Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of

Service (CVE-2024-37894) Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against Cache Manager error responses (CVE-2024-23638)
2024-07-01 15:19:15 +02:00 · 2024-07-01 15:19:15 +02:00 · dd9c76343a
commit dd9c76343a
parent c606686d6e
3 changed files with 56 additions and 2 deletions
--- a/squid-5.5-CVE-2024-23638.patch
+++ b/squid-5.5-CVE-2024-23638.patch
@ -0,0 +1,30 @@
 commit 8fcff9c09824b18628f010d26a04247f6a6cbcb8
 Author: Alex Rousskov <rousskov@measurement-factory.com>
 Date:   Sun Nov 12 09:33:20 2023 +0000
    Do not update StoreEntry expiration after errorAppendEntry() (#1580)
    errorAppendEntry() is responsible for setting entry expiration times,
    which it does by calling StoreEntry::storeErrorResponse() that calls
    StoreEntry::negativeCache().
    This change was triggered by a vulnerability report by Joshua Rogers at
    https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
    it was filed as "Use-After-Free in Cache Manager Errors". The reported
    "use after free" vulnerability was unknowingly addressed by 2022 commit
    1fa761a that removed excessively long "reentrant" store_client calls
    responsible for the disappearance of the properly locked StoreEntry in
    this (and probably other) contexts.
 diff --git a/src/cache_manager.cc b/src/cache_manager.cc
 index 61c7f65be..65bf22dd0 100644
 --- a/src/cache_manager.cc
 +++ b/src/cache_manager.cc
@@ -326,7 +326,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
         err->url = xstrdup(entry->url());
         err->detailError(new ExceptionErrorDetail(Here().id()));
         errorAppendEntry(entry, err);
 -        entry->expires = squid_curtime;
         return;
     }
--- a/squid-5.5-CVE-2024-37894.patch
+++ b/squid-5.5-CVE-2024-37894.patch
@ -0,0 +1,13 @@
 diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc
 index b379856..5d87279 100644
 --- a/lib/libTrie/TrieNode.cc
 +++ b/lib/libTrie/TrieNode.cc
@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar
     /* We trust that privatedata and existant keys have already been checked */
     if (theLength) {
 -        int index = transform ? (*transform)(*aString): *aString;
 +        const unsigned char index = transform ? (*transform)(*aString): *aString;
         if (!internal[index])
             internal[index] = new TrieNode;
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  5.5
-Release:  13%{?dist}
+Release:  14%{?dist}
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -76,7 +76,10 @@ Patch511: squid-5.5-CVE-2023-50269.patch
 Patch512: squid-5.5-CVE-2024-25617.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2268366
 Patch513: squid-5.5-CVE-2024-25111.patch
-
+# https://bugzilla.redhat.com/show_bug.cgi?id=2294353
 Patch514: squid-5.5-CVE-2024-37894.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2260051
 Patch515: squid-5.5-CVE-2024-23638.patch
 # cache_swap.sh
 Requires: bash gawk
@ -166,6 +169,8 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch511 -p1 -b .CVE-2023-50269
 %patch512 -p1 -b .CVE-2024-25617
 %patch513 -p1 -b .CVE-2024-25111
 %patch514 -p1 -b .CVE-2024-37894
 %patch515 -p1 -b .CVE-2024-23638
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
@ -393,6 +398,12 @@ fi
 %changelog
 * Mon Jul 01 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-14
 - Resolves: RHEL-45057 - squid: Out-of-bounds write error may lead to Denial of 
  Service (CVE-2024-37894)
 - Resolves: RHEL-22594 - squid: vulnerable to a Denial of Service attack against
  Cache Manager error responses (CVE-2024-23638)
 * Thu May 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-13
 - Resolves: RHEL-30352 - squid v5 crashes with SIGABRT when ipv6 is disabled
  at kernel level but it is asked to connect to an ipv6 address by a client