Re: [PATCH] proxy.cgi: Mitigation for CVE-2025-62168 on squid

[Matthias Fischer <matthias.fischer@ipfire.org>]

Hi,

On 20.10.2025 12:48, Adolf Belka wrote:
> - The full fix for CVE-2025-62168 is in version squid-7.2
> - However there are a lot of changes in squid from version 6 to 7 with all the error
>    language files no longer provided directly, they have to be obtained from separate
>    langauage packs now. Also several tools like cachmgr.cgi have been removed as the
>    options can be obtained via different approaches.
> - I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some
>    time to be sure it is working properly.
> - In the interim, this patch adds the mitigation "email_err_data off" into squid.conf
>    that is referenced in the CVE report.
> - If someone else has already worked on squid-7.2 and has it ready to go now or soon,
>    then this patch can be dropped.

Yes, I did it - and I'm testing it with Core 197:

...
2025/10/20 19:52:50 kid1| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2025/10/20 19:52:50 kid1| Current Directory is /
2025/10/20 19:52:50 kid1| Starting Squid Cache version 7.2 for
x86_64-pc-linux-gnu...
...

But I don't really trust the new 'squid' yet. Building was simple - I
only changed version and checksum in the existing lfs-file, that's all
it needed. And a few changes in the rootfile - as Adolf wrote, several
tools have been removed. By the way: in the current v7.2, the "error
language files" are included, no need to download them seperately! So
upgrading was easy, but... ;-)

Right now, its running without seen problems. What bothers me, is that
the 'proxy.cgi' needs to be adjusted. This seems to be a bit tricky and
I won't have the time for this in the near future. Even if my original
'squid.conf' works fine I don't know what happens if someone needs the
removed "basic_smb_lm_auth and ntlm_smb_lm_auth helpers" (e.g. from
changelog) and clicks on "Save and restart"...

Other changes (v7.0.1):
	- Remove Edge Side Include (ESI) protocol
	- Remove Ident protocol support
	- Remove cache_object protocol support
	- Remove cachemgr.cgi tool
	- Remove tool 'purge' for management of UFS/AUFS/DiskD caches
	- Remove squidclient
And the list goes on...

A change in v7.2 ("Bug 5504: Document that Squid discards invalid
rewrite-url") made an acl necessary (url_rewrite_access deny CONNECT)
because 'squid.conf' was suddenly flooded with errors: "URL-rewrite
produces invalid request: CONNECT
http://[ROUTER_IP_DELETED]:81/images/urlfilter/1x1.gif HTTP/1.1 current
master transaction: master53"
And the v7.1 didn't ran at all, because of similar problems with the
urlfilter. Hm...
So I would recommend that we adjust the 'proxy'cgi' accordingly and test
very carefully, before we upgrade 'squid' to 7.2. I'll test and report...

Jm2c - Regards
Matthias
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>  html/cgi-bin/proxy.cgi | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
> index fdb7c6a77..f0547e249 100644
> --- a/html/cgi-bin/proxy.cgi
> +++ b/html/cgi-bin/proxy.cgi
> @@ -3109,6 +3109,7 @@ sub writeconfig
>  shutdown_lifetime 5 seconds
>  icp_port 0
>  httpd_suppress_version_string on
> +email_err_data off
>  
>  END
>  	;