squid: CVE-2016-4553

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4553 Backported upstream patch: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Catalin Enache <catalin.enache@windriver.com> 2016-05-23 15:49:34 +0300
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-06-01 19:35:50 -0400
commit: d46c89ae44c811b64b117613072698601e483b32 (patch)
tree: 6e77c4047c77d5ae42f413f65da0ee77abb3e5aa /meta-networking/recipes-daemons
parent: 9a13040d7b10b9f7221f8190e75aa249bfacee9d (diff)
download: meta-openembedded-d46c89ae44c811b64b117613072698601e483b32.tar.gz
2 files changed, 52 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
new file mode 100644
index 000000000..497ace444
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
+From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Mon, 23 May 2016 12:47:39 +0300
+Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
+Upstream-Status: Backport
+CVE: CVE-2016-4553
+When absolute-URI is provided Host header should be ignored. However some
+code still uses Host directly so normalize it using the URL authority
+value before doing any further request processing.
+For now preserve the case where Host is completely absent. That matters
+to the CVE-2009-0801 protection.
+This also has the desirable side effect of removing multiple or duplicate
+Host header entries, and invalid port values.
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/client_side.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/src/client_side.cc b/src/client_side.cc
+index 8c41c21..36a27de 100644
+--- a/src/client_side.cc
+++ b/src/client_side.cc
+@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
+             clientProcessRequestFinished(conn, request);
+             return;
+         }
+
+        // when absolute-URI is provided Host header should be ignored. However
+        // some code still uses Host directly so normalize it.
+        // For now preserve the case where Host is completely absent. That matters.
+        if (request->header.has(HDR_HOST)) {
+            const char *host = request->header.getStr(HDR_HOST);
+            SBuf authority(request->GetHost());
+            if (request->port != urlDefaultPort(request->url.getScheme()))
+                authority.appendf(":%d", request->port);
+            debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
+            // URL authority overrides Host header
+            request->header.delById(HDR_HOST);
+            request->header.putStr(HDR_HOST, authority.c_str());
+        }
+     }
+ 
+     // Some blobs below are still HTTP-specific, but we would have to rewrite
+-- 
+2.7.4
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index 750484a7b..b571e29a3 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
           file://run-ptest \
           file://volatiles.03_squid \
           file://CVE-2016-3947.patch \
+           file://CVE-2016-4553.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
author	Catalin Enache <catalin.enache@windriver.com>	2016-05-23 15:49:34 +0300
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-06-01 19:35:50 -0400
commit	d46c89ae44c811b64b117613072698601e483b32 (patch)
tree	6e77c4047c77d5ae42f413f65da0ee77abb3e5aa /meta-networking/recipes-daemons
parent	9a13040d7b10b9f7221f8190e75aa249bfacee9d (diff)
download	meta-openembedded-d46c89ae44c811b64b117613072698601e483b32.tar.gz

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch new file mode 100644 index 000000000..497ace444 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
		1	From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
		2	From: Catalin Enache <catalin.enache@windriver.com>
		3	Date: Mon, 23 May 2016 12:47:39 +0300
		4	Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
		5
		6	Upstream-Status: Backport
		7	CVE: CVE-2016-4553
		8
		9	When absolute-URI is provided Host header should be ignored. However some
		10	code still uses Host directly so normalize it using the URL authority
		11	value before doing any further request processing.
		12
		13	For now preserve the case where Host is completely absent. That matters
		14	to the CVE-2009-0801 protection.
		15
		16	This also has the desirable side effect of removing multiple or duplicate
		17	Host header entries, and invalid port values.
		18
		19	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		20	---
		21	src/client_side.cc \| 14 ++++++++++++++
		22	1 file changed, 14 insertions(+)
		23
		24	diff --git a/src/client_side.cc b/src/client_side.cc
		25	index 8c41c21..36a27de 100644
		26	--- a/src/client_side.cc
		27	+++ b/src/client_side.cc
		28	@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData conn, HttpParser hp, ClientSocketContext *c
		29	clientProcessRequestFinished(conn, request);
		30	return;
		31	}
		32	+
		33	+ // when absolute-URI is provided Host header should be ignored. However
		34	+ // some code still uses Host directly so normalize it.
		35	+ // For now preserve the case where Host is completely absent. That matters.
		36	+ if (request->header.has(HDR_HOST)) {
		37	+ const char *host = request->header.getStr(HDR_HOST);
		38	+ SBuf authority(request->GetHost());
		39	+ if (request->port != urlDefaultPort(request->url.getScheme()))
		40	+ authority.appendf(":%d", request->port);
		41	+ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
		42	+ // URL authority overrides Host header
		43	+ request->header.delById(HDR_HOST);
		44	+ request->header.putStr(HDR_HOST, authority.c_str());
		45	+ }
		46	}
		47
		48	// Some blobs below are still HTTP-specific, but we would have to rewrite
		49	--
		50	2.7.4
		51


diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb index 750484a7b..b571e29a3 100644 --- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb +++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
20	file://run-ptest \	20	file://run-ptest \
21	file://volatiles.03_squid \	21	file://volatiles.03_squid \
22	file://CVE-2016-3947.patch \	22	file://CVE-2016-3947.patch \
		23	file://CVE-2016-4553.patch \
23	"	24	"
24		25
25	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \	26	LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \