import squid-5.5-5.el9
This commit is contained in:
parent
c960196416
commit
ea69b16138
38
SOURCES/squid-5.5-CVE-2022-41318.patch
Normal file
38
SOURCES/squid-5.5-CVE-2022-41318.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
commit 4031c6c2b004190fdffbc19dab7cd0305a2025b7 (refs/remotes/origin/v4, refs/remotes/github/v4, refs/heads/v4)
|
||||||
|
Author: Amos Jeffries <yadij@users.noreply.github.com>
|
||||||
|
Date: 2022-08-09 23:34:54 +0000
|
||||||
|
|
||||||
|
Bug 3193 pt2: NTLM decoder truncating strings (#1114)
|
||||||
|
|
||||||
|
The initial bug fix overlooked large 'offset' causing integer
|
||||||
|
wrap to extract a too-short length string.
|
||||||
|
|
||||||
|
Improve debugs and checks sequence to clarify cases and ensure
|
||||||
|
that all are handled correctly.
|
||||||
|
|
||||||
|
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
|
||||||
|
index 5d9637290..f00fd51f8 100644
|
||||||
|
--- a/lib/ntlmauth/ntlmauth.cc
|
||||||
|
+++ b/lib/ntlmauth/ntlmauth.cc
|
||||||
|
@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
|
||||||
|
int32_t o = le32toh(str->offset);
|
||||||
|
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
|
||||||
|
|
||||||
|
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
|
||||||
|
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||||
|
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
|
||||||
|
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||||
|
return rv;
|
||||||
|
}
|
||||||
|
+ else if (o <= 0 || o > packet_size) {
|
||||||
|
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||||
|
+ return rv;
|
||||||
|
+ }
|
||||||
|
+ else if (l > packet_size - o) {
|
||||||
|
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
||||||
|
+ return rv;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rv.str = (char *)packet + o;
|
||||||
|
rv.l = 0;
|
||||||
|
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
|
156
SOURCES/squid-5.5-ip-bind-address-no-port.patch
Normal file
156
SOURCES/squid-5.5-ip-bind-address-no-port.patch
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
commit c54122584d175cf1d292b239a5b70f2d1aa77c3a
|
||||||
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||||
|
Date: Mon Dec 5 15:03:07 2022 +0100
|
||||||
|
|
||||||
|
Backport adding IP_BIND_ADDRESS_NO_PORT flag to outgoing connections
|
||||||
|
|
||||||
|
diff --git a/src/comm.cc b/src/comm.cc
|
||||||
|
index b4818f3..b18d175 100644
|
||||||
|
--- a/src/comm.cc
|
||||||
|
+++ b/src/comm.cc
|
||||||
|
@@ -59,6 +59,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
static IOCB commHalfClosedReader;
|
||||||
|
+static int comm_openex(int sock_type, int proto, Ip::Address &, int flags, const char *note);
|
||||||
|
static void comm_init_opened(const Comm::ConnectionPointer &conn, const char *note, struct addrinfo *AI);
|
||||||
|
static int comm_apply_flags(int new_socket, Ip::Address &addr, int flags, struct addrinfo *AI);
|
||||||
|
|
||||||
|
@@ -76,6 +77,7 @@ static EVH commHalfClosedCheck;
|
||||||
|
static void commPlanHalfClosedCheck();
|
||||||
|
|
||||||
|
static Comm::Flag commBind(int s, struct addrinfo &);
|
||||||
|
+static void commSetBindAddressNoPort(int);
|
||||||
|
static void commSetReuseAddr(int);
|
||||||
|
static void commSetNoLinger(int);
|
||||||
|
#ifdef TCP_NODELAY
|
||||||
|
@@ -202,6 +204,22 @@ comm_local_port(int fd)
|
||||||
|
return F->local_addr.port();
|
||||||
|
}
|
||||||
|
|
||||||
|
+/// sets the IP_BIND_ADDRESS_NO_PORT socket option to optimize ephemeral port
|
||||||
|
+/// reuse by outgoing TCP connections that must bind(2) to a source IP address
|
||||||
|
+static void
|
||||||
|
+commSetBindAddressNoPort(const int fd)
|
||||||
|
+{
|
||||||
|
+#if defined(IP_BIND_ADDRESS_NO_PORT)
|
||||||
|
+ int flag = 1;
|
||||||
|
+ if (setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, reinterpret_cast<char*>(&flag), sizeof(flag)) < 0) {
