diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2024-02-12 09:29:19 +0530 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-02-28 08:18:18 -0500 |
| commit | 5800571ad7adb79186a79d96b89de2f43b86a21d (patch) | |
| tree | 7d42ca3899d01dc44bb64221c5aca5f730bcdc18 /meta-networking | |
| parent | 7f2e0e1d38773965941f18b2666e97ba6213efc2 (diff) | |
| download | meta-openembedded-5800571ad7adb79186a79d96b89de2f43b86a21d.tar.gz | |
squid: Backport fix for CVE-2023-49286 and CVE-2023-50269
import patches from ubuntu to fix
CVE-2023-49286
CVE-2023-50269
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
Upstream commit
https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264
&
https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
3 files changed, 151 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch new file mode 100644 index 0000000000..8e0bdf387c --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch | |||
| @@ -0,0 +1,87 @@ | |||
| 1 | From 6014c6648a2a54a4ecb7f952ea1163e0798f9264 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Alex Rousskov <rousskov@measurement-factory.com> | ||
| 3 | Date: Fri, 27 Oct 2023 21:27:20 +0000 | ||
| 4 | Subject: [PATCH] Exit without asserting when helper process startup fails | ||
| 5 | (#1543) | ||
| 6 | |||
| 7 | ... to dup() after fork() and before execvp(). | ||
| 8 | |||
| 9 | Assertions are for handling program logic errors. Helper initialization | ||
| 10 | code already handled system call errors correctly (i.e. by exiting the | ||
| 11 | newly created helper process with an error), except for a couple of | ||
| 12 | assert()s that could be triggered by dup(2) failures. | ||
| 13 | |||
| 14 | This bug was discovered and detailed by Joshua Rogers at | ||
| 15 | https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html | ||
| 16 | where it was filed as 'Assertion in Squid "Helper" Process Creator'. | ||
| 17 | |||
| 18 | Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch | ||
| 19 | |||
| 20 | Upstream-Status: Backport [https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264] | ||
| 21 | CVE: CVE-2023-49286 | ||
| 22 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 23 | --- | ||
| 24 | src/ipc.cc | 33 +++++++++++++++++++++++++++------ | ||
| 25 | 1 file changed, 27 insertions(+), 6 deletions(-) | ||
| 26 | |||
| 27 | --- a/src/ipc.cc | ||
| 28 | +++ b/src/ipc.cc | ||
| 29 | @@ -20,6 +20,12 @@ | ||
| 30 | #include "SquidIpc.h" | ||
| 31 | #include "tools.h" | ||
| 32 | |||
| 33 | +#include <cstdlib> | ||
| 34 | + | ||
| 35 | +#if HAVE_UNISTD_H | ||
| 36 | +#include <unistd.h> | ||
| 37 | +#endif | ||
| 38 | + | ||
| 39 | static const char *hello_string = "hi there\n"; | ||
| 40 | #ifndef HELLO_BUF_SZ | ||
| 41 | #define HELLO_BUF_SZ 32 | ||
| 42 | @@ -365,6 +371,22 @@ | ||
| 43 | } | ||
| 44 | |||
| 45 | PutEnvironment(); | ||
| 46 | + | ||
| 47 | + // A dup(2) wrapper that reports and exits the process on errors. The | ||
| 48 | + // exiting logic is only suitable for this child process context. | ||
| 49 | + const auto dupOrExit = [prog,name](const int oldFd) { | ||
| 50 | + const auto newFd = dup(oldFd); | ||
| 51 | + if (newFd < 0) { | ||
| 52 | + const auto savedErrno = errno; | ||
| 53 | + debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); | ||
| 54 | + debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); | ||
| 55 | + debugs(54, DBG_CRITICAL, "helper program name: " << prog); | ||
| 56 | + debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); | ||
| 57 | + _exit(1); | ||
| 58 | + } | ||
| 59 | + return newFd; | ||
| 60 | + }; | ||
| 61 | + | ||
| 62 | /* | ||
| 63 | * This double-dup stuff avoids problems when one of | ||
| 64 | * crfd, cwfd, or debug_log are in the rage 0-2. | ||
| 65 | @@ -372,17 +394,16 @@ | ||
| 66 | |||
| 67 | do { | ||
| 68 | /* First make sure 0-2 is occupied by something. Gets cleaned up later */ | ||
| 69 | - x = dup(crfd); | ||
| 70 | - assert(x > -1); | ||
| 71 | - } while (x < 3 && x > -1); | ||
| 72 | + x = dupOrExit(crfd); | ||
| 73 | + } while (x < 3); | ||
| 74 | |||
| 75 | close(x); | ||
| 76 | |||
