For details see: http://www.squid-cache.org/Versions/v3/3.5/changesets/
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squid | 2 + ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 +++++++++++++++++++ ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ++++++ 3 files changed, 96 insertions(+) create mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch create mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
diff --git a/lfs/squid b/lfs/squid index cae56407c..11b84d719 100644 --- a/lfs/squid +++ b/lfs/squid @@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch new file mode 100644 index 000000000..fadb1d48c --- /dev/null +++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch @@ -0,0 +1,72 @@ +commit f1657a9decc820f748fa3aff68168d3145258031 +Author: Christos Tsantilas christos@chtsanti.net +Date: 2018-10-17 15:14:07 +0000 + + Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) + + %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all + ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. + + Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). + + Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. + + TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. + + This is a Measurement Factory project. + +diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc +index b5030e3..314e998 100644 +--- a/src/ssl/ErrorDetail.cc ++++ b/src/ssl/ErrorDetail.cc +@@ -8,6 +8,8 @@ + + #include "squid.h" + #include "errorpage.h" ++#include "fatal.h" ++#include "html_quote.h" + #include "ssl/ErrorDetail.h" + + #include <climits> +@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } +@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const + static String tmpStr; ///< A temporary string buffer + tmpStr.clean(); + Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); +- if (tmpStr.size()) +- return tmpStr.termedBuf(); ++ if (tmpStr.size()) { ++ // quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpStr.termedBuf()); ++ } + } + return "[Not available]"; + } +@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate issuer subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch new file mode 100644 index 000000000..2ae034c20 --- /dev/null +++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch @@ -0,0 +1,22 @@ +commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) +Author: flozilla fishyflow@gmail.com +Date: 2018-10-24 14:12:01 +0200 + + Fix memory leak when parsing SNMP packet (#313) + + SNMP queries denied by snmp_access rules and queries with certain + unsupported SNMPv2 commands were leaking a few hundred bytes each. Such + queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. + +diff --git a/src/snmp_core.cc b/src/snmp_core.cc +index c4d21c1..16c2993 100644 +--- a/src/snmp_core.cc ++++ b/src/snmp_core.cc +@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); ++ snmp_free_pdu(PDU); + } + xfree(Community); +