|
||||||
|
+ const auto savedErrno = errno;
|
||||||
|
+ debugs(50, DBG_IMPORTANT, "ERROR: setsockopt(IP_BIND_ADDRESS_NO_PORT) failure: " << xstrerr(savedErrno));
|
||||||
|
+ }
|
||||||
|
+#else
|
||||||
|
+ (void)fd;
|
||||||
|
+#endif
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static Comm::Flag
|
||||||
|
commBind(int s, struct addrinfo &inaddr)
|
||||||
|
{
|
||||||
|
@@ -228,6 +246,10 @@ comm_open(int sock_type,
|
||||||
|
int flags,
|
||||||
|
const char *note)
|
||||||
|
{
|
||||||
|
+ // assume zero-port callers do not need to know the assigned port right away
|
||||||
|
+ if (sock_type == SOCK_STREAM && addr.port() == 0 && ((flags & COMM_DOBIND) || !addr.isAnyAddr()))
|
||||||
|
+ flags |= COMM_DOBIND_PORT_LATER;
|
||||||
|
+
|
||||||
|
return comm_openex(sock_type, proto, addr, flags, note);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -329,7 +351,7 @@ comm_set_transparent(int fd)
|
||||||
|
* Create a socket. Default is blocking, stream (TCP) socket. IO_TYPE
|
||||||
|
* is OR of flags specified in defines.h:COMM_*
|
||||||
|
*/
|
||||||
|
-int
|
||||||
|
+static int
|
||||||
|
comm_openex(int sock_type,
|
||||||
|
int proto,
|
||||||
|
Ip::Address &addr,
|
||||||
|
@@ -488,6 +510,9 @@ comm_apply_flags(int new_socket,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+ if ((flags & COMM_DOBIND_PORT_LATER))
|
||||||
|
+ commSetBindAddressNoPort(new_socket);
|
||||||
|
+
|
||||||
|
if (commBind(new_socket, *AI) != Comm::OK) {
|
||||||
|
comm_close(new_socket);
|
||||||
|
return -1;
|
||||||
|
diff --git a/src/comm.h b/src/comm.h
|
||||||
|
index 5a1a7c2..a9f33db 100644
|
||||||
|
--- a/src/comm.h
|
||||||
|
+++ b/src/comm.h
|
||||||
|
@@ -43,7 +43,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Open a port specially bound for listening or sending through a specific port.
|
||||||
|
- * This is a wrapper providing IPv4/IPv6 failover around comm_openex().
|
||||||
|
* Please use for all listening sockets and bind() outbound sockets.
|
||||||
|
*
|
||||||
|
* It will open a socket bound for:
|
||||||
|
@@ -59,7 +58,6 @@ void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struc
|
||||||
|
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note);
|
||||||
|
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note);
|
||||||
|
|
||||||
|
-int comm_openex(int, int, Ip::Address &, int, const char *);
|
||||||
|
unsigned short comm_local_port(int fd);
|
||||||
|
|
||||||
|
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen);
|
||||||
|
diff --git a/src/comm/ConnOpener.cc b/src/comm/ConnOpener.cc
|
||||||
|
index 19c1237..79fa2ed 100644
|
||||||
|
--- a/src/comm/ConnOpener.cc
|
||||||
|
+++ b/src/comm/ConnOpener.cc
|
||||||
|
@@ -285,7 +285,7 @@ Comm::ConnOpener::createFd()
|
||||||
|
if (callback_ == NULL || callback_->canceled())
|
||||||
|
return false;
|
||||||
|
|
||||||
|
- temporaryFd_ = comm_openex(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||||
|
+ temporaryFd_ = comm_open(SOCK_STREAM, IPPROTO_TCP, conn_->local, conn_->flags, host_);
|
||||||
|
if (temporaryFd_ < 0) {
|
||||||
|
sendAnswer(Comm::ERR_CONNECT, 0, "Comm::ConnOpener::createFd");
|
||||||
|
return false;
|
||||||
|
diff --git a/src/comm/Connection.h b/src/comm/Connection.h
|
||||||
|
index 40c2249..2641f4e 100644
|
||||||
|
--- a/src/comm/Connection.h
|
||||||
|
+++ b/src/comm/Connection.h
|
||||||
|
@@ -52,6 +52,8 @@ namespace Comm
|
||||||
|
#define COMM_REUSEPORT 0x40 //< needs SO_REUSEPORT
|
||||||
|
/// not registered with Comm and not owned by any connection-closing code
|
||||||
|
#define COMM_ORPHANED 0x40
|
||||||
|
+/// Internal Comm optimization: Keep the source port unassigned until connect(2)
|
||||||
|
+#define COMM_DOBIND_PORT_LATER 0x100
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Store data about the physical and logical attributes of a connection.
