Hi,
On 21.01.2018 20:06, Michael Tremer wrote:
Do we even use ESI?
Still don't know if we are affected by this. In the meantime I got two more detailed announcements concerning this.
This is the one I sent in for 3.5.27:
***SNIP***
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2018:1
__________________________________________________________________
Advisory ID: SQUID-2018:1
Date: Jan 19, 2018
Summary: Denial of Service issue in ESI Response processing.
Affected versions: Squid 3.x -> 3.5.27
Squid 4.x -> 4.0.22
Fixed in version: Squid 4.0.23
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses.
_________________________________________________________________
Severity:
This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.
This problem is limited to the Squid custom ESI parser. Squid built to use libxml2 or libexpat XML parsers do not have this problem.
***SNAP***
The next one - also for 3.5.27 - came today, 'Devel' is running:
***SNIP***
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________
Advisory ID: SQUID-2018:2
Date: Jan 19, 2018
Summary: Denial of Service issue in HTTP Message processing.
Affected versions: Squid 3.x -> 3.5.27
Squid 4.x -> 4.0.22
Fixed in version: Squid 4.0.23
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses or downloading intermediate CA certificates.
__________________________________________________________________
Severity:
This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.
...
***SNAP***
Besides, they are "planning to remove the Custom XML parser used for ESI processing from the next Squid version" and have therefore launched a survey (RFC). No statement as to when this will happen.
Best, Matthias
On Sat, 2018-01-20 at 18:50 +0100, Matthias Fischer wrote:
First patch after a long time, for details see: http://www.squid-cache.org/Versions/v3/3.5/changesets/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/squid                                          |  5 ++--
src/patches/squid/SQUID-2018_1.patch               | 28 ++++++++++++++++++++++
.../squid-3.5.27-fix-max-file-descriptors.patch    |  0
3 files changed, 31 insertions(+), 2 deletions(-)
create mode 100644 src/patches/squid/SQUID-2018_1.patch
rename src/patches/{ => squid}/squid-3.5.27-fix-max-file-descriptors.patch (100%)
diff --git a/lfs/squid b/lfs/squid index 08583d0b9..ae4d7ea44 100644 --- a/lfs/squid +++ b/lfs/squid @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -70,7 +70,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.27-fix-max-file-descriptors.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/SQUID-2018_1.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi
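Review bot: the strip levels in the @@ -70,7 +70,8 @@ hunk are consistent: the new `patch -Np1 -i $(DIR_SRC)/src/patches/squid/SQUID-2018_1.patch` line uses `-p1` because the embedded patch carries `a/src/esi/...` and `b/src/esi/...` prefixes, while the renamed file-descriptor patch keeps its `-p0`, and only its path changed. Two points the commit message leaves open and should state: whether this build enables ESI at all (the advisory quoted above limits the problem to Squid's custom ESI parser, and the thread's opening question "Do we even use ESI?" is still unanswered), and that SQUID-2018:2, which the thread says also affects 3.5.27, is not covered by this patch set, so lfs/squid will need a second patch line once an upstream 3.5 fix exists.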
diff --git a/src/patches/squid/SQUID-2018_1.patch b/src/patches/squid/SQUID-2018_1.patch new file mode 100644 index 000000000..9392219a9 --- /dev/null +++ b/src/patches/squid/SQUID-2018_1.patch @@ -0,0 +1,28 @@ +commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5) +Author: Amos Jeffries yadij@users.noreply.github.com +Date: 2018-01-19 13:54:14 +1300
- ESI: make sure endofName never exceeds tagEnd (#130)
+diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc +index d86d2d3..db634d9 100644 +--- a/src/esi/CustomParser.cc ++++ b/src/esi/CustomParser.cc +@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+- if (endofName > tagEnd) ++ if (!endofName || endofName > tagEnd)
endofName = const_cast<char *>(tagEnd);
*endofName = '\0';
+@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t const lengthOfData, bool
char * endofName = strpbrk(const_cast<char *>(tag), w_space);
+- if (endofName > tagEnd) ++ if (!endofName || endofName > tagEnd)
endofName = const_cast<char *>(tagEnd);
*endofName = '\0';
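Review bot: the one-token change is the right fix for the failure the advisory describes. `strpbrk()` scans to the NUL terminator, not to `tagEnd`, and returns NULL when no whitespace character follows `tag` anywhere in the buffer; the original `if (endofName > tagEnd)` does not catch NULL, so the unconditional `*endofName = '\0';` two lines later writes through a null pointer, which is the crash a crafted ESI response triggers. The added `!endofName` test routes that case to `tagEnd`, the same clamp already used for whitespace beyond the tag. The identical three lines appear at both call sites (the @@ -121 and @@ -214 hunks of CustomParser.cc), so keeping this vendored upstream commit (eb2db98a676321b814fc4a51c4fb7928a8bb45d9) verbatim is correct; adding the advisory URL (http://www.squid-cache.org/Advisories/SQUID-2018_1.txt) to the patch header would make the provenance easier to audit later.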
diff --git a/src/patches/squid-3.5.27-fix-max-file-descriptors.patch b/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch similarity index 100% rename from src/patches/squid-3.5.27-fix-max-file-descriptors.patch rename to src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
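As an added illustration (not Squid's code and not part of this thread), the tag-name scan that SQUID-2018_1.patch fixes, reduced to one standalone C function so the condition before and after the fix can be run on the same input. It assumes `w_space` is Squid's whitespace set `" \t\n\r"`, that `tag` starts right after `<` with `tagEnd` at the closing `>` as in the parser, and uses constructed documents; the function name and the return codes are this example's own. The unguarded branch reports the NULL case instead of dereferencing it, so the program itself does not crash:

```c
#include <stdio.h>
#include <string.h>

/* Assumption: Squid's w_space whitespace set. */
#define W_SPACE " \t\n\r"

/* Returns the length of the first tag's name, i.e. the bytes before the
 * first whitespace inside the tag.
 *   -2: no complete "<...>" tag in doc (a different parser path).
 *   -1 (unguarded only): strpbrk() found no whitespace anywhere after
 *       the tag, so the original code was left with endofName == NULL
 *       and crashed on its following "*endofName = '\0';". That write
 *       is modelled here, not performed. */
long first_tag_name_length(const char *doc, int guarded)
{
    const char *tag = strchr(doc, '<');
    if (!tag)
        return -2;
    ++tag;                               /* name starts after '<' */
    const char *tagEnd = strchr(tag, '>');
    if (!tagEnd)
        return -2;                       /* unterminated tag */

    /* strpbrk() scans to the NUL terminator, not to tagEnd, so it can
     * return whitespace beyond the tag (clamped below) or NULL. */
    const char *endofName = strpbrk(tag, W_SPACE);

    if (guarded) {
        /* Condition after the fix: NULL is clamped like an overrun. */
        if (!endofName || endofName > tagEnd)
            endofName = tagEnd;
    } else {
        /* Condition before the fix. The NULL case is reported instead of
         * compared: "NULL > tagEnd" is undefined in ISO C and evaluates
         * false on the flat address spaces Squid runs on, so endofName
         * stayed NULL and the next statement dereferenced it. */
        if (!endofName)
            return -1;
        if (endofName > tagEnd)
            endofName = tagEnd;
    }
    return (long)(endofName - tag);
}

int main(void)
{
    /* Constructed documents: whitespace inside the tag, whitespace only
     * after the tag, and no whitespace left at all (the crashing case). */
    const char *docs[] = {
        "<esi:include src=\"/x\"/>",
        "<esi:vars>\n",
        "<esi:vars>",
    };
    for (size_t i = 0; i < sizeof docs / sizeof docs[0]; ++i)
        printf("doc %zu: before fix = %3ld, after fix = %3ld\n", i,
               first_tag_name_length(docs[i], 0),
               first_tag_name_length(docs[i], 1));
    return 0;
}
```

Only the third document differs between the two conditions: the unguarded scan reports -1 (the would-be null write), the guarded one clamps to the `>` and yields the name length 8, which is why the patch is a complete fix for this path and why builds using libxml2 or libexpat, which never run this parser, are unaffected.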