From df165bd9a44d9d98f92108d815d4aeb89b4101ee Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Tue, 7 Apr 2026 16:24:30 +0200
Subject: [PATCH] Resolves: RHEL-160675 - squid:4/squid: Squid: Denial of Service via crafted ICP traffic (CVE-2026-32748) Resolves: RHEL-160674 - squid:4/squid: Squid: Denial of Service via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
---
 squid-4.15-CVE-2026-32748.patch | 182 ++++++++++++++++++++++++++++++++
 squid-4.15-CVE-2026-33526.patch | 18 ++++
 squid.spec | 14 ++-
 3 files changed, 213 insertions(+), 1 deletion(-)
 create mode 100644 squid-4.15-CVE-2026-32748.patch
 create mode 100644 squid-4.15-CVE-2026-33526.patch
diff --git a/squid-4.15-CVE-2026-32748.patch b/squid-4.15-CVE-2026-32748.patch
new file mode 100644
index 0000000..4d7a469
--- /dev/null
+++ b/squid-4.15-CVE-2026-32748.patch
@@ -0,0 +1,182 @@
+commit 0d9d86c3f2a79b2913edf2f5ed03ff3792c876ea
+Author: Tomas Korbar
+Date: Tue Apr 7 16:22:05 2026 +0200
+
+ Fix CVE-2026-32748
+
+diff --git a/src/ICP.h b/src/ICP.h
+index a45455b..aa3ab57 100644
+--- a/src/ICP.h
++++ b/src/ICP.h
+@@ -104,10 +104,7 @@ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+
+ /// \ingroup ServerProtocolICPAPI
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
+-
+-/// \ingroup ServerProtocolICPAPI
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
++HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+
+ /// \ingroup ServerProtocolICPAPI
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from);
+@@ -122,7 +119,7 @@ int icpUdpSend(int, const Ip::Address &, icp_common_t *, const LogTags &, int);
+ LogTags icpLogFromICPCode(icp_opcode opcode);
+
+ /// \ingroup ServerProtocolICPAPI
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd);
++void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd);
+
+ /// \ingroup ServerProtocolICPAPI
+ PF icpHandleUdp;
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index eb63899..c167a5d 100644
+--- a/src/icp_v2.cc
++++ b/src/icp_v2.cc
+@@ -394,7 +394,7 @@ icpCreateAndSend(icp_opcode opcode, int flags, char const *url, int reqnum, int
+ }
+
+ void
+-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
++icpDenyAccess(const Ip::Address &from, const char * const url, const int reqnum, const int fd)
+ {
+ debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << ".");
+
+@@ -409,8 +409,9 @@ icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
+ }
+ }
+
+-bool
+-icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
++/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query
++static bool
++icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+ {
+ /* absent any explicit rules, we deny all */
+ if (!Config.accessList.icp)
+@@ -431,8 +432,8 @@ icpGetUrlToSend(char *url)
+ return url;
+ }
+
+-HttpRequest *
+-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
++HttpRequest::Pointer
++icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from)
+ {
+ if (strpbrk(url, w_space)) {
+ icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from);
+@@ -440,12 +441,17 @@ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+ }
+
+ const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcp);
+- auto *result = HttpRequest::FromUrlXXX(url, mx);
+- if (!result)
+- icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from);
+-
+- return result;
++ if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) {
++ if (!icpAccessAllowed(from, request.getRaw())) {
++ icpDenyAccess(from, url, reqnum, fd);
++ return nullptr;
++ }
+
++ return request;
++ }
++
++ icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
++ return nullptr;
+ }
+
+ static void
+@@ -456,18 +462,11 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ uint32_t flags = 0;
+ /* We have a valid packet */
+ char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+- HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
++ const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+
+ if (!icp_request)
+ return;
+
+- HTTPMSGLOCK(icp_request);
+-
+- if (!icpAccessAllowed(from, icp_request)) {
+- icpDenyAccess(from, url, header.reqnum, fd);
+- HTTPMSGUNLOCK(icp_request);
+- return;
+- }
+ #if USE_ICMP
+ if (header.flags & ICP_FLAG_SRC_RTT) {
+ rtt = netdbHostRtt(icp_request->url.host());
+@@ -480,7 +479,7 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ #endif /* USE_ICMP */
+
+ /* The peer is allowed to use this cache */
+- ICP2State *state = new ICP2State(header, icp_request);
++ ICP2State *state = new ICP2State(header, icp_request.getRaw());
+ state->fd = fd;
+ state->from = from;
+ state->url = xstrdup(url);
+@@ -489,8 +488,6 @@ doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ state->src_rtt = src_rtt;
+
+ StoreEntry::getPublic(state, url, Http::METHOD_GET);
+-
+- HTTPMSGUNLOCK(icp_request);
+ }
+
+ void
+diff --git a/src/icp_v3.cc b/src/icp_v3.cc
+index 5dd6709..b48f7d8 100644
+--- a/src/icp_v3.cc
++++ b/src/icp_v3.cc
+@@ -36,19 +36,13 @@ doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
+ {
+ /* We have a valid packet */
+ char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+- HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
++ const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+
+ if (!icp_request)
+ return;
+
+- if (!icpAccessAllowed(from, icp_request)) {
+- icpDenyAccess (from, url, header.reqnum, fd);
+- delete icp_request;
+- return;
+- }
+-
+ /* The peer is allowed to use this cache */
+- ICP3State *state = new ICP3State (header, icp_request);
++ ICP3State *state = new ICP3State (header, icp_request.getRaw());
+ state->fd = fd;
+ state->from = from;
+ state->url = xstrdup(url);
+diff --git a/src/tests/stub_icp.cc b/src/tests/stub_icp.cc
+index 9c0f60f..4429ccb 100644
+--- a/src/tests/stub_icp.cc
++++ b/src/tests/stub_icp.cc
+@@ -8,6 +8,7 @@
+
+ #include "squid.h"
+ #include "comm/Connection.h"
++#include "HttpRequest.h"
+ #include "ICP.h"
+
+ #define STUB_API "icp_*.cc"
+@@ -27,13 +28,12 @@ Comm::ConnectionPointer icpIncomingConn;
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) STUB_RETVAL(NULL)
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) STUB_RETVAL(false)
++HttpRequest::Pointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr)
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+ int icpUdpSend(int, const Ip::Address &, icp_common_t *, LogTags, int) STUB_RETVAL(0)
+ LogTags icpLogFromICPCode(icp_opcode opcode) STUB_RETVAL(LOG_TAG_NONE)
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd) STUB
++void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB
+ void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB
+ int icpCheckUdpHit(StoreEntry *, HttpRequest * request) STUB_RETVAL(0)
+ void icpConnectionsOpen(void) STUB
diff --git a/squid-4.15-CVE-2026-33526.patch b/squid-4.15-CVE-2026-33526.patch
new file mode 100644
index 0000000..b3ae5c5
--- /dev/null
+++ b/squid-4.15-CVE-2026-33526.patch
@@ -0,0 +1,18 @@
+commit 476f48d4c482e9e0e5ba457ad35175f70e71562b
+Author: Tomas Korbar
+Date: Tue Apr 7 16:18:09 2026 +0200
+
+ Fix CVE-2026-33526
+
+diff --git a/src/icp_v2.cc b/src/icp_v2.cc
+index 8d03bde..eb63899 100644
+--- a/src/icp_v2.cc
++++ b/src/icp_v2.cc
+@@ -435,7 +435,6 @@ HttpRequest *
+ icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
+ {
+ if (strpbrk(url, w_space)) {
+- url = rfc1738_escape(url);
+ icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from);
+ return NULL;
+ }
diff --git a/squid.spec b/squid.spec
index 7e4f1f0..67ab9e5 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 4.15
-Release: 10%{?dist}.9
+Release: 10%{?dist}.10
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
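Review bot: In the squid-4.15-CVE-2026-32748.patch hunk for src/icp_v2.cc, the new fallback at the end of icpGetRequest() calls `icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);` with eight arguments, but the prototype left as context in src/ICP.h and the stub in src/tests/stub_icp.cc both stop at `const Ip::Address &from`. Unless another downstream patch adds an eighth parameter, the build fails here; the trailing `nullptr` looks carried over from a newer branch, and the call should be `icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from);`, matching the whitespace-rejection call earlier in the same function. Since the access check now lives inside icpGetRequest(), I would also document the contract on its declaration, e.g. `/// \returns nil after answering the sender itself (ICP_ERR or icpDenyAccess()); a non-nil request has passed icpAccessAllowed()`, so that doV2Query() and doV3Query() are not later given a second, diverging check.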
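Review bot: Nothing in the squid-4.15-CVE-2026-33526.patch hunk records why `url` must not be overwritten with the escaped string, so the deleted line could easily come back in a later cleanup. As far as I know, rfc1738_escape() returns storage that it reuses (and may reallocate) on its next call, which is why passing its own result back in was unsafe. A comment above the remaining call, `/* rfc1738_escape() returns reused storage: escape the original url once, never a previous result */`, would capture that. icpGetRequest() continues below the hunk, and Patch317 uses these lines as context, so adding the comment means refreshing that patch too.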
@@ -80,6 +80,10 @@ Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
 Patch314: squid-4.15-CVE-2024-23638.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2404736
 Patch315: squid-4.15-CVE-2025-62168.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451574
+Patch316: squid-4.15-CVE-2026-33526.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2451577
+Patch317: squid-4.15-CVE-2026-32748.patch
 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@@ -159,6 +163,8 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 %patch314 -p1 -b .CVE-2024-23638
 %patch315 -p1 -b .CVE-2025-62168
+%patch316 -p1 -b .CVE-2026-33526
+%patch317 -p1 -b .CVE-2026-32748
 # patch305 follow-up
 %patch212 -p1 -b .fatal-read-data-from-mem
@@ -378,6 +384,12 @@ fi
 %changelog
+* Tue Apr 07 2026 Tomas Korbar - 7:4.15-10.10
+- Resolves: RHEL-160675 - squid:4/squid: Squid: Denial of Service
+ via crafted ICP traffic (CVE-2026-32748)
+- Resolves: RHEL-160674 - squid:4/squid: Squid: Denial of Service
+ via heap Use-After-Free vulnerability in ICP handling (CVE-2026-33526)
+
 * Mon Oct 20 2025 Luboš Uhliarik - 7:4.15-10.9
 - Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via authentication credential leakage in error handling (CVE-2025-62168)