diff options
author | vkumbhar <vkumbhar@mvista.com> | 2023-11-29 15:21:21 +0530 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-12-13 13:35:51 -0500 |
commit | 402affcc073db39f782c1ebfd718edd5f11eed4c (patch) | |
tree | 83b0bf5e10eba994ba9a8c742f5b783114b52369 | |
parent | 1117be8983eb2441ee9721abd7665cc071c38c70 (diff) | |
download | meta-openembedded-402affcc073db39f782c1ebfd718edd5f11eed4c.tar.gz |
squid: fix CVE-2023-46847 Denial of Service in HTTP Digest Authentication
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch | 47 | ||||
-rw-r--r-- | meta-networking/recipes-daemons/squid/squid_4.15.bb | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 000000000..9071872c0 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001 | ||
2 | From: squidadm <squidadm@users.noreply.github.com> | ||
3 | Date: Wed, 18 Oct 2023 04:50:56 +1300 | ||
4 | Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization | ||
5 | (#1517) | ||
6 | |||
7 | The bug was discovered and detailed by Joshua Rogers at | ||
8 | https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html | ||
9 | where it was filed as "Stack Buffer Overflow in Digest Authentication". | ||
10 | |||
11 | --------- | ||
12 | |||
13 | Co-authored-by: Alex Bason <nonsleepr@gmail.com> | ||
14 | Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com> | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3] | ||
17 | CVE: CVE-2023-46847 | ||
18 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
19 | --- | ||
20 | src/auth/digest/Config.cc | 10 +++++++--- | ||
21 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
22 | |||
23 | diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc | ||
24 | index 6a9736f..0a883fa 100644 | ||
25 | --- a/src/auth/digest/Config.cc | ||
26 | +++ b/src/auth/digest/Config.cc | ||
27 | @@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm) | ||
28 | break; | ||
29 | |||
30 | case DIGEST_NC: | ||
31 | - if (value.size() != 8) { | ||
32 | + if (value.size() == 8) { | ||
33 | + // for historical reasons, the nc value MUST be exactly 8 bytes | ||
34 | + static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); | ||
35 | + xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); | ||
36 | + debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); | ||
37 | + } else { | ||
38 | debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); | ||
39 | + digest_request->nc[0] = 0; | ||
40 | } | ||
41 | - xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); | ||
42 | - debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); | ||
43 | break; | ||
44 | |||
45 | case DIGEST_CNONCE: | ||
46 | -- | ||
47 | 2.40.1 | ||
diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb index a1122a3cd..302780674 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.15.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb | |||
@@ -25,6 +25,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 | |||
25 | file://0001-tools.cc-fixed-unused-result-warning.patch \ | 25 | file://0001-tools.cc-fixed-unused-result-warning.patch \ |
26 | file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \ | 26 | file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \ |
27 | file://0001-Fix-build-on-Fedora-Rawhide-772.patch \ | 27 | file://0001-Fix-build-on-Fedora-Rawhide-772.patch \ |
28 | file://CVE-2023-46847.patch \ | ||
28 | " | 29 | " |
29 | 30 | ||
30 | SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" | 31 | SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" |