This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 7323724196db7b63d83bea9774e2b1356b1854aa (commit) from 726a85b8c10d4b991c7944b19a1f4c54621c5079 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 7323724196db7b63d83bea9774e2b1356b1854aa Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 7 22:15:31 2013 +0200
squid: Fix two security issues.
* CVE-2013-4115 * CVE-2013-4123
http://www.squid-cache.org/Versions/v3/3.1/changesets/
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/{71 => 72}/filelists/squid | 0 lfs/squid | 3 + src/patches/squid-3.1-10486.patch | 54 ++++++++++++++++++ src/patches/squid-3.1-10487.patch | 73 ++++++++++++++++++++++++ 4 files changed, 130 insertions(+) copy config/rootfiles/core/{71 => 72}/filelists/squid (100%) create mode 100644 src/patches/squid-3.1-10486.patch create mode 100644 src/patches/squid-3.1-10487.patch
Difference in files:
diff --git a/config/rootfiles/core/72/filelists/squid b/config/rootfiles/core/72/filelists/squid
new file mode 120000
index 0000000..2dc8372
--- /dev/null
+++ b/config/rootfiles/core/72/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/lfs/squid b/lfs/squid
index fde8606..81118c2 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -71,6 +71,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xjf $(DIR_DL)/$(DL_FILE)
 
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10486.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.1-10487.patch
+
 cd $(DIR_APP) && ./configure --prefix=/usr --disable-nls \
 --datadir=/usr/lib/squid \
 --mandir=/usr/share/man --libexecdir=/usr/lib/squid \
diff --git a/src/patches/squid-3.1-10486.patch b/src/patches/squid-3.1-10486.patch
new file mode 100644
index 0000000..6a0388e
--- /dev/null
+++ b/src/patches/squid-3.1-10486.patch
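Review bot: The two added `patch` lines give no hint of which advisory each file addresses, and the commit message's CVE-2013-4115 and CVE-2013-4123 do not appear in either patch header, which name only Bug 3790 and SQUID-2013:2. A comment above the lines would let a later maintainer decide when the patches can be dropped, for example `# 10486: Bug 3790, cachemgr.cgi crash with authentication` and `# 10487: SQUID-2013:2, buffer overrun in DNS query generation`. If one of the listed CVEs is not covered by these two changesets, the commit message should say so. The recipe continues outside the hunk.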
@@ -0,0 +1,54 @@
+------------------------------------------------------------
+revno: 10486
+revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l
+fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790
+author: Reinhard Sojka reinhard.sojka@parlament.gv.at
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: SQUID_3_1
+timestamp: Fri 2013-02-22 04:13:25 -0700
+message:
+ Bug 3790: cachemgr.cgi crash with authentication
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches%5C
+# /SQUID_3_1
+# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b
+# timestamp: 2013-02-22 11:17:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches%5C
+# /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130109021503-\
+# hqg7ufldrudpzr9l
+#
+# Begin patch
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc 2013-01-08 23:11:51 +0000
++++ tools/cachemgr.cc 2013-02-22 11:13:25 +0000
+@@ -1162,7 +1162,6 @@
+ {
+ static char buf[1024];
+ size_t stringLength = 0;
+- const char *str64;
+
+ if (!req->passwd)
+ return "";
+@@ -1171,15 +1170,12 @@
+ req->user_name ? req->user_name : "",
+ req->passwd);
+
+- str64 = base64_encode(buf);
+-
+- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
++ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
+
+ assert(stringLength < sizeof(buf));
+
+- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
++ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
+
+- xxfree(str64);
+ return buf;
+ }
+
+
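Review bot: The second `base64_encode(buf)` call, in the `Proxy-Authorization` line, runs after the first `snprintf` has already overwritten `buf` with the `Authorization: Basic ...` header, so it appears to encode that header text rather than the user:password string. The removed code encoded once into `str64` and reused it; keeping a single encoded value avoids the problem, e.g. `const char *str64 = base64_encode(buf);` before the first `snprintf` and `str64` as the argument in both calls, still without the `xxfree`. This assumes base64_encode returns storage that stays valid across both `snprintf` calls, which the patch does not show. The call that first fills `buf` starts outside the hunk.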
diff --git a/src/patches/squid-3.1-10487.patch b/src/patches/squid-3.1-10487.patch
new file mode 100644
index 0000000..2ca4848
--- /dev/null
+++ b/src/patches/squid-3.1-10487.patch
@@ -0,0 +1,73 @@
+------------------------------------------------------------
+revno: 10487
+revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
+author: Nathan Hoad nathan@getoffmalawn.com
+committer: Amos Jeffries squid3@treenet.co.nz
+branch nick: SQUID_3_1
+timestamp: Wed 2013-07-10 06:47:48 -0600
+message:
+ Protect against buffer overrun in DNS query generation
+
+ see SQUID-2013:2.
+
+ This bug has been present as long as the internal DNS component however
+ most code reaching this point is passing through URL validation first.
+ With Squid-3.2 Host header verification using DNS directly we may have
+ problems.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches%5C
+# /SQUID_3_1
+# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
+# timestamp: 2013-07-10 12:48:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches%5C
+# /SQUID_3_1
+# base_revision_id: squid3@treenet.co.nz-20130222111325-\
+# zizr296kq3te4g7h
+#
+# Begin patch
+=== modified file 'src/dns_internal.cc'
+--- src/dns_internal.cc 2011-10-11 02:12:56 +0000
++++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
+@@ -1532,22 +1532,26 @@
+ void
+ idnsALookup(const char *name, IDNSCB * callback, void *data)
+ {
+- unsigned int i;
++ size_t nameLength = strlen(name);
++
++ // Prevent buffer overflow on q->name
++ if (nameLength > NS_MAXDNAME) {
++ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
++ callback(data, NULL, 0, "Internal error");
++ return;
++ }
++
++ if (idnsCachedLookup(name, callback, data))
++ return;
++
++ idns_query *q = cbdataAlloc(idns_query);
++ q->id = idnsQueryID();
+ int nd = 0;
+- idns_query *q;
+-
+- if (idnsCachedLookup(name, callback, data))
+- return;
+-
+- q = cbdataAlloc(idns_query);
+-
+- q->id = idnsQueryID();
+-
+- for (i = 0; i < strlen(name); i++)
++ for (unsigned int i = 0; i < nameLength; ++i)
+ if (name[i] == '.')
+ nd++;
+
+- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
++ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
+ q->do_searchpath = 1;
+ } else {
+ q->do_searchpath = 0;
+
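Review bot: An empty `name` is still not handled in the new idnsALookup code: with `nameLength == 0`, the expression `name[nameLength-1]` in the `res_defnames` test indexes with a wrapped `size_t` and reads outside the string. The added length check only rejects names longer than NS_MAXDNAME, so the test could become `if (Config.onoff.res_defnames && npc > 0 && nameLength > 0 && name[nameLength-1] != '.') {`, or the early guard could reject a zero length as well. Whether any caller can pass an empty name is not visible here, and the function body continues past the end of the hunk. The `>` comparison is also only safe if `q->name` holds NS_MAXDNAME + 1 bytes, which a short comment next to the check should state.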