diff --git a/SOURCES/squid-5.5-CVE-2022-41318.patch b/SOURCES/squid-5.5-CVE-2022-41318.patch new file mode 100644 index 0000000..cb303ad --- /dev/null +++ b/SOURCES/squid-5.5-CVE-2022-41318.patch @@ -0,0 +1,38 @@ +commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4) +Author: Amos Jeffries +Date: 2022-08-09 23:34:54 +0000 + + Bug 3193 pt2: NTLM decoder truncating strings (#1114) + + The initial bug fix overlooked large 'offset' causing integer + wrap to extract a too-short length string. + + Improve debugs and checks sequence to clarify cases and ensure + that all are handled correctly. + +diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc +index 5d9637290..f00fd51f8 100644 +--- a/lib/ntlmauth/ntlmauth.cc ++++ b/lib/ntlmauth/ntlmauth.cc +@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr + int32_t o = le32toh(str->offset); + // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); + +- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { +- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { ++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); + return rv; + } ++ else if (o <= 0 || o > packet_size) { ++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ return rv; ++ } ++ else if (l > packet_size - o) { ++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ return rv; ++ } ++ + rv.str = (char *)packet + o; + rv.l = 0; + if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { diff --git a/SOURCES/squid-5.5-ip-bind-address-no-port.patch b/SOURCES/squid-5.5-ip-bind-address-no-port.patch new file mode 100644 index 0000000..55d9597 --- /dev/null +++ b/SOURCES/squid-5.5-ip-bind-address-no-port.patch @@ -0,0 +1,156 @@ +commit c54122584d175cf1d292b239a5b70f2d1aa77c3a +Author: Tomas Korbar +Date: Mon Dec 5 15:03:07 2022 +0100 + + Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections + +diff --git a/src/comm.cc b/src/comm.cc +index b4818f3..b18d175 100644 +--- a/src/comm.cc ++++ b/src/comm.cc +@@ -59,6 +59,7 @@ + */ + + static IOCB commHalfClosedReader; ++static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note); + static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI); + static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI); + +@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck; + static void commPlanHalfClosedCheck(); + + static Comm::Flag commBind(int s, struct addrinfo &); ++static void commSetBindAddressNoPort(int); + static void commSetReuseAddr(int); + static void commSetNoLinger(int); + #ifdef TCP_NODELAY +@@ -202,6 +204,22 @@ comm_local_port(int fd) + return F->local_addr.port(); + } + ++/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port ++/// reuse by outgoing TCP connections that must bind(2) to a source IP address ++static void ++commSetBindAddressNoPort(const int fd) ++{ ++#if defined(IP_BIND_ADDRESS_NO_PORT) ++ int flag = 1; ++ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast(&flag), sizeof(flag)) < 0) { ++ const auto savedErrno = errno; ++ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno)); ++ } ++#else ++ (void)fd; ++#endif ++} ++ + static Comm::Flag + commBind(int s, struct addrinfo &inaddr) + { +@@ -228,6 +246,10 @@ comm_open(int sock_type, + int flags, + const char *note) + { ++ // assume zero-port callers do not need to know the assigned port right away ++ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr())) ++ flags |= COMM_DOBIND_PORT_LATER; ++ + return comm_openex(sock_type, proto, addr, flags, note); + } + +@@ -329,7 +351,7 @@ comm_set_transparent(int fd) + * Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE + * is OR of flags specified in defines.h:COMM_* + */ +-int ++static int + comm_openex(int sock_type, + int proto, + Ip::Address &addr, +@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket, + } + } + #endif ++ if ((flags & COMM_DOBIND_PORT_LATER)) ++ commSetBindAddressNoPort(new_socket); ++ + if (commBind(new_socket, *AI) != Comm::OK) { + comm_close(new_socket); + return -1; +diff --git a/src/comm.h b/src/comm.h +index 5a1a7c2..a9f33db 100644 +--- a/src/comm.h ++++ b/src/comm.h +@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + + /** + * Open a port specially bound for listening or sending through a specific port. +- * This is a wrapper providing IPv4/IPv6 failover around comm_openex(). + * Please use for all listening sockets and bind() outbound sockets. + * + * It will open a socket bound for: +@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note); + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note); + +-int comm_openex(int, int, Ip::Address &, int, const char *); + unsigned short comm_local_port(int fd); + + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen); +diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc +index 19c1237..79fa2ed 100644 +--- a/src/comm/ConnOpener.cc ++++ b/src/comm/ConnOpener.cc +@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd() + if (callback_ == NULL || callback_->canceled()) + return false; + +- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); ++ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_); + if (temporaryFd_ < 0) { + sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd"); + return false; +diff --git