|
||||||
|
diff --git a/src/ipc.cc b/src/ipc.cc
|
||||||
|
index 45cab52..42e11e6 100644
|
||||||
|
--- a/src/ipc.cc
|
||||||
|
+++ b/src/ipc.cc
|
||||||
|
@@ -95,12 +95,12 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
|
||||||
|
} else void(0)
|
||||||
|
|
||||||
|
if (type == IPC_TCP_SOCKET) {
|
||||||
|
- crfd = cwfd = comm_open(SOCK_STREAM,
|
||||||
|
+ crfd = cwfd = comm_open_listener(SOCK_STREAM,
|
||||||
|
0,
|
||||||
|
local_addr,
|
||||||
|
COMM_NOCLOEXEC,
|
||||||
|
name);
|
||||||
|
- prfd = pwfd = comm_open(SOCK_STREAM,
|
||||||
|
+ prfd = pwfd = comm_open_listener(SOCK_STREAM,
|
||||||
|
0, /* protocol */
|
||||||
|
local_addr,
|
||||||
|
0, /* blocking */
|
||||||
|
diff --git a/src/tests/stub_comm.cc b/src/tests/stub_comm.cc
|
||||||
|
index a1d33d6..bf4bea6 100644
|
||||||
|
--- a/src/tests/stub_comm.cc
|
||||||
|
+++ b/src/tests/stub_comm.cc
|
||||||
|
@@ -48,7 +48,6 @@ int comm_open_uds(int sock_type, int proto, struct sockaddr_un* addr, int flags)
|
||||||
|
void comm_import_opened(const Comm::ConnectionPointer &, const char *note, struct addrinfo *AI) STUB
|
||||||
|
int comm_open_listener(int sock_type, int proto, Ip::Address &addr, int flags, const char *note) STUB_RETVAL(-1)
|
||||||
|
void comm_open_listener(int sock_type, int proto, Comm::ConnectionPointer &conn, const char *note) STUB
|
||||||
|
-int comm_openex(int, int, Ip::Address &, int, tos_t tos, nfmark_t nfmark, const char *) STUB_RETVAL(-1)
|
||||||
|
unsigned short comm_local_port(int fd) STUB_RETVAL(0)
|
||||||
|
int comm_udp_sendto(int sock, const Ip::Address &to, const void *buf, int buflen) STUB_RETVAL(-1)
|
||||||
|
void commCallCloseHandlers(int fd) STUB
|
2
SOURCES/squid.sysusers
Normal file
2
SOURCES/squid.sysusers
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
g squid 23 -
|
||||||
|
u squid 23 "Squid proxy user" /var/spool/squid /sbin/nologin
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
Name: squid
|
Name: squid
|
||||||
Version: 5.5
|
Version: 5.5
|
||||||
Release: 2%{?dist}
|
Release: 5%{?dist}
|
||||||
Summary: The Squid proxy caching server
|
Summary: The Squid proxy caching server
|
||||||
Epoch: 7
|
Epoch: 7
|
||||||
# See CREDITS for breakdown of non GPLv2+ code
|
# See CREDITS for breakdown of non GPLv2+ code
|
||||||
@ -18,12 +18,15 @@ Source5: squid.pam
|
|||||||
Source6: squid.nm
|
Source6: squid.nm
|
||||||
Source7: squid.service
|
Source7: squid.service
|
||||||
Source8: cache_swap.sh
|
Source8: cache_swap.sh
|
||||||
|
Source9: squid.sysusers
|
||||||
|
|
||||||
Source98: perl-requires-squid.sh
|
Source98: perl-requires-squid.sh
|
||||||
|
|
||||||
# Upstream patches
|
# Upstream patches
|
||||||
|
|
||||||
# Backported patches
|
# Backported patches
|
||||||
|
Patch101: squid-5.5-ip-bind-address-no-port.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2151188
|
||||||
|
|
||||||
# Local patches
|
# Local patches
|
||||||
# Applying upstream patches first makes it less likely that local patches
|
# Applying upstream patches first makes it less likely that local patches
|
||||||
@ -45,15 +48,14 @@ Patch208: squid-5.1-test-store-cppsuite.patch
|
|||||||
# Security patches
|
# Security patches
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2100721
|
||||||
Patch501: squid-5.5-CVE-2021-46784.patch
|
Patch501: squid-5.5-CVE-2021-46784.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2129771
|
||||||
|
Patch502: squid-5.5-CVE-2022-41318.patch
|
||||||
|
|
||||||
# cache_swap.sh
|
# cache_swap.sh
|
||||||
Requires: bash gawk
|
Requires: bash gawk
|
||||||
# for httpd conf file - cachemgr script alias
|
# for httpd conf file - cachemgr script alias
|
||||||
Requires: httpd-filesystem
|
Requires: httpd-filesystem
|
||||||
Requires(pre): shadow-utils
|
|
||||||
Requires(post): systemd
|
|
||||||
Requires(preun): systemd
|
|
||||||
Requires(postun): systemd
|
|
||||||
# squid_ldap_auth and other LDAP helpers require OpenLDAP
|
