squid: fix CVE-2023-46847 Denial of Service in HTTP Digest Authentication

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: vkumbhar <vkumbhar@mvista.com> 2023-11-29 15:21:21 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-12-13 13:35:51 -0500
commit: 402affcc073db39f782c1ebfd718edd5f11eed4c (patch)
tree: 83b0bf5e10eba994ba9a8c742f5b783114b52369
parent: 1117be8983eb2441ee9721abd7665cc071c38c70 (diff)
download: meta-openembedded-402affcc073db39f782c1ebfd718edd5f11eed4c.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch
new file mode 100644
index 0000000000..9071872c01
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch
@@ -0,0 +1,47 @@
+From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001
+From: squidadm <squidadm@users.noreply.github.com>
+Date: Wed, 18 Oct 2023 04:50:56 +1300
+Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
+ (#1517)
+The bug was discovered and detailed by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
+where it was filed as "Stack Buffer Overflow in Digest Authentication".
+---------
+Co-authored-by: Alex Bason <nonsleepr@gmail.com>
+Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
+Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3]
+CVE: CVE-2023-46847
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/auth/digest/Config.cc | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index 6a9736f..0a883fa 100644
+--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
+@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+             break;
+         case DIGEST_NC:
+-            if (value.size() != 8) {
+            if (value.size() == 8) {
+                // for historical reasons, the nc value MUST be exactly 8 bytes
+                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
+                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+            } else {
+                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
+                digest_request->nc[0] = 0;
+             }
+-            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+-            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+             break;
+         case DIGEST_CNONCE:
+--
+2.40.1
diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb
index a1122a3cd4..3027806742 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.15.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
           file://0001-tools.cc-fixed-unused-result-warning.patch \
           file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \
           file://0001-Fix-build-on-Fedora-Rawhide-772.patch \
+           file://CVE-2023-46847.patch \
           "
 SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
author	vkumbhar <vkumbhar@mvista.com>	2023-11-29 15:21:21 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-12-13 13:35:51 -0500
commit	402affcc073db39f782c1ebfd718edd5f11eed4c (patch)
tree	83b0bf5e10eba994ba9a8c742f5b783114b52369
parent	1117be8983eb2441ee9721abd7665cc071c38c70 (diff)
download	meta-openembedded-402affcc073db39f782c1ebfd718edd5f11eed4c.tar.gz

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch new file mode 100644 index 0000000000..9071872c01 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-46847.patch
@@ -0,0 +1,47 @@
		1	From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001
		2	From: squidadm <squidadm@users.noreply.github.com>
		3	Date: Wed, 18 Oct 2023 04:50:56 +1300
		4	Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
		5	(#1517)
		6
		7	The bug was discovered and detailed by Joshua Rogers at
		8	https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
		9	where it was filed as "Stack Buffer Overflow in Digest Authentication".
		10
		11	---------
		12
		13	Co-authored-by: Alex Bason <nonsleepr@gmail.com>
		14	Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
		15
		16	Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3]
		17	CVE: CVE-2023-46847
		18	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		19	---
		20	src/auth/digest/Config.cc \| 10 +++++++---
		21	1 file changed, 7 insertions(+), 3 deletions(-)
		22
		23	diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
		24	index 6a9736f..0a883fa 100644
		25	--- a/src/auth/digest/Config.cc
		26	+++ b/src/auth/digest/Config.cc
		27	@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const proxy_auth, const char aRequestRealm)
		28	break;
		29
		30	case DIGEST_NC:
		31	- if (value.size() != 8) {
		32	+ if (value.size() == 8) {
		33	+ // for historical reasons, the nc value MUST be exactly 8 bytes
		34	+ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
		35	+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
		36	+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
		37	+ } else {
		38	debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
		39	+ digest_request->nc[0] = 0;
		40	}
		41	- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
		42	- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
		43	break;
		44
		45	case DIGEST_CNONCE:
		46	--
		47	2.40.1


diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb index a1122a3cd4..3027806742 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.15.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
25	file://0001-tools.cc-fixed-unused-result-warning.patch \	25	file://0001-tools.cc-fixed-unused-result-warning.patch \
26	file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \	26	file://0001-splay.cc-fix-bind-is-not-a-member-of-std.patch \
27	file://0001-Fix-build-on-Fedora-Rawhide-772.patch \	27	file://0001-Fix-build-on-Fedora-Rawhide-772.patch \
		28	file://CVE-2023-46847.patch \
28	"	29	"
29		30
30	SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"	31	SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"