Import from CS git

2025-06-04 12:51:06 +00:00 · 2025-01-28 08:42:44 +00:00
3 changed files with 129 additions and 2 deletions
--- a/SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch
+++ b/SOURCES/squid-4.15-dns-obey-ttl-set-to-zero.patch
@ -0,0 +1,61 @@
 diff --git a/src/ipcache.cc b/src/ipcache.cc
 index ea32021..6012f1f 100644
 --- a/src/ipcache.cc
 +++ b/src/ipcache.cc
@@ -103,6 +103,7 @@ public:
     } flags;
     int age() const; ///< time passed since request_time or -1 if unknown
 +    void updateTtl(const unsigned int rrTtl);
 };
 /// \ingroup IPCacheInternal
@@ -338,7 +339,6 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
     int k;
     int j = 0;
     int na = 0;
 -    int ttl = 0;
     const char *name = (const char *)i->hash.key;
     int cname_found = 0;
@@ -436,8 +436,8 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
             debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] );
             ++j;
         }
 -        if (ttl == 0 || (int) answers[k].ttl < ttl)
 -            ttl = answers[k].ttl;
 +
 +        i->updateTtl(answers[k].ttl);
     }
     assert(j == na);
@@ -447,17 +447,21 @@ ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *e
     else
         i->addrs.count = 255;
 -    if (ttl > Config.positiveDnsTtl)
 -        ttl = Config.positiveDnsTtl;
 -
 -    if (ttl < Config.negativeDnsTtl)
 -        ttl = Config.negativeDnsTtl;
 -
 -    i->expires = squid_curtime + ttl;
 -
     i->flags.negcached = false;
 }
 +void
 +ipcache_entry::updateTtl(const unsigned int rrTtl)
 +{
 +    const time_t ttl = std::min(std::max(
 +                                    Config.negativeDnsTtl, // smallest value allowed
 +                                    static_cast<time_t>(rrTtl)),
 +                                Config.positiveDnsTtl); // largest value allowed
 +    const time_t rrExpires = squid_curtime + ttl;
 +    if (rrExpires < expires)
 +        expires = rrExpires;
 +}
 +
 /// \ingroup IPCacheInternal
 static void
 ipcacheHandleReply(void *data, const rfc1035_rr * answers, int na, const char *error_message)
--- a/SOURCES/squid-4.15-fatal-read-data-from-mem.patch
+++ b/SOURCES/squid-4.15-fatal-read-data-from-mem.patch
@ -0,0 +1,48 @@
 From 6c29ec591b1c777fc9a66f810f0ce5bc5076bc40 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Tue, 14 Nov 2023 18:40:37 +0000
 Subject: [PATCH] Bug 5317: FATAL attempt to read data from memory (#1579)
    FATAL: Squid has attempted to read data ... that is not present.
 Recent commit 122a6e3 attempted to deliver in-memory response body bytes
 to a Store-reading client that requested (at least) response headers.
 That optimization relied on the old canReadFromMemory() logic, but that
 logic results in false positives when the checked read offset falls into
 a gap between stored headers and the first body byte of a Content-Range.
 In that case, a false positive leads to a readFromMemory() call and a
 FATAL mem_hdr::copy() error.
 This workaround disables the above optimization without fixing
 canReadFromMemory(). We believe that a readFromMemory() call that comes
 right after response headers are delivered to the Store-reading client
 will not suffer from the same problem because the client will supply the
 read offset of the first body byte, eliminating the false positive.
 ---
 src/store_client.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/src/store_client.cc b/src/store_client.cc
 index a5f2440..b09f78a 100644
 --- a/src/store_client.cc
 +++ b/src/store_client.cc
@@ -355,8 +355,9 @@ store_client::doCopy(StoreEntry *anEntry)
             return; // failure
     }
 -    // send any immediately available body bytes even if we also sendHttpHeaders
 -    if (canReadFromMemory()) {
 +    // Send any immediately available body bytes unless we sendHttpHeaders.
 +    // TODO: Send those body bytes when we sendHttpHeaders as well.
 +    if (!sendHttpHeaders && canReadFromMemory()) {
         readFromMemory();
         noteNews(); // will sendHttpHeaders (if needed) as well
         flags.store_copying = false;
@@ -442,6 +443,7 @@ store_client::canReadFromMemory() const
 {
     const auto &mem = entry->mem();
     const auto memReadOffset = nextHttpReadOffset();
 +    // XXX: This (lo <= offset < end) logic does not support Content-Range gaps.
     return mem.inmem_lo <= memReadOffset && memReadOffset < mem.endOffset() &&
            parsingBuffer.first.spaceSize();
 }
--- a/SPECS/squid.spec
+++ b/SPECS/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  4.15
-Release:  10%{?dist}.3
+Release:  10%{?dist}.6
 Summary:  The Squid proxy caching server
 Epoch:    7
 # See CREDITS for breakdown of non GPLv2+ code
@ -40,6 +40,10 @@ Patch208: squid-4.11-convert-ipv4.patch
 Patch209: squid-4.15-ftp-filename-extraction.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2076717
 Patch210: squid-4.15-halfclosed.patch
 # https://issues.redhat.com/browse/RHEL-66120
 Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch
 # https://issues.redhat.com/browse/RHEL-57030
 Patch212: squid-4.15-fatal-read-data-from-mem.patch
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1941506
@ -106,7 +110,7 @@ BuildRequires: systemd-devel
 %description
 Squid is a high-performance proxy caching server for Web clients,
-supporting FTP, gopher, and HTTP data objects. Unlike traditional
+supporting FTP and HTTP data objects. Unlike traditional
 caching software, Squid handles all requests in a single,
 non-blocking, I/O-driven process. Squid keeps meta data and especially
 hot objects cached in RAM, caches DNS lookups, supports non-blocking
@ -134,6 +138,7 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch208 -p1 -b .convert-ipv4
 %patch209 -p1 -b .ftp-fn-extraction
 %patch210 -p1 -b .halfclosed
 %patch211 -p1 -b .dns-obey-ttl-set-to-zero
 # Security patches
 %patch300 -p1 -b .CVE-2021-28116
@ -152,6 +157,9 @@ lookup program (dnsserver), a program for retrieving FTP data
 %patch313 -p1 -b .ignore-wsp-chunk-sz
 %patch314 -p1 -b .CVE-2024-23638
 # patch305 follow-up
 %patch212 -p1 -b .fatal-read-data-from-mem
 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
 # Patch in the vendor documentation and used different location for documentation
 sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented|' src/squid.8.in
@ -367,6 +375,16 @@ fi
 %changelog
 * Wed Mar 26 2025 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.6
 - Resolves: RHEL-84420 - A squid child process causes a memory reference error
  and the squid service terminates abnormally
 * Fri Nov 22 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.5
 - Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0
 * Mon Nov 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.4
 - Resolves: RHEL-67870 - Remove gopher mention from spec file
 * Wed Nov 13 2024 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-10.3
 - Resolves: RHEL-22593 - CVE-2024-23638 squid:4/squid: vulnerable to
  a Denial of Service attack against Cache Manager error responses
Author	SHA1	Message	Date
eabdullin	d7b01e3ac3	Import from CS git	2025-06-04 12:51:06 +00:00
eabdullin	c6d920713f	Import from CS git	2025-01-28 08:42:44 +00:00