024-37894 +%patch515 -p1 -b .CVE-2024-23638 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 @@ -393,6 +398,12 @@ fi %changelog +* Mon Jul 01 2024 Luboš Uhliarik - 7:5.5-14 +- Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of + Service (CVE-2024-37894) +- Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against + Cache Manager error responses (CVE-2024-23638) + * Thu May 09 2024 Luboš Uhliarik - 7:5.5-13 - Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled at kernel level but it is asked to connect to an ipv6 address by a client