squid: Backport fix for CVE-2023-50269

import patch from ubuntu to fix CVE-2023-50269 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-02-12 09:26:24 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-03-03 16:38:27 -0500
commit: e30e0c309465de4e52addf008ab4404580c0026e (patch)
tree: a47b19497958041520c2b5d6fa6503879e4f7393
parent: de497fb40998a1b89f6b23083264bfa4c2a70504 (diff)
download: meta-openembedded-e30e0c309465de4e52addf008ab4404580c0026e.tar.gz
2 files changed, 63 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch
new file mode 100644
index 000000000..51c895e0e
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch
@@ -0,0 +1,62 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 26 Dec 2023 19:58:12 +0100
+Subject: CVE-2023-50269
+Bug-Debian: https://bugs.debian.org/1058721
+Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
+Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]
+CVE: CVE-2023-50269
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ClientRequestContext.h |  4 ++++
+ src/client_side_request.cc | 17 +++++++++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
+@@ -81,6 +81,10 @@
+ #endif
+     ErrorState *error; ///< saved error page for centralized/delayed processing
+     bool readNextRequest; ///< whether Squid should read after error handling
+
+#if FOLLOW_X_FORWARDED_FOR
+    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
+#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
+@@ -78,6 +78,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
+
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
+#endif
+
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -485,8 +490,16 @@
+                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
+                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+             }
+-            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+-            return;
+            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
+                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+                return;
+            }
+            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
+            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses");
+            debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber);
+            debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr);
+            debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator);
+            // fall through to resume clientAccessCheck() processing
+         }
+     }
+ 
diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb
index 482ce76d1..09c0a2cd7 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.9.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
           file://CVE-2023-46846.patch \
           file://CVE-2023-49285.patch \
           file://CVE-2023-49286.patch \
+           file://CVE-2023-50269.patch \
           "
 SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
author	Vijay Anusuri <vanusuri@mvista.com>	2024-02-12 09:26:24 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-03-03 16:38:27 -0500
commit	e30e0c309465de4e52addf008ab4404580c0026e (patch)
tree	a47b19497958041520c2b5d6fa6503879e4f7393
parent	de497fb40998a1b89f6b23083264bfa4c2a70504 (diff)
download	meta-openembedded-e30e0c309465de4e52addf008ab4404580c0026e.tar.gz

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 000000000..51c895e0e --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch
@@ -0,0 +1,62 @@
		1	From: Markus Koschany <apo@debian.org>
		2	Date: Tue, 26 Dec 2023 19:58:12 +0100
		3	Subject: CVE-2023-50269
		4
		5	Bug-Debian: https://bugs.debian.org/1058721
		6	Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
		7
		8	Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
		9	Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]
		10	CVE: CVE-2023-50269
		11	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		12	---
		13	src/ClientRequestContext.h \| 4 ++++
		14	src/client_side_request.cc \| 17 +++++++++++++++--
		15	2 files changed, 19 insertions(+), 2 deletions(-)
		16
		17	--- a/src/ClientRequestContext.h
		18	+++ b/src/ClientRequestContext.h
		19	@@ -81,6 +81,10 @@
		20	#endif
		21	ErrorState *error; ///< saved error page for centralized/delayed processing
		22	bool readNextRequest; ///< whether Squid should read after error handling
		23	+
		24	+#if FOLLOW_X_FORWARDED_FOR
		25	+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
		26	+#endif
		27	};
		28
		29	#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
		30	--- a/src/client_side_request.cc
		31	+++ b/src/client_side_request.cc
		32	@@ -78,6 +78,11 @@
		33	static const char *const crlf = "\r\n";
		34
		35	#if FOLLOW_X_FORWARDED_FOR
		36	+
		37	+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
		38	+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
		39	+#endif
		40	+
		41	static void clientFollowXForwardedForCheck(allow_t answer, void *data);
		42	#endif /* FOLLOW_X_FORWARDED_FOR */
		43
		44	@@ -485,8 +490,16 @@
		45	/* override the default src_addr tested if we have to go deeper than one level into XFF */
		46	Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
		47	}
		48	- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
		49	- return;
		50	+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
		51	+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
		52	+ return;
		53	+ }
		54	+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
		55	+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses");
		56	+ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber);
		57	+ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr);
		58	+ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator);
		59	+ // fall through to resume clientAccessCheck() processing
		60	}
		61	}
		62


diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb index 482ce76d1..09c0a2cd7 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.9.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
30	file://CVE-2023-46846.patch \	30	file://CVE-2023-46846.patch \
31	file://CVE-2023-49285.patch \	31	file://CVE-2023-49285.patch \
32	file://CVE-2023-49286.patch \	32	file://CVE-2023-49286.patch \
		33	file://CVE-2023-50269.patch \
33	"	34	"
34		35
35	SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"	36	SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"