diff options
author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-02 13:25:58 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2024-03-03 16:38:27 -0500 |
commit | 9939cf1b69564d30b4ea7b2c92408f8a3356c37d (patch) | |
tree | 3bedd8f550f483602c9ae24d09d83b5f0d6befab | |
parent | 724f1e1a28e1ab45f8c223329e92bcc85a349ea2 (diff) | |
download | meta-openembedded-9939cf1b69564d30b4ea7b2c92408f8a3356c37d.tar.gz |
squid: Fix for CVE-2023-49285 and CVE-2023-49286
Upstream-Status: Backport
[https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b
&
https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
3 files changed, 124 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch new file mode 100644 index 000000000..d3cc549f9 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49285.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Rousskov <rousskov@measurement-factory.com> | ||
3 | Date: Wed, 25 Oct 2023 19:41:45 +0000 | ||
4 | Subject: [PATCH] RFC 1123: Fix date parsing (#1538) | ||
5 | |||
6 | The bug was discovered and detailed by Joshua Rogers at | ||
7 | https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html | ||
8 | where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time | ||
9 | Handling". | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b] | ||
12 | CVE: CVE-2023-49285 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | lib/rfc1123.c | 6 ++++++ | ||
16 | 1 file changed, 6 insertions(+) | ||
17 | |||
18 | diff --git a/lib/rfc1123.c b/lib/rfc1123.c | ||
19 | index e5bf9a4d705..cb484cc002b 100644 | ||
20 | --- a/lib/rfc1123.c | ||
21 | +++ b/lib/rfc1123.c | ||
22 | @@ -50,7 +50,13 @@ make_month(const char *s) | ||
23 | char month[3]; | ||
24 | |||
25 | month[0] = xtoupper(*s); | ||
26 | + if (!month[0]) | ||
27 | + return -1; // protects *(s + 1) below | ||
28 | + | ||
29 | month[1] = xtolower(*(s + 1)); | ||
30 | + if (!month[1]) | ||
31 | + return -1; // protects *(s + 2) below | ||
32 | + | ||
33 | month[2] = xtolower(*(s + 2)); | ||
34 | |||
35 | for (i = 0; i < 12; i++) | ||
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 000000000..8e0bdf387 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch | |||
@@ -0,0 +1,87 @@ | |||
1 | From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alex Rousskov <rousskov@measurement-factory.com> | ||
3 | Date: Fri, 27 Oct 2023 21:27:20 +0000 | ||
4 | Subject: [PATCH] Exit without asserting when helper process startup fails | ||
5 | (#1543) | ||
6 | |||
7 | ... to dup() after fork() and before execvp(). | ||
8 | |||
9 | Assertions are for handling program logic errors. Helper initialization | ||
10 | code already handled system call errors correctly (i.e. by exiting the | ||
11 | newly created helper process with an error), except for a couple of | ||
12 | assert()s that could be triggered by dup(2) failures. | ||
13 | |||
14 | This bug was discovered and detailed by Joshua Rogers at | ||
15 | https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html | ||
16 | where it was filed as 'Assertion in Squid "Helper" Process Creator'. | ||
17 | |||
18 | Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch | ||
19 | |||
20 | Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] | ||
21 | CVE: CVE-2023-49286 | ||
22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
23 | --- | ||
24 | src/ipc.cc | 33 +++++++++++++++++++++++++++------ | ||
25 | 1 file changed, 27 insertions(+), 6 deletions(-) | ||
26 | |||
27 | --- a/src/ipc.cc | ||
28 | +++ b/src/ipc.cc | ||
29 | @@ -20,6 +20,12 @@ | ||
30 | #include "SquidIpc.h" | ||
31 | #include "tools.h" | ||
32 | |||
33 | +#include <cstdlib> | ||
34 | + | ||
35 | +#if HAVE_UNISTD_H | ||
36 | +#include <unistd.h> | ||
37 | +#endif | ||
38 | + | ||
39 | static const char *hello_string = "hi there\n"; | ||
40 | #ifndef HELLO_BUF_SZ | ||
41 | #define HELLO_BUF_SZ 32 | ||
42 | @@ -365,6 +371,22 @@ | ||
43 | } | ||
44 | |||
45 | PutEnvironment(); | ||
46 | + | ||
47 | + // A dup(2) wrapper that reports and exits the process on errors. The | ||
48 | + // exiting logic is only suitable for this child process context. | ||
49 | + const auto dupOrExit = [prog,name](const int oldFd) { | ||
50 | + const auto newFd = dup(oldFd); | ||
51 | + if (newFd < 0) { | ||
52 | + const auto savedErrno = errno; | ||
53 | + debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); | ||
54 | + debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); | ||
55 | + debugs(54, DBG_CRITICAL, "helper program name: " << prog); | ||
56 | + debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); | ||
57 | + _exit(1); | ||
58 | + } | ||
59 | + return newFd; | ||
60 | + }; | ||
61 | + | ||
62 | /* | ||
63 | * This double-dup stuff avoids problems when one of | ||
64 | * crfd, cwfd, or debug_log are in the rage 0-2. | ||
65 | @@ -372,17 +394,16 @@ | ||
66 | |||
67 | do { | ||
68 | /* First make sure 0-2 is occupied by something. Gets cleaned up later */ | ||
69 | - x = dup(crfd); | ||
70 | - assert(x > -1); | ||
71 | - } while (x < 3 && x > -1); | ||
72 | + x = dupOrExit(crfd); | ||
73 | + } while (x < 3); | ||
74 | |||
75 | close(x); | ||
76 | |||
77 | - t1 = dup(crfd); | ||
78 | + t1 = dupOrExit(crfd); | ||
79 | |||
80 | - t2 = dup(cwfd); | ||
81 | + t2 = dupOrExit(cwfd); | ||
82 | |||
83 | - t3 = dup(fileno(debug_log)); | ||
84 | + t3 = dupOrExit(fileno(debug_log)); | ||
85 | |||
86 | assert(t1 > 2 && t2 > 2 && t3 > 2); | ||
87 | |||
diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb index 98257e54c..482ce76d1 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.9.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb | |||
@@ -28,6 +28,8 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 | |||
28 | file://CVE-2023-46728.patch \ | 28 | file://CVE-2023-46728.patch \ |
29 | file://CVE-2023-46846-pre1.patch \ | 29 | file://CVE-2023-46846-pre1.patch \ |
30 | file://CVE-2023-46846.patch \ | 30 | file://CVE-2023-46846.patch \ |
31 | file://CVE-2023-49285.patch \ | ||
32 | file://CVE-2023-49286.patch \ | ||
31 | " | 33 | " |
32 | 34 | ||
33 | SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" | 35 | SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" |