Resolves: RHEL-160675 - squid:4/squid: Squid: Denial of Service

via crafted ICP traffic (CVE-2026-32748) Resolves: RHEL-160674 - squid:4/squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
2026-04-07 16:24:30 +02:00 · 2026-04-07 16:24:30 +02:00 · df165bd9a4
commit df165bd9a4
parent 5fbe9fa189
3 changed files with 213 additions and 1 deletions
--- a/squid-4.15-CVE-2026-32748.patch
+++ b/squid-4.15-CVE-2026-32748.patch
@ -0,0 +1,182 @@
+commit 0d9d86c3f2a79b2913edf2f5ed03ff3792c876ea
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Tue Apr 7 16:22:05 2026 +0200
+
+    Fix CVE-2026-32748
+
+diff --git a/src/ICP.h b/src/ICP.h
+index a45455b..aa3ab57 100644
+--- a/src/ICP.h
+++ b/src/ICP.h
+@@ -104,10 +104,7 @@ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+ 
+ /// \ingroup ServerProtocolICPAPI
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
+-
+-/// \ingroup ServerProtocolICPAPI
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
+HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from);
+@@ -122,7 +119,7 @@ int icpUdpSend(int, const Ip::Address &, icp_common_t *, const LogTags &, int);
+ LogTags icpLogFromICPCode(icp_opcode opcode);
+ 
+ /// \ingroup ServerProtocolICPAPI
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd);
+void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd);
+ 
+ /// \ingroup ServerProtocolICPAPI
+ PF icpHandleUdp;
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index eb63899..c167a5d 100644
+--- a/src/icp_v2.cc
+++ b/src/icp_v2.cc
+@@ -394,7 +394,7 @@ icpCreateAndSend(icp_opcode opcode, int flags, char const *url, int reqnum, int
+ }
+ 
+ void
+-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd)
+ {
+     debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << ".");
+ 
+@@ -409,8 +409,9 @@ icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+     }
+ }
+ 
+-bool
+-icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
+/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query
+static bool
+icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+ {
+     /* absent any explicit rules, we deny all */
+     if (!Config.accessList.icp)
+@@ -431,8 +432,8 @@ icpGetUrlToSend(char *url)
+         return url;
+ }
+ 
+-HttpRequest *
+-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+HttpRequest::Pointer
+icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from)
+ {
+     if (strpbrk(url, w_space)) {
+         icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from);
+@@ -440,12 +441,17 @@ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+     }
+ 
+     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcp);
+-    auto *result = HttpRequest::FromUrlXXX(url, mx);
+-    if (!result)
+-        icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from);
+-
+-    return result;
+    if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) {
+        if (!icpAccessAllowed(from, request.getRaw())) {
+            icpDenyAccess(from, url, reqnum, fd);
+            return nullptr;
+        }
+ 
+        return request;
+    }
+ 
+    icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
+    return nullptr;
+ }
+ 
+ static void
+@@ -456,18 +462,11 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     uint32_t flags = 0;
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    HTTPMSGLOCK(icp_request);
+-
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess(from, url, header.reqnum, fd);
+-        HTTPMSGUNLOCK(icp_request);
+-        return;
+-    }
+ #if USE_ICMP
+     if (header.flags & ICP_FLAG_SRC_RTT) {
+         rtt = netdbHostRtt(icp_request->url.host());
+@@ -480,7 +479,7 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ #endif /* USE_ICMP */
+ 
+     /* The peer is allowed to use this cache */
+-    ICP2State *state = new ICP2State(header, icp_request);
+    ICP2State *state = new ICP2State(header, icp_request.getRaw());
+     state->fd = fd;
+     state->from = from;
+     state->url = xstrdup(url);
+@@ -489,8 +488,6 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+     state->src_rtt = src_rtt;
+ 
+     StoreEntry::getPublic(state, url, Http::METHOD_GET);
+-
