From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid 3.5.27: latest patch from upstream (2018_1))
Date: Mon, 22 Jan 2018 13:29:27 +0000
Message-ID: <1516627767.3647.172.camel@ipfire.org>

Why in god's name do they use their own XML parser?

On Mon, 2018-01-22 at 11:21 +0100, Matthias Fischer wrote:
> Hi,
>
> On 21.01.2018 20:06, Michael Tremer wrote:
> > Do we even use ESI?
>
> Still don't know if we are affected by this. In the meantime I got two
> more detailed announcements concerning this.
>
> This is the one I sent in for 3.5.27:
>
> ***SNIP***
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2018:1
> __________________________________________________________________
>
> Advisory ID:        SQUID-2018:1
> Date:               Jan 19, 2018
> Summary:            Denial of Service issue
>                     in ESI Response processing.
> Affected versions:  Squid 3.x -> 3.5.27
>                     Squid 4.x -> 4.0.22
> Fixed in version:   Squid 4.0.23
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect pointer handling Squid is vulnerable to denial
> of service attack when processing ESI responses.
>
> _________________________________________________________________
>
> Severity:
>
> This problem allows a remote server delivering certain ESI
> response syntax to trigger a denial of service for all clients
> accessing the Squid service.
>
> This problem is limited to the Squid custom ESI parser.
> Squid built to use libxml2 or libexpat XML parsers do not have
> this problem.
> ***SNAP***
>
> The next one - also for 3.5.27 - came today, 'Devel' is running:
>
> ***SNIP***
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2018:2
> __________________________________________________________________
>
> Advisory ID:        SQUID-2018:2
> Date:               Jan 19, 2018
> Summary:            Denial of Service issue
>                     in HTTP Message processing.
> Affected versions:  Squid 3.x -> 3.5.27
>                     Squid 4.x -> 4.0.22
> Fixed in version:   Squid 4.0.23
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
> __________________________________________________________________
>
> Problem Description:
>
> Due to incorrect pointer handling Squid is vulnerable to denial
> of service attack when processing ESI responses or downloading
> intermediate CA certificates.
>
> __________________________________________________________________
>
> Severity:
>
> This problem allows a remote client delivering certain HTTP
> requests in conjunction with certain trusted server responses to
> trigger a denial of service for all clients accessing the Squid
> service.
> ...
> ***SNAP***
>
> Besides, they are "planning to remove the Custom XML parser used for ESI
> processing from the next Squid version" and have therefore launched a
> survey (RFC). No statement as to when this will happen.
>
> Best,
> Matthias
>
> > On Sat, 2018-01-20 at 18:50 +0100, Matthias Fischer wrote:
> > > First patch after a long time, for details see:
> > > http://www.squid-cache.org/Versions/v3/3.5/changesets/
> > >
> > > Best,
> > > Matthias
> > >
> > > Signed-off-by: Matthias Fischer > > > --- > > > lfs/squid | 5 ++-- > > > src/patches/squid/SQUID-2018_1.patch | 28 > > > ++++++++++++++++++++++ > > > .../squid-3.5.27-fix-max-file-descriptors.patch | 0 > > > 3 files changed, 31 insertions(+), 2 deletions(-) > > > create mode 100644 src/patches/squid/SQUID-2018_1.patch > > > rename src/patches/{ =3D> squid}/squid-3.5.27-fix-max-file- > > > descriptors.patch (100%) > > >=20 > > > diff --git a/lfs/squid b/lfs/squid > > > index 08583d0b9..ae4d7ea44 100644 > > > --- a/lfs/squid > > > +++ b/lfs/squid > > > @@ -1,7 +1,7 @@ > > > ######################################################################= ### > > > ###### > > > # = =20 > > > # > > > # IPFire.org - A linux based > > > firewall # > > > -# Copyright (C) 2007-2017 IPFire Team = =20 > > > # > > > +# Copyright (C) 2007-2018 IPFire Team = =20 > > > # > > > # = =20 > > > # > > > # This program is free software: you can redistribute it and/or > > > modify # > > > # it under the terms of the GNU General Public License as published > > > by # > > > @@ -70,7 +70,8 @@ $(subst %,%_MD5,$(objects)) : > > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > > > @$(PREBUILD) > > > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf > > > $(DIR_DL)/$(DL_FILE) > > > - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid- > > > 3.5.27-fix-max-file-descriptors.patch > > > + cd $(DIR_APP) && patch -Np1 -i > > > $(DIR_SRC)/src/patches/squid/SQUID-2018_1.patch > > > + cd $(DIR_APP) && patch -Np0 -i > > > $(DIR_SRC)/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch > > > =20 > > > cd $(DIR_APP) && autoreconf -vfi > > > cd $(DIR_APP)/libltdl && autoreconf -vfi > > > diff --git a/src/patches/squid/SQUID-2018_1.patch > > > b/src/patches/squid/SQUID-2018_1.patch > > > new file mode 100644 > > > index 000000000..9392219a9 > > > --- /dev/null > > > +++ b/src/patches/squid/SQUID-2018_1.patch 
> > > @@ -0,0 +1,28 @@ > > > +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 > > > (refs/remotes/origin/v3.5) > > > +Author: Amos Jeffries > > > +Date: 2018-01-19 13:54:14 +1300 > > > + > > > + ESI: make sure endofName never exceeds tagEnd (#130) > > > + > > > +diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc > > > +index d86d2d3..db634d9 100644 > > > +--- a/src/esi/CustomParser.cc > > > ++++ b/src/esi/CustomParser.cc > > > +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, > > > size_t const lengthOfData, bool > > > +=20 > > > + char * endofName =3D strpbrk(const_cast(tag), > > > w_space); > > > +=20 > > > +- if (endofName > tagEnd) > > > ++ if (!endofName || endofName > tagEnd) > > > + endofName =3D const_cast(tagEnd); > > > +=20 > > > + *endofName =3D '\0'; > > > +@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, > > > size_t const lengthOfData, bool > > > +=20 > > > + char * endofName =3D strpbrk(const_cast(tag), > > > w_space); > > > +=20 > > > +- if (endofName > tagEnd) > > > ++ if (!endofName || endofName > tagEnd) > > > + endofName =3D const_cast(tagEnd); > > > +=20 > > > + *endofName =3D '\0'; 
> > > diff --git a/src/patches/squid-3.5.27-fix-max-file-descriptors.patch > > > b/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch > > > similarity index 100% > > > rename from src/patches/squid-3.5.27-fix-max-file-descriptors.patch > > > rename to src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
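
Review bot: in the lfs/squid hunk at @@ -70,7 +70,8 @@, the two patch invocations now use different strip levels (-Np1 for SQUID-2018_1.patch, -Np0 for squid-3.5.27-fix-max-file-descriptors.patch) and nothing in the recipe says why. -Np1 matches the a/ and b/ prefixes of the upstream diff, so the new line is right as written, but a one-line comment above it, or regenerating the older patch for -p1, would stop a later cleanup from "aligning" the two and breaking one of them. The commit message would also benefit from naming the advisory (SQUID-2018:1) so that the security relevance is visible in the log and not only in the file name.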
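
Review bot: in the new src/patches/squid/SQUID-2018_1.patch, both changed sites (@@ -121 and @@ -214 of src/esi/CustomParser.cc) add the "!endofName" test but still fall through to "*endofName = '\0'" with endofName taken from tagEnd, and the context lines do not show where tagEnd is set. The added test covers the case where strpbrk() finds no whitespace and returns a null pointer; before merging, confirm in the unpacked 3.5.27 source that tagEnd is always non-null and inside the parsed buffer at both sites, because the hunk alone cannot show that. Since the file is a verbatim copy of upstream commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9, keep its content unmodified so it can be dropped cleanly once a release containing the fix is packaged.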