From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid 3.5.27: latest patch from upstream (2018_1))
Date: Mon, 22 Jan 2018 11:21:22 +0100
Message-ID: <d6f4a268-c0cb-b2ea-a000-68c04bf564b6@ipfire.org>
In-Reply-To: <1516561605.2373.4.camel@ipfire.org>
Hi,
On 21.01.2018 20:06, Michael Tremer wrote:
> Do we even use ESI?
Still don't know if we are affected by this. In the meantime I got two
more detailed announcements concerning this.
This is the one I sent in for 3.5.27:
***SNIP***
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2018:1
__________________________________________________________________
Advisory ID: SQUID-2018:1
Date: Jan 19, 2018
Summary: Denial of Service issue
in ESI Response processing.
Affected versions: Squid 3.x -> 3.5.27
Squid 4.x -> 4.0.22
Fixed in version: Squid 4.0.23
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
_________________________________________________________________
Severity:
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
This problem is limited to the Squid custom ESI parser.
Squid built to use libxml2 or libexpat XML parsers do not have
this problem.
***SNAP***
The next one - also for 3.5.27 - came today, 'Devel' is running:
***SNIP***
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________
Advisory ID: SQUID-2018:2
Date: Jan 19, 2018
Summary: Denial of Service issue
in HTTP Message processing.
Affected versions: Squid 3.x -> 3.5.27
Squid 4.x -> 4.0.22
Fixed in version: Squid 4.0.23
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
__________________________________________________________________
Severity:
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
...
***SNAP***
Besides, they are "planning to remove the Custom XML parser used for ESI
processing from the next Squid version" and have therefore launched a
survey (RFC). No statement as to when this will happen.
Best,
Matthias
> On Sat, 2018-01-20 at 18:50 +0100, Matthias Fischer wrote:
>> First patch after a long time, for details see:
>> http://www.squid-cache.org/Versions/v3/3.5/changesets/
>>
>> Best,
>> Matthias
>>
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>> lfs/squid | 5 ++--
>> src/patches/squid/SQUID-2018_1.patch | 28 ++++++++++++++++++++++
>> .../squid-3.5.27-fix-max-file-descriptors.patch | 0
>> 3 files changed, 31 insertions(+), 2 deletions(-)
>> create mode 100644 src/patches/squid/SQUID-2018_1.patch
>> rename src/patches/{ => squid}/squid-3.5.27-fix-max-file-descriptors.patch (100%)
>>
>> diff --git a/lfs/squid b/lfs/squid
>> index 08583d0b9..ae4d7ea44 100644
>> --- a/lfs/squid
>> +++ b/lfs/squid
>> @@ -1,7 +1,7 @@
>> ###############################################################################
>> # #
>> # IPFire.org - A linux based firewall #
>> -# Copyright (C) 2007-2017 IPFire Team <info(a)ipfire.org> #
>> +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> #
>> # #
>> # This program is free software: you can redistribute it and/or modify #
>> # it under the terms of the GNU General Public License as published by #
>> @@ -70,7 +70,8 @@ $(subst %,%_MD5,$(objects)) :
>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
>> - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.27-fix-max-file-descriptors.patch
>> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/SQUID-2018_1.patch
>> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
>>
>> cd $(DIR_APP) && autoreconf -vfi
>> cd $(DIR_APP)/libltdl && autoreconf -vfi
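Review bot: the added `patch -Np1` line in the build recipe sits directly above the existing `-Np0` call, so the two files in src/patches/squid/ are now applied with different strip levels and nothing in the recipe says why. A short comment that SQUID-2018_1.patch is an unmodified upstream git diff with a/ and b/ prefixes would stop someone from aligning the two later. The commit message also only links the 3.5 changesets index; naming the advisory (SQUID-2018:1) there would make the reason for the patch findable from the log.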
>> diff --git a/src/patches/squid/SQUID-2018_1.patch b/src/patches/squid/SQUID-2018_1.patch
>> new file mode 100644
>> index 000000000..9392219a9
>> --- /dev/null
>> +++ b/src/patches/squid/SQUID-2018_1.patch
>> @@ -0,0 +1,28 @@
>> +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
>> +Author: Amos Jeffries <yadij(a)users.noreply.github.com>
>> +Date: 2018-01-19 13:54:14 +1300
>> +
>> + ESI: make sure endofName never exceeds tagEnd (#130)
>> +
>> +diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc
>> +index d86d2d3..db634d9 100644
>> +--- a/src/esi/CustomParser.cc
>> ++++ b/src/esi/CustomParser.cc
>> +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
>> +
>> + char * endofName = strpbrk(const_cast<char *>(tag), w_space);
>> +
>> +- if (endofName > tagEnd)
>> ++ if (!endofName || endofName > tagEnd)
>> + endofName = const_cast<char *>(tagEnd);
>> +
>> + *endofName = '\0';
>> +@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
>> +
>> + char * endofName = strpbrk(const_cast<char *>(tag), w_space);
>> +
>> +- if (endofName > tagEnd)
>> ++ if (!endofName || endofName > tagEnd)
>> + endofName = const_cast<char *>(tagEnd);
>> +
>> + *endofName = '\0';
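Review bot: the header lines of the new SQUID-2018_1.patch carry the upstream commit id and subject but not the advisory it belongs to; adding the SQUID-2018:1 URL there would document why the file is carried. On the embedded change, at both sites in CustomParser.cc (around lines 121 and 214) the added `!endofName` test covers strpbrk() returning NULL, which the old `endofName > tagEnd` comparison did not catch before `*endofName = '\0'`. That store still writes at tagEnd through a const_cast, and these lines do not show that tagEnd is a writable position inside the buffer, so it is worth checking in the upstream source. The reply above also quotes SQUID-2018:2 for the same 3.5.27 release, which this file does not cover.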
>> diff --git a/src/patches/squid-3.5.27-fix-max-file-descriptors.patch b/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
>> similarity index 100%
>> rename from src/patches/squid-3.5.27-fix-max-file-descriptors.patch
>> rename to src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
>
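For the question quoted at the top of this message (whether ESI is in use at all), a check along these lines separates a build without ESI, a build using the custom parser named in SQUID-2018:1, and a build using libxml2 or expat. It is an added example, not part of the thread or of IPFire's or Squid's code: `esi_exposure` is a hypothetical helper, the sample inputs are constructed, and the fallback to the custom parser when `esi_parser` is unset is an assumption about 3.5.x.

```shell
#!/bin/sh
# Added example (not from the thread): classify exposure to SQUID-2018:1.
# $1 = text printed by `squid -v`, $2 = contents of squid.conf.
esi_exposure() {
    version_out=$1
    conf=$2

    # `squid -v` prints the build flags on a "configure options:" line.
    opts=$(printf '%s\n' "$version_out" | sed -n 's/^configure options://p')

    case "$opts" in
        *--disable-esi*|*--enable-esi=no*) echo "not-built"; return 0 ;;
        *--enable-esi*) ;;   # ESI compiled in, check which parser is used
        *) echo "unknown-build-default"; return 0 ;;
    esac

    # Uncommented esi_parser lines only; assumption: the last one wins.
    parser=$(printf '%s\n' "$conf" |
        awk '$1 == "esi_parser" { p = $2 } END { print p }')

    # Assumption: 3.5.x falls back to the custom parser when unset.
    [ -n "$parser" ] || parser=custom

    case "$parser" in
        custom)        echo "custom-parser-affected" ;;
        libxml2|expat) echo "library-parser-$parser" ;;
        *)             echo "unrecognised-parser" ;;
    esac
}

# Constructed sample input, not taken from an IPFire system.
SAMPLE_VERSION="Squid Cache: Version 3.5.27
configure options:  '--prefix=/usr' '--enable-esi' '--disable-ipv6'"
SAMPLE_CONF="# esi_parser libxml2
http_port 3128"

esi_exposure "$SAMPLE_VERSION" "$SAMPLE_CONF"
# On a live system (config path is a placeholder):
#   esi_exposure "$(squid -v)" "$(cat /path/to/squid.conf)"
```

A result of `unknown-build-default` means neither switch appears in the build flags, so the answer depends on that Squid version's configure default and has to be checked separately.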