+-    HTTPMSGUNLOCK(icp_request);
+ }
+ 
+ void
+diff --git a/src/icp_v3.cc b/src/icp_v3.cc
+index 5dd6709..b48f7d8 100644
+--- a/src/icp_v3.cc
+++ b/src/icp_v3.cc
+@@ -36,19 +36,13 @@ doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ {
+     /* We have a valid packet */
+     char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+-    HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+    const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+ 
+     if (!icp_request)
+         return;
+ 
+-    if (!icpAccessAllowed(from, icp_request)) {
+-        icpDenyAccess (from, url, header.reqnum, fd);
+-        delete icp_request;
+-        return;
+-    }
+-
+     /* The peer is allowed to use this cache */
+-    ICP3State *state = new ICP3State (header, icp_request);
+    ICP3State *state = new ICP3State (header, icp_request.getRaw());
+     state->fd = fd;
+     state->from = from;
+     state->url = xstrdup(url);
+diff --git a/src/tests/stub_icp.cc b/src/tests/stub_icp.cc
+index 9c0f60f..4429ccb 100644
+--- a/src/tests/stub_icp.cc
+++ b/src/tests/stub_icp.cc
+@@ -8,6 +8,7 @@
+ 
+ #include "squid.h"
+ #include "comm/Connection.h"
+#include "HttpRequest.h"
+ #include "ICP.h"
+ 
+ #define STUB_API "icp_*.cc"
+@@ -27,13 +28,12 @@ Comm::ConnectionPointer icpIncomingConn;
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+ 
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) STUB_RETVAL(NULL)
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) STUB_RETVAL(false)
+HttpRequest::Pointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr)
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+ int icpUdpSend(int, const Ip::Address &, icp_common_t *, LogTags, int) STUB_RETVAL(0)
+ LogTags icpLogFromICPCode(icp_opcode opcode) STUB_RETVAL(LOG_TAG_NONE)
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd) STUB
+void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB
+ void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB
+ int icpCheckUdpHit(StoreEntry *, HttpRequest * request) STUB_RETVAL(0)
+ void icpConnectionsOpen(void) STUB
--- a/squid-4.15-CVE-2026-33526.patch
+++ b/squid-4.15-CVE-2026-33526.patch
@ -0,0 +1,18 @@
+commit 476f48d4c482e9e0e5ba457ad35175f70e71562b
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Tue Apr 7 16:18:09 2026 +0200
+
+    Fix CVE-2026-33526
+
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index 8d03bde..eb63899 100644
+--- a/src/icp_v2.cc
+++ b/src/icp_v2.cc
+@@ -435,7 +435,6 @@ HttpRequest *
+ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+ {
+     if (strpbrk(url, w_space)) {
+-        url = rfc1738_escape(url);
+         icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from);
+         return NULL;
+     }
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.9
+Release:  10%{?dist}.10
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -80,6 +80,10 @@ Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
 Patch314: squid-4.15-CVE-2024-23638.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2404736
 Patch315: squid-4.15-CVE-2025-62168.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451574
+Patch316: squid-4.15-CVE-2026-33526.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451577
+Patch317: squid-4.15-CVE-2026-32748.patch

 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@ -159,6 +163,8 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 %patch314 -p1 -b .CVE-2024-23638
 %patch315 -p1 -b .CVE-2025-62168
+%patch316 -p1 -b .CVE-2026-33526
+%patch317 -p1 -b .CVE-2026-32748

 # patch305 follow-up
 %patch212 -p1 -b .fatal-read-data-from-mem
@ -378,6 +384,12 @@ fi


 %changelog
+* Tue Apr 07 2026 Tomas Korbar <tkorbar@redhat.com> - 7:4.15-10.10
+- Resolves: RHEL-160675 - squid:4/squid: Squid: Denial of Service
+  via crafted ICP traffic (CVE-2026-32748)
+- Resolves: RHEL-160674 - squid:4/squid: Squid: Denial of Service
+  via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
+
 * Mon Oct 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.9
 - Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via
  authentication credential leakage in error handling (CVE-2025-62168)