| 77 | - t1 = dup(crfd); | ||
| 78 | + t1 = dupOrExit(crfd); | ||
| 79 | |||
| 80 | - t2 = dup(cwfd); | ||
| 81 | + t2 = dupOrExit(cwfd); | ||
| 82 | |||
| 83 | - t3 = dup(fileno(debug_log)); | ||
| 84 | + t3 = dupOrExit(fileno(debug_log)); | ||
| 85 | |||
| 86 | assert(t1 > 2 && t2 > 2 && t3 > 2); | ||
| 87 | |||
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch new file mode 100644 index 0000000000..51c895e0ef --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch | |||
| @@ -0,0 +1,62 @@ | |||
| 1 | From: Markus Koschany <apo@debian.org> | ||
| 2 | Date: Tue, 26 Dec 2023 19:58:12 +0100 | ||
| 3 | Subject: CVE-2023-50269 | ||
| 4 | |||
| 5 | Bug-Debian: https://bugs.debian.org/1058721 | ||
| 6 | Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch | ||
| 7 | |||
| 8 | Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa | ||
| 9 | Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d] | ||
| 10 | CVE: CVE-2023-50269 | ||
| 11 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 12 | --- | ||
| 13 | src/ClientRequestContext.h | 4 ++++ | ||
| 14 | src/client_side_request.cc | 17 +++++++++++++++-- | ||
| 15 | 2 files changed, 19 insertions(+), 2 deletions(-) | ||
| 16 | |||
| 17 | --- a/src/ClientRequestContext.h | ||
| 18 | +++ b/src/ClientRequestContext.h | ||
| 19 | @@ -81,6 +81,10 @@ | ||
| 20 | #endif | ||
| 21 | ErrorState *error; ///< saved error page for centralized/delayed processing | ||
| 22 | bool readNextRequest; ///< whether Squid should read after error handling | ||
| 23 | + | ||
| 24 | +#if FOLLOW_X_FORWARDED_FOR | ||
| 25 | + size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far | ||
| 26 | +#endif | ||
| 27 | }; | ||
| 28 | |||
| 29 | #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ | ||
| 30 | --- a/src/client_side_request.cc | ||
| 31 | +++ b/src/client_side_request.cc | ||
| 32 | @@ -78,6 +78,11 @@ | ||
| 33 | static const char *const crlf = "\r\n"; | ||
| 34 | |||
| 35 | #if FOLLOW_X_FORWARDED_FOR | ||
| 36 | + | ||
| 37 | +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) | ||
| 38 | +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 | ||
| 39 | +#endif | ||
| 40 | + | ||
| 41 | static void clientFollowXForwardedForCheck(allow_t answer, void *data); | ||
| 42 | #endif /* FOLLOW_X_FORWARDED_FOR */ | ||
| 43 | |||
| 44 | @@ -485,8 +490,16 @@ | ||
| 45 | /* override the default src_addr tested if we have to go deeper than one level into XFF */ | ||
| 46 | Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; | ||
| 47 | } | ||
| 48 | - calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); | ||
| 49 | - return; | ||
| 50 | + if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { | ||
| 51 | + calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); | ||
| 52 | + return; | ||
| 53 | + } | ||
| 54 | + const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; | ||
| 55 | + debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); | ||
| 56 | + debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber); | ||
| 57 | + debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); | ||
| 58 | + debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); | ||
| 59 | + // fall through to resume clientAccessCheck() processing | ||
| 60 | } | ||
| 61 | } | ||
| 62 | |||
diff --git a/meta-networking/recipes-daemons/squid/squid_4.15.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb index d0cf596fa0..69b62aa5a5 100644 --- a/meta-networking/recipes-daemons/squid/squid_4.15.bb +++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb | |||
| @@ -30,6 +30,8 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2 | |||
| 30 | file://CVE-2023-46728.patch \ | 30 | file://CVE-2023-46728.patch \ |
| 31 | file://CVE-2023-46846-pre1.patch \ | 31 | file://CVE-2023-46846-pre1.patch \ |
| 32 | file://CVE-2023-46846.patch \ | 32 | file://CVE-2023-46846.patch \ |
| 33 | file://CVE-2023-49286.patch \ | ||
| 34 | file://CVE-2023-50269.patch \ | ||
| 33 | " | 35 | " |
| 34 | 36 | ||
| 35 | SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" | 37 | SRC_URI:remove:toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch" |
