squid: CVE-2016-4553

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4553 Backported upstream patch: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> (cherry picked from commit d46c89ae44c811b64b117613072698601e483b32) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Catalin Enache <catalin.enache@windriver.com> 2016-05-23 15:49:34 +0300
committer: Armin Kuster <akuster808@gmail.com> 2016-08-16 10:29:39 -0700
commit: 7166a2daecfbb4528fa410670adcc7f241715bd5 (patch)
tree: b0991fb67152a1ea96b725b71887b003bcdbdd5e
parent: bee5bfb29d582e6c31a875b6905558d15cec8767 (diff)
download: meta-openembedded-7166a2daecfbb4528fa410670adcc7f241715bd5.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
new file mode 100644
index 000000000..497ace444
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
+From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Mon, 23 May 2016 12:47:39 +0300
+Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
+Upstream-Status: Backport
+CVE: CVE-2016-4553
+When absolute-URI is provided Host header should be ignored. However some
+code still uses Host directly so normalize it using the URL authority
+value before doing any further request processing.
+For now preserve the case where Host is completely absent. That matters
+to the CVE-2009-0801 protection.
+This also has the desirable side effect of removing multiple or duplicate
+Host header entries, and invalid port values.
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/client_side.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/src/client_side.cc b/src/client_side.cc
+index 8c41c21..36a27de 100644
+--- a/src/client_side.cc
+++ b/src/client_side.cc
+@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
+             clientProcessRequestFinished(conn, request);
+             return;
+         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
+     }
+ 
+     // Some blobs below are still HTTP-specific, but we would have to rewrite
+-- 
+2.7.4
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index e35aad7cf..93f69c1a1 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
           file://run-ptest \
           file://volatiles.03_squid \
           file://CVE-2016-3947.patch \
+           file://CVE-2016-4553.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
author	Catalin Enache <catalin.enache@windriver.com>	2016-05-23 15:49:34 +0300
committer	Armin Kuster <akuster808@gmail.com>	2016-08-16 10:29:39 -0700
commit	7166a2daecfbb4528fa410670adcc7f241715bd5 (patch)
tree	b0991fb67152a1ea96b725b71887b003bcdbdd5e
parent	bee5bfb29d582e6c31a875b6905558d15cec8767 (diff)
download	meta-openembedded-7166a2daecfbb4528fa410670adcc7f241715bd5.tar.gz

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch new file mode 100644 index 000000000..497ace444 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
		1	From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
		2	From: Catalin Enache <catalin.enache@windriver.com>
		3	Date: Mon, 23 May 2016 12:47:39 +0300
		4	Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2016-4553
		8
		9	When absolute-URI is provided Host header should be ignored. However some
		10	code still uses Host directly so normalize it using the URL authority
		11	value before doing any further request processing.
		12
		13	For now preserve the case where Host is completely absent. That matters
		14	to the CVE-2009-0801 protection.
		15
		16	This also has the desirable side effect of removing multiple or duplicate
		17	Host header entries, and invalid port values.
		18
		19	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		20	---
		21	src/client_side.cc \| 14 ++++++++++++++
		22	1 file changed, 14 insertions(+)
		23
		24	diff --git a/src/client_side.cc b/src/client_side.cc
		25	index 8c41c21..36a27de 100644
		26	--- a/src/client_side.cc
		27	+++ b/src/client_side.cc
		28	@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData conn, HttpParser hp, ClientSocketContext *c
		29	clientProcessRequestFinished(conn, request);
		30	return;
		31	}
		32	+
		33	+ // when absolute-URI is provided Host header should be ignored. However
		34	+ // some code still uses Host directly so normalize it.
		35	+ // For now preserve the case where Host is completely absent. That matters.
		36	+ if (request->header.has(HDR_HOST)) {
		37	+ const char *host = request->header.getStr(HDR_HOST);
		38	+ SBuf authority(request->GetHost());
		39	+ if (request->port != urlDefaultPort(request->url.getScheme()))
		40	+ authority.appendf(":%d", request->port);
		41	+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
		42	+ // URL authority overrides Host header
		43	+ request->header.delById(HDR_HOST);
		44	+ request->header.putStr(HDR_HOST, authority.c_str());
		45	+ }
		46	}
		47
		48	// Some blobs below are still HTTP-specific, but we would have to rewrite
		49	--
		50	2.7.4
		51


diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb index e35aad7cf..93f69c1a1 100644 --- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb +++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
20	file://run-ptest \	20	file://run-ptest \
21	file://volatiles.03_squid \	21	file://volatiles.03_squid \
22	file://CVE-2016-3947.patch \	22	file://CVE-2016-3947.patch \
		23	file://CVE-2016-4553.patch \
23	"	24	"
24		25
25	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \	26	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \