diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-01 09:10:24 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-01 09:10:24 +0000 |
commit | 9776eb2bd0cf7072e7360f5a4650a078eaec2ce8 (patch) | |
tree | 2199f9a39159f4422d7ae06e174e6c63b57223e0 | |
parent | 9eecaa8c1812ea6b2341633a5475c179c4d58917 (diff) | |
download | aports-9776eb2bd0cf7072e7360f5a4650a078eaec2ce8.tar.bz2 aports-9776eb2bd0cf7072e7360f5a4650a078eaec2ce8.tar.xz |
fixes #3388
-rw-r--r-- | main/squid/APKBUILD | 6 | ||||
-rw-r--r-- | main/squid/CVE-2014-6270.patch | 55 | ||||
-rw-r--r-- | main/squid/CVE-2014-7141-CVE-2014-7142.patch | 276 |
3 files changed, 336 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index a96b7bf7e6..3dd3a4bd6a 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=squid pkgver=3.2.13 -pkgrel=2 +pkgrel=3 pkgdesc="A full-featured Web proxy cache server." url="http://www.squid-cache.org" install="squid.pre-install squid.pre-upgrade" @@ -24,6 +24,8 @@ source="http://www.squid-cache.org/Versions/v3/3.2/squid-$pkgver.tar.bz2 bug-3679.patch CVE-2014-0128.patch CVE-2014-3609.patch + CVE-2014-6270.patch + CVE-2014-7141-CVE-2014-7142.patch squid.initd squid.confd $pkgname.logrotate @@ -113,6 +115,8 @@ c60237de253c02937f272d3b189d7679 cf_gen-pthread.patch 9e71076799d334faba6f4954594e7b4a bug-3679.patch 7a631b0300d090d89567df8090f5368e CVE-2014-0128.patch 001e68add93e0cea63861f93e698fd49 CVE-2014-3609.patch +07a598c16ffb39eded2cdaf5227ca8b9 CVE-2014-6270.patch +91dda396ace52af1a620096583ad80e6 CVE-2014-7141-CVE-2014-7142.patch 905e57c6d41414f54a75a5c0f9f7fac7 squid.initd 2897c725c201be53d3c9a7db0101bdf0 squid.confd 58823e0b86bc2dc71d270208b7b284b4 squid.logrotate" diff --git a/main/squid/CVE-2014-6270.patch b/main/squid/CVE-2014-6270.patch new file mode 100644 index 0000000000..fb44296048 --- /dev/null +++ b/main/squid/CVE-2014-6270.patch @@ -0,0 +1,55 @@ +------------------------------------------------------------ +revno: 11829 +revision-id: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi +parent: squid3@treenet.co.nz-20140827143622-aj6y1q5khr7txsa7 +author: Sebastian Krahmer <krahmer@suse.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.2 +timestamp: Sun 2014-09-14 22:59:53 -0600 +message: + Fix off by one in SNMP subsystem +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi +# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_2 +# testament_sha1: 722ff754af8134e95151b02afc67dc3c9f4a32b1 +# timestamp: 2014-09-15 11:09:35 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_2 +# base_revision_id: squid3@treenet.co.nz-20140827143622-\ +# aj6y1q5khr7txsa7 +# +# Begin patch +=== modified file 'src/snmp_core.cc' +--- a/src/snmp_core.cc 2012-10-17 00:39:25 +0000 ++++ b/src/snmp_core.cc 2014-09-15 04:59:53 +0000 +@@ -356,7 +356,7 @@ + void + snmpHandleUdp(int sock, void *not_used) + { +- LOCAL_ARRAY(char, buf, SNMP_REQUEST_SIZE); ++ static char buf[SNMP_REQUEST_SIZE]; + Ip::Address from; + snmp_request_t *snmp_rq; + int len; +@@ -365,16 +365,11 @@ + + Comm::SetSelect(sock, COMM_SELECT_READ, snmpHandleUdp, NULL, 0); + +- memset(buf, '\0', SNMP_REQUEST_SIZE); ++ memset(buf, '\0', sizeof(buf)); + +- len = comm_udp_recvfrom(sock, +- buf, +- SNMP_REQUEST_SIZE, +- 0, +- from); ++ len = comm_udp_recvfrom(sock, buf, sizeof(buf)-1, 0, from); + + if (len > 0) { +- buf[len] = '\0'; + debugs(49, 3, "snmpHandleUdp: FD " << sock << ": received " << len << " bytes from " << from << "."); + + snmp_rq = (snmp_request_t *)xcalloc(1, sizeof(snmp_request_t)); + diff --git a/main/squid/CVE-2014-7141-CVE-2014-7142.patch b/main/squid/CVE-2014-7141-CVE-2014-7142.patch new file mode 100644 index 0000000000..92565b72ea --- /dev/null +++ b/main/squid/CVE-2014-7141-CVE-2014-7142.patch @@ -0,0 +1,276 @@ +------------------------------------------------------------ +revno: 11830 +revision-id: squid3@treenet.co.nz-20140915050818-gew57hl047sfjgdq +parent: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi +author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.2 +timestamp: Sun 2014-09-14 23:08:18 -0600 +message: + Fix various ICMP handling issues in Squid pinger + + * ICMP code type logging display could over-read the registered type + string arrays. + + * Malformed ICMP packets were accepted into processing with undefined + and potentially nasty results. + + Both sets of flaws can result in pinger segmentation fault and halting + the Squid functionality relying on pinger for correct operation. + + Thanks to the OpenSUSE project for analysis and resolution of these. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140915050818-gew57hl047sfjgdq +# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_2 +# testament_sha1: 1776c91a347d6f1d76529018f8b39824544b3246 +# timestamp: 2014-09-15 11:09:37 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\ +# /SQUID_3_2 +# base_revision_id: squid3@treenet.co.nz-20140915045953-\ +# 80r0d5mn4ztghldi +# +# Begin patch +=== modified file 'src/icmp/Icmp4.cc' +--- a/src/icmp/Icmp4.cc 2013-01-28 09:59:18 +0000 ++++ b/src/icmp/Icmp4.cc 2014-09-15 05:08:18 +0000 +@@ -42,26 +42,38 @@ + #include "IcmpPinger.h" + #include "Debug.h" + +-const char *icmpPktStr[] = { +- "Echo Reply", +- "ICMP 1", +- "ICMP 2", +- "Destination Unreachable", +- "Source Quench", +- "Redirect", +- "ICMP 6", +- "ICMP 7", +- "Echo", +- "ICMP 9", +- "ICMP 10", +- "Time Exceeded", +- "Parameter Problem", +- "Timestamp", +- "Timestamp Reply", +- "Info Request", +- "Info Reply", +- "Out of Range Type" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ static const char *icmpPktStr[] = { ++ "Echo Reply", ++ "ICMP 1", ++ "ICMP 2", ++ "Destination Unreachable", ++ "Source Quench", ++ "Redirect", ++ "ICMP 6", ++ "ICMP 7", ++ "Echo", ++ "ICMP 9", ++ "ICMP 10", ++ "Time Exceeded", ++ "Parameter Problem", ++ "Timestamp", ++ "Timestamp Reply", ++ "Info Request", ++ "Info Reply", ++ "Out of Range Type" ++ }; ++ ++ if (v > 17) { ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v); ++ return buf; ++ } ++ ++ return icmpPktStr[v]; ++} + + Icmp4::Icmp4() : Icmp() + { +@@ -188,6 +200,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -244,9 +262,15 @@ + + preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ); + ++ if (preply.psize < 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) ); + +- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops); ++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops); + preply.from.FreeAddrInfo(from); + } + + +=== modified file 'src/icmp/Icmp6.cc' +--- a/src/icmp/Icmp6.cc 2013-01-28 09:59:18 +0000 ++++ b/src/icmp/Icmp6.cc 2014-09-15 05:08:18 +0000 +@@ -51,57 +51,61 @@ + + // Icmp6 OP-Codes + // see http://www.iana.org/assignments/icmpv6-parameters +-// NP: LowPktStr is for codes 0-127 +-static const char *icmp6LowPktStr[] = { +- "ICMP 0", // 0 +- "Destination Unreachable", // 1 - RFC2463 +- "Packet Too Big", // 2 - RFC2463 +- "Time Exceeded", // 3 - RFC2463 +- "Parameter Problem", // 4 - RFC2463 +- "ICMP 5", // 5 +- "ICMP 6", // 6 +- "ICMP 7", // 7 +- "ICMP 8", // 8 +- "ICMP 9", // 9 +- "ICMP 10" // 10 +-}; +- +-// NP: HighPktStr is for codes 128-255 +-static const char *icmp6HighPktStr[] = { +- "Echo Request", // 128 - RFC2463 +- "Echo Reply", // 129 - RFC2463 +- "Multicast Listener Query", // 130 - RFC2710 +- "Multicast Listener Report", // 