# squid_ldap_auth and other LDAP helpers require OpenLDAP
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
@ -85,6 +87,8 @@ BuildRequires: systemd-rpm-macros
|
|||||||
# systemd notify
|
# systemd notify
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
|
|
||||||
|
%{?systemd_requires}
|
||||||
|
%{?sysusers_requires_compat}
|
||||||
|
|
||||||
# Old NetworkManager expects the dispatcher scripts in a different place
|
# Old NetworkManager expects the dispatcher scripts in a different place
|
||||||
Conflicts: NetworkManager < 1.20
|
Conflicts: NetworkManager < 1.20
|
||||||
@ -108,6 +112,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
|||||||
# Upstream patches
|
# Upstream patches
|
||||||
|
|
||||||
# Backported patches
|
# Backported patches
|
||||||
|
%patch101 -p1 -b .ip-bind-address-no-port
|
||||||
|
|
||||||
# Local patches
|
# Local patches
|
||||||
%patch201 -p1 -b .config
|
%patch201 -p1 -b .config
|
||||||
@ -120,6 +125,7 @@ lookup program (dnsserver), a program for retrieving FTP data
|
|||||||
%patch208 -p1 -b .test-store-cpp
|
%patch208 -p1 -b .test-store-cpp
|
||||||
|
|
||||||
%patch501 -p1 -b .CVE-2021-46784
|
%patch501 -p1 -b .CVE-2021-46784
|
||||||
|
%patch502 -p1 -b .CVE-2022-41318
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526
|
||||||
# Patch in the vendor documentation and used different location for documentation
|
# Patch in the vendor documentation and used different location for documentation
|
||||||
@ -239,6 +245,8 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/squid/squid.conf.documented
|
|||||||
# remove unpackaged files from the buildroot
|
# remove unpackaged files from the buildroot
|
||||||
rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
|
rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
|
||||||
|
|
||||||
|
# sysusers.d
|
||||||
|
install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license COPYING
|
%license COPYING
|
||||||
@ -280,15 +288,10 @@ rm -f $RPM_BUILD_ROOT/squid.httpd.tmp
|
|||||||
%{_libdir}/squid/*
|
%{_libdir}/squid/*
|
||||||
%{_datadir}/snmp/mibs/SQUID-MIB.txt
|
%{_datadir}/snmp/mibs/SQUID-MIB.txt
|
||||||
%{_tmpfilesdir}/squid.conf
|
%{_tmpfilesdir}/squid.conf
|
||||||
|
%{_sysusersdir}/squid.conf
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
if ! getent group squid >/dev/null 2>&1; then
|
%sysusers_create_compat %{SOURCE9}
|
||||||
/usr/sbin/groupadd -g 23 squid
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! getent passwd squid >/dev/null 2>&1 ; then
|
|
||||||
/usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
for i in /var/log/squid /var/spool/squid ; do
|
for i in /var/log/squid /var/spool/squid ; do
|
||||||
if [ -d $i ] ; then
|
if [ -d $i ] ; then
|
||||||
@ -331,8 +334,6 @@ do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post squid.service
|
%systemd_post squid.service
|
||||||
|
|
||||||
@ -351,6 +352,17 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 06 2022 Tomas Korbar <tkorbar@redhat.com> - 7:5.5-5
|
||||||
|
- Resolves: #2151188 - [RFE] Add the "IP_BIND_ADDRESS_NO_PORT"
|
||||||
|
flag to sockets created for outgoing connections in the squid source code.
|
||||||
|
|
||||||
|
* Mon Nov 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-4
|
||||||
|
- Resolves: #2095468 - [RFE] squid use systemd-sysusers
|
||||||
|
|
||||||
|
* Mon Nov 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-3
|
||||||
|
- Resolves: #2130253 - CVE-2022-41318 squid: buffer-over-read in SSPI and SMB
|
||||||
|
authentication
|
||||||
|
|
||||||
* Mon Jul 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-2
|
* Mon Jul 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 7:5.5-2
|
||||||
- Resolves: #2100785 - CVE-2021-46784 squid: DoS when processing gopher server
|
- Resolves: #2100785 - CVE-2021-46784 squid: DoS when processing gopher server
|
||||||
responses
|
responses
|
||||||
|
Loading…
Reference in New Issue
Block a user