From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid 3.5.27: latest patch from upstream (2018_1))
Date: Mon, 22 Jan 2018 13:29:27 +0000 [thread overview]
Message-ID: <1516627767.3647.172.camel@ipfire.org> (raw)
In-Reply-To: <d6f4a268-c0cb-b2ea-a000-68c04bf564b6@ipfire.org>
Why in gods name do they use their own XML parser?
On Mon, 2018-01-22 at 11:21 +0100, Matthias Fischer wrote:
> Hi,
>
> On 21.01.2018 20:06, Michael Tremer wrote:
> > Do we even use ESI?
>
> Still don't know if we are affected by this. In the meantime I got two
> more detailed announcements concerning this.
>
> This is the one I sent in for 3.5.27:
>
> ***SNIP***
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2018:1
> __________________________________________________________________
>
> Advisory ID: SQUID-2018:1
> Date: Jan 19, 2018
> Summary: Denial of Service issue
> in ESI Response processing.
> Affected versions: Squid 3.x -> 3.5.27
> Squid 4.x -> 4.0.22
> Fixed in version: Squid 4.0.23
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect pointer handling Squid is vulnerable to denial
> of service attack when processing ESI responses.
>
> _________________________________________________________________
>
> Severity:
>
> This problem allows a remote server delivering certain ESI
> response syntax to trigger a denial of service for all clients
> accessing the Squid service.
>
> This problem is limited to the Squid custom ESI parser.
> Squid built to use libxml2 or libexpat XML parsers do not have
> this problem.
> ***SNAP***
>
> The next one - also for 3.5.27 - came today, 'Devel' is running:
>
> ***SNIP***
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2018:2
> __________________________________________________________________
>
> Advisory ID: SQUID-2018:2
> Date: Jan 19, 2018
> Summary: Denial of Service issue
> in HTTP Message processing.
> Affected versions: Squid 3.x -> 3.5.27
> Squid 4.x -> 4.0.22
> Fixed in version: Squid 4.0.23
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect pointer handling Squid is vulnerable to denial
> of service attack when processing ESI responses or downloading
> intermediate CA certificates.
>
> __________________________________________________________________
>
> Severity:
>
> This problem allows a remote client delivering certain HTTP
> requests in conjunction with certain trusted server responses to
> trigger a denial of service for all clients accessing the Squid
> service.
> ...
> ***SNAP***
>
> Besides, they are "planning to remove the Custom XML parser used for ESI
> processing from the next Squid version" and have therefore launched a
> survey (RFC). No statement as to when this will happen.
>
> Best,
> Matthias
>
> > On Sat, 2018-01-20 at 18:50 +0100, Matthias Fischer wrote:
> > > First patch after a long time, for details see:
> > > http://www.squid-cache.org/Versions/v3/3.5/changesets/
> > >
> > > Best,
> > > Matthias
> > >
> > > Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> > > ---
> > > lfs/squid | 5 ++--
> > > src/patches/squid/SQUID-2018_1.patch | 28
> > > ++++++++++++++++++++++
> > > .../squid-3.5.27-fix-max-file-descriptors.patch | 0
> > > 3 files changed, 31 insertions(+), 2 deletions(-)
> > > create mode 100644 src/patches/squid/SQUID-2018_1.patch
> > > rename src/patches/{ => squid}/squid-3.5.27-fix-max-file-
> > > descriptors.patch (100%)
> > >
> > > diff --git a/lfs/squid b/lfs/squid
> > > index 08583d0b9..ae4d7ea44 100644
> > > --- a/lfs/squid
> > > +++ b/lfs/squid
> > > @@ -1,7 +1,7 @@
> > > #########################################################################
> > > ######
> > > #
> > > #
> > > # IPFire.org - A linux based
> > > firewall #
> > > -# Copyright (C) 2007-2017 IPFire Team <info(a)ipfire.org>
> > > #
> > > +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org>
> > > #
> > > #
> > > #
> > > # This program is free software: you can redistribute it and/or
> > > modify #
> > > # it under the terms of the GNU General Public License as published
> > > by #
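Review bot: this hunk only bumps the copyright year, but the quoted copy is not applyable as-is: the mail client has re-wrapped the long lines, so the `#` border column is split onto its own line (`#########...` / `######`) and the same happens further down where `patch -Np0 -i $(DIR_SRC)/src/patches/squid-` continues on the next line. Apply the series from the git-send-email original (or the mbox) rather than from this quoted text, and consider `git am --scissors`-clean resends for review.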
> > > @@ -70,7 +70,8 @@ $(subst %,%_MD5,$(objects)) :
> > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > @$(PREBUILD)
> > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf
> > > $(DIR_DL)/$(DL_FILE)
> > > - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-
> > > 3.5.27-fix-max-file-descriptors.patch
> > > + cd $(DIR_APP) && patch -Np1 -i
> > > $(DIR_SRC)/src/patches/squid/SQUID-2018_1.patch
> > > + cd $(DIR_APP) && patch -Np0 -i
> > > $(DIR_SRC)/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
> > >
> > > cd $(DIR_APP) && autoreconf -vfi
> > > cd $(DIR_APP)/libltdl && autoreconf -vfi
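Review bot: the strip levels are consistent with the files being applied: `-Np1` for SQUID-2018_1.patch matches the `a/src/esi/...` and `b/src/esi/...` prefixes of the upstream git patch, while the renamed squid-3.5.27-fix-max-file-descriptors.patch keeps its old `-Np0`. Both commands now point at `src/patches/squid/`, which matches the rename at the end of this series; the old path `src/patches/squid-3.5.27-fix-max-file-descriptors.patch` no longer exists after the rename, so the two changes must land together.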
> > > diff --git a/src/patches/squid/SQUID-2018_1.patch
> > > b/src/patches/squid/SQUID-2018_1.patch
> > > new file mode 100644
> > > index 000000000..9392219a9
> > > --- /dev/null
> > > +++ b/src/patches/squid/SQUID-2018_1.patch
> > > @@ -0,0 +1,28 @@
> > > +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9
> > > (refs/remotes/origin/v3.5)
> > > +Author: Amos Jeffries <yadij(a)users.noreply.github.com>
> > > +Date: 2018-01-19 13:54:14 +1300
> > > +
> > > + ESI: make sure endofName never exceeds tagEnd (#130)
> > > +
> > > +diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc
> > > +index d86d2d3..db634d9 100644
> > > +--- a/src/esi/CustomParser.cc
> > > ++++ b/src/esi/CustomParser.cc
> > > +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse,
> > > size_t const lengthOfData, bool
> > > +
> > > + char * endofName = strpbrk(const_cast<char *>(tag),
> > > w_space);
> > > +
> > > +- if (endofName > tagEnd)
> > > ++ if (!endofName || endofName > tagEnd)
> > > + endofName = const_cast<char *>(tagEnd);
> > > +
> > > + *endofName = '\0';
> > > +@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse,
> > > size_t const lengthOfData, bool
> > > +
> > > + char * endofName = strpbrk(const_cast<char *>(tag),
> > > w_space);
> > > +
> > > +- if (endofName > tagEnd)
> > > ++ if (!endofName || endofName > tagEnd)
> > > + endofName = const_cast<char *>(tagEnd);
> > > +
> > > + *endofName = '\0';
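Review bot: the `!endofName` test added in both hunks is the whole fix, and the old code really did need it: `strpbrk()` returns NULL when no `w_space` character follows `tag`, the old `if (endofName > tagEnd)` does not catch NULL, and the unconditional `*endofName = '\0';` two lines later then writes to address zero and takes the worker down (the "incorrect pointer handling" of SQUID-2018:1). The same block is patched identically at lines 121 and 214 of CustomParser.cc, so any later upstream follow-up touching one copy should be checked against the other. The `(refs/remotes/origin/v3.5)` decoration on the first `commit` line is harmless to `patch`, but stripping it keeps the vendored patch identical to what `git format-patch` produces.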
> > > diff --git a/src/patches/squid-3.5.27-fix-max-file-descriptors.patch
> > > b/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
> > > similarity index 100%
> > > rename from src/patches/squid-3.5.27-fix-max-file-descriptors.patch
> > > rename to src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
>
>
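The pointer-handling bug the advisory and the SQUID-2018_1 hunks describe, as an added example that is not Squid's code: a simplified stand-in for the endofName computation in ESICustomParser::parse, with the pre-patch check beside the patched one. The function names, the whitespace set and the sample tags are assumptions made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed whitespace set standing in for Squid's w_space. */
static const char *W_SPACE = " \t\r\n";

/* Pre-patch logic (hypothetical name). strpbrk() returns NULL when no
 * whitespace follows `tag`; NULL > tagEnd is false, so NULL is handed back
 * and Squid's following `*endofName = '\0'` writes to address zero. */
const char *end_of_name_old(const char *tag, const char *tagEnd) {
    const char *endofName = strpbrk(tag, W_SPACE);
    if (endofName > tagEnd)
        endofName = tagEnd;
    return endofName; /* may be NULL */
}

/* Patched logic (SQUID-2018_1): a NULL result is treated like "past the
 * end", so the name is terminated at tagEnd instead of at NULL. */
const char *end_of_name_new(const char *tag, const char *tagEnd) {
    const char *endofName = strpbrk(tag, W_SPACE);
    if (!endofName || endofName > tagEnd)
        endofName = tagEnd;
    return endofName; /* never NULL for a valid tagEnd */
}

/* Demonstration wrappers: name length each variant computes when the
 * scanned tag spans the first `len` bytes; -1 where the old code returns
 * the NULL pointer that the caller would then dereference. */
long name_len_old(const char *tag, size_t len) {
    const char *e = end_of_name_old(tag, tag + len);
    return e ? (long)(e - tag) : -1;
}

long name_len_new(const char *tag, size_t len) {
    return (long)(end_of_name_new(tag, tag + len) - tag);
}

int main(void) {
    /* Constructed sample tag bodies: with whitespace, without, and with
     * whitespace only beyond tagEnd (the case the old `> tagEnd` clamps). */
    const char *samples[] = { "include src=\"/a\"", "include", "trying x" };
    size_t lens[] = { 16, 7, 3 };
    for (int i = 0; i < 3; i++)
        printf("%-20s old=%ld new=%ld\n", samples[i],
               name_len_old(samples[i], lens[i]),
               name_len_new(samples[i], lens[i]));
    return 0;
}
```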