131 - RFC2710 +- "Multicast Listener Done", // 132 - RFC2710 +- "Router Solicitation", // 133 - RFC4861 +- "Router Advertisement", // 134 - RFC4861 +- "Neighbor Solicitation", // 135 - RFC4861 +- "Neighbor Advertisement", // 136 - RFC4861 +- "Redirect Message", // 137 - RFC4861 +- "Router Renumbering", // 138 - Crawford +- "ICMP Node Information Query", // 139 - RFC4620 +- "ICMP Node Information Response", // 140 - RFC4620 +- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 +- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 +- "Version 2 Multicast Listener Report", // 143 - RFC3810 +- "Home Agent Address Discovery Request", // 144 - RFC3775 +- "Home Agent Address Discovery Reply", // 145 - RFC3775 +- "Mobile Prefix Solicitation", // 146 - RFC3775 +- "Mobile Prefix Advertisement", // 147 - RFC3775 +- "Certification Path Solicitation", // 148 - RFC3971 +- "Certification Path Advertisement", // 149 - RFC3971 +- "ICMP Experimental (150)", // 150 - RFC4065 +- "Multicast Router Advertisement", // 151 - RFC4286 +- "Multicast Router Solicitation", // 152 - RFC4286 +- "Multicast Router Termination", // 153 - [RFC4286] +- "ICMP 154", +- "ICMP 155", +- "ICMP 156", +- "ICMP 157", +- "ICMP 158", +- "ICMP 159", +- "ICMP 160" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ // NP: LowPktStr is for codes 0-127 ++ static const char *icmp6LowPktStr[] = { ++ "ICMPv6 0", // 0 ++ "Destination Unreachable", // 1 - RFC2463 ++ "Packet Too Big", // 2 - RFC2463 ++ "Time Exceeded", // 3 - RFC2463 ++ "Parameter Problem", // 4 - RFC2463 ++ }; ++ ++ // low codes 1-4 registered ++ if (0 < v && v < 5) ++ return icmp6LowPktStr[(int)(v&0x7f)]; ++ ++ // NP: HighPktStr is for codes 128-255 ++ static const char *icmp6HighPktStr[] = { ++ "Echo Request", // 128 - RFC2463 ++ "Echo Reply", // 129 - RFC2463 ++ "Multicast Listener Query", // 130 - RFC2710 ++ "Multicast Listener Report", // 131 - RFC2710 ++ "Multicast Listener Done", // 132 - RFC2710 ++ "Router Solicitation", // 133 - RFC4861 ++ "Router Advertisement", // 134 - RFC4861 ++ "Neighbor Solicitation", // 135 - RFC4861 ++ "Neighbor Advertisement", // 136 - RFC4861 ++ "Redirect Message", // 137 - RFC4861 ++ "Router Renumbering", // 138 - Crawford ++ "ICMP Node Information Query", // 139 - RFC4620 ++ "ICMP Node Information Response", // 140 - RFC4620 ++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 ++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 ++ "Version 2 Multicast Listener Report", // 143 - RFC3810 ++ "Home Agent Address Discovery Request", // 144 - RFC3775 ++ "Home Agent Address Discovery Reply", // 145 - RFC3775 ++ "Mobile Prefix Solicitation", // 146 - RFC3775 ++ "Mobile Prefix Advertisement", // 147 - RFC3775 ++ "Certification Path Solicitation", // 148 - RFC3971 ++ "Certification Path Advertisement", // 149 - RFC3971 ++ "ICMP Experimental (150)", // 150 - RFC4065 ++ "Multicast Router Advertisement", // 151 - RFC4286 ++ "Multicast Router Solicitation", // 152 - RFC4286 ++ "Multicast Router Termination", // 153 - [RFC4286] ++ }; ++ ++ // high codes 127-153 registered ++ if (127 < v && v < 154) ++ return icmp6HighPktStr[(int)(v&0x7f)]; ++ ++ // give all others a generic display ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v); ++ return buf; ++} + + Icmp6::Icmp6() : Icmp() + { +@@ -238,6 +242,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -294,8 +304,7 @@ + + default: + debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " << +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ) +- ); ++ IcmpPacketType(icmp6header->icmp6_type)); + } + preply.from.FreeAddrInfo(from); + return; +@@ -334,7 +343,7 @@ + + Log(preply