a/src/comm/Connection.h b/src/comm/Connection.h +index 40c2249..2641f4e 100644 +--- a/src/comm/Connection.h ++++ b/src/comm/Connection.h +@@ -52,6 +52,8 @@ namespace Comm + #define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT + /// not registered with Comm and not owned by any connection-closing code + #define COMM_ORPHANED 0x40 ++/// Internal Comm optimization: Keep the source port unassigned until connect(2) ++#define COMM_DOBIND_PORT_LATER 0x100 + + /** + * Store data about the physical and logical attributes of a connection. +diff --git a/src/ipc.cc b/src/ipc.cc +index 45cab52..42e11e6 100644 +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name + } else void(0) + + if (type == IPC_TCP_SOCKET) { +- crfd = cwfd = comm_open(SOCK_STREAM, ++ crfd = cwfd = comm_open_listener(SOCK_STREAM, + 0, + local_addr, + COMM_NOCLOEXEC, + name); +- prfd = pwfd = comm_open(SOCK_STREAM, ++ prfd = pwfd = comm_open_listener(SOCK_STREAM, + 0, /* protocol */ + local_addr, + 0, /* blocking */ +diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc +index a1d33d6..bf4bea6 100644 +--- a/src/tests/stub_comm.cc ++++ b/src/tests/stub_comm.cc +@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags) + void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB + int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1) + void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB +-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1) + unsigned short comm_local_port(int fd) STUB_RETVAL(0) + int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1) + void commCallCloseHandlers(int fd) STUB diff --git a/SOURCES/squid.sysusers b/SOURCES/squid.sysusers new file mode 100644 index 0000000..f9cc56b --- /dev/null +++ b/SOURCES/squid.sysusers @@ -0,0 +1,2 @@ +g squid 23 - +u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin diff --git a/SPECS/squid.spec b/SPECS/squid.spec index 6a230c0..d85bec4 100644 --- a/SPECS/squid.spec +++ b/SPECS/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 5.5 -Release: 2%{?dist} +Release: 5%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -18,12 +18,15 @@ Source5: squid.pam Source6: squid.nm Source7: squid.service Source8: cache_swap.sh +Source9: squid.sysusers Source98: perl-requires-squid.sh # Upstream patches # Backported patches +Patch101: squid-5.5-ip-bind-address-no-port.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2151188 # Local patches # Applying upstream patches first makes it less likely that local patches @@ -45,15 +48,14 @@ Patch208: squid-5.1-test-store-cppsuite.patch # Security patches # https://bugzilla.redhat.com/show_bug.cgi?id=2100721 Patch501: squid-5.5-CVE-2021-46784.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2129771 +Patch502: squid-5.5-CVE-2022-41318.patch # cache_swap.sh Requires: bash gawk # for httpd conf file - cachemgr script alias Requires: httpd-filesystem -Requires(pre): shadow-utils -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd + # squid_ldap_auth and other LDAP helpers require OpenLDAP BuildRequires: make BuildRequires: openldap-devel @@ -85,6 +87,8 @@ BuildRequires: systemd-rpm-macros # systemd notify BuildRequires: systemd-devel +%{?systemd_requires} +%{?sysusers_requires_compat} # Old NetworkManager expects the dispatcher scripts in a different place Conflicts: NetworkManager < 1.20 @@ -108,6 +112,7 @@ lookup program (dnsserver), a program for retrieving FTP data # Upstream patches # Backported patches +%patch101 -p1 -b .ip-bind-address-no-port # Local patches %patch201 -p1 -b .config @@ -120,6 +125,7 @@ lookup program (dnsserver), a program for retrieving FTP data %patch208 -p1 -b .test-store-cpp %patch501 -p1 -b .CVE-2021-46784 +%patch502 -p1 -b .CVE-2022-41318 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -239,6 +245,8 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented # remove unpackaged files from the buildroot rm -f $RPM_BUILD_ROOT/squid.httpd.tmp +# sysusers.d +install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf %files %license COPYING @@ -280,15 +288,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp %{_libdir}/squid/* %{_datadir}/snmp/mibs/SQUID-MIB.txt %{_tmpfilesdir}/squid.conf +%{_sysusersdir}/squid.conf %pre -if ! getent group squid >/dev/null 2>&1; then - /usr/sbin/groupadd -g 23 squid -fi - -if ! getent passwd squid >/dev/null 2>&1 ; then - /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 -fi +%sysusers_create_compat %{SOURCE9} for i in /var/log/squid /var/spool/squid ; do if [ -d $i ] ; then @@ -331,8 +334,6 @@ do end end - - %post %systemd_post squid.service @@ -351,6 +352,17 @@ fi %changelog +* Tue Dec 06 2022 Tomas Korbar - 7:5.5-5 +- Resolves: #2151188 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT" + flag to sockets created for outgoing connections in the squid source code. + +* Mon Nov 07 2022 Luboš Uhliarik - 7:5.5-4 +- Resolves: #2095468 - [RFE] squid use systemd-sysusers + +* Mon Nov 07 2022 Luboš Uhliarik - 7:5.5-3 +- Resolves: #2130253 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB + authentication + * Mon Jul 11 2022 Luboš Uhliarik - 7:5.5-2 - Resolves: #2100785 - CVE-2021-46784 squid: DoS when processing gopher server responses