Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via

authentication credential leakage in error handling (CVE-2025-62168)
2025-10-20 14:38:29 +02:00 · 2025-10-20 14:38:29 +02:00 · ec44530003
commit ec44530003
parent c67ec1f2a2
2 changed files with 159 additions and 1 deletions
--- a/squid-4.15-CVE-2025-62168.patch
+++ b/squid-4.15-CVE-2025-62168.patch
@ -0,0 +1,151 @@
+diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc
+index 38b9307..e0278b7 100644
+--- a/src/HttpRequest.cc
+++ b/src/HttpRequest.cc
+@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
+ 
+ /* packs request-line and headers, appends <crlf> terminator */
+ void
+-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
+ {
+     assert(p);
+     /* pack request-line */
+@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
+                SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
+                http_ver.major, http_ver.minor);
+     /* headers */
+-    header.packInto(p);
+-    /* trailer */
+    header.packInto(p, maskSensitiveInfo);
+    /* indicate the end of the header section */
+     p->append("\r\n", 2);
+ }
+ 
+diff --git a/src/HttpRequest.h b/src/HttpRequest.h
+index fe706ef..4329d53 100644
+--- a/src/HttpRequest.h
+++ b/src/HttpRequest.h
+@@ -201,7 +201,7 @@ public:
+ 
+     void swapOut(StoreEntry * e);
+ 
+-    void pack(Packable * p) const;
+    void pack(Packable * p, bool maskSensitiveInfo = false) const;
+ 
+     static void httpRequestPack(void *obj, Packable *p);
+ 
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index d55b870..7b18b0e 100644
+--- a/src/cf.data.pre
+++ b/src/cf.data.pre
+@@ -8319,12 +8319,18 @@ NAME: email_err_data
+ COMMENT: on|off
+ TYPE: onoff
+ LOC: Config.onoff.emailErrData
+-DEFAULT: on
+DEFAULT: off
+ DOC_START
+ 	If enabled, information about the occurred error will be
+ 	included in the mailto links of the ERR pages (if %W is set)
+ 	so that the email body contains the data.
+ 	Syntax is <A HREF="mailto:%w%W">%w</A>
+
+	SECURITY WARNING:
+		Request headers and other included facts may contain
+		sensitive information about transaction history, the
+		Squid instance, and its environment which would be
+		unavailable to error recipients otherwise.
+ DOC_END
+ 
+ NAME: deny_info
+diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
+index fea5ecb..93692c3 100644
+--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
+@@ -100,7 +100,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) :
+ void
+ clientReplyContext::setReplyToError(
+     err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri,
+-    Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest,
+    Ip::Address &addr, HttpRequest * failedrequest, const char *,
+ #if USE_AUTH
+     Auth::UserRequest::Pointer auth_user_request
+ #else
+@@ -110,9 +110,6 @@ clientReplyContext::setReplyToError(
+ {
+     ErrorState *errstate = clientBuildError(err, status, uri, addr, failedrequest);
+ 
+-    if (unparsedrequest)
+-        errstate->request_hdrs = xstrdup(unparsedrequest);
+-
+ #if USE_AUTH
+     errstate->auth_user_request = auth_user_request;
+ #endif
+@@ -1078,11 +1075,14 @@ clientReplyContext::traceReply()
+     triggerInitialStoreRead();
+     http->storeEntry()->releaseRequest();
+     http->storeEntry()->buffer();
+    MemBuf content;
+    content.init();
+    http->request->pack(&content, true /* hide authorization data */);
+     HttpReply *rep = new HttpReply;
+-    rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+    rep->setHeaders(Http::scOkay, NULL, "message/http", content.contentSize(), 0, squid_curtime);
+    rep->body.set(SBuf(content.buf, content.size));
+     http->storeEntry()->replaceHttpReply(rep);
+-    http->request->swapOut(http->storeEntry());
+-    http->storeEntry()->complete();
+    http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
+ }
+ 
+ #define SENDING_BODY 0
+diff --git a/src/errorpage.cc b/src/errorpage.cc
+index 72be100..36ce593 100644
+--- a/src/errorpage.cc
+++ b/src/errorpage.cc
+@@ -678,7 +678,6 @@ ErrorState::~ErrorState()
+     HTTPMSGUNLOCK(request);
+     safe_free(redirect_url);
+     safe_free(url);
+-    safe_free(request_hdrs);
+     wordlistDestroy(&ftp.server_msg);
+     safe_free(ftp.request);
+     safe_free(ftp.reply);
+@@ -742,7 +741,10 @@ ErrorState::Dump(MemBuf * mb)
+                     SQUIDSBUFPRINT(request->url.path()),
+                     AnyP::ProtocolType_str[request->http_ver.protocol],
+                     request->http_ver.major, request->http_ver.minor);
+-        request->header.packInto(&str);
+        MemBuf r;
+        r.init();
+        request->pack(&r, true /* hide authorization data */);
+        str.append(r.content(), r.contentSize());
+     }
+ 
+     str.append("\r\n", 2);
+diff --git a/src/errorpage.h b/src/errorpage.h
+index 332e507..bf61b4d 100644
+--- a/src/errorpage.h
+++ b/src/errorpage.h
+@@ -164,7 +164,6 @@ public:
+         MemBuf *listing;
+     } ftp;
+ 
+-    char *request_hdrs;
+     char *err_msg; /* Preformatted error message from the cache */
+ 
+ #if USE_OPENSSL
+diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc
+index cd18d51..495d786 100644
+--- a/src/tests/stub_HttpRequest.cc
+++ b/src/tests/stub_HttpRequest.cc
+@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
+ bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
+ int HttpRequest::prefixLen() const STUB_RETVAL(0)
+ void HttpRequest::swapOut(StoreEntry *) STUB
+-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
+ void HttpRequest::httpRequestPack(void *, Packable *) STUB
+ HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
+ HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.6
+Release:  10%{?dist}.7
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -78,6 +78,8 @@ Patch312: squid-4.15-CVE-2024-25111.patch
 Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2260051
 Patch314: squid-4.15-CVE-2024-23638.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2404736
+Patch315: squid-4.15-CVE-2025-62168.patch

 Requires: bash >= 2.0
 Requires(pre): shadow-utils
@ -156,6 +158,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch312 -p1 -b .CVE-2024-25111
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 %patch314 -p1 -b .CVE-2024-23638
+%patch315 -p1 -b .CVE-2025-62168

 # patch305 follow-up
 %patch212 -p1 -b .fatal-read-data-from-mem
@ -375,6 +378,10 @@ fi


 %changelog
+* Mon Oct 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.7
+- Resolves: RHEL-122484 - squid: Squid vulnerable to information disclosure via
+  authentication credential leakage in error handling (CVE-2025-62168)
+
 * Wed Mar 26 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.6
 - Resolves: RHEL-84420 - A squid child process causes a memory reference error
  and the squid service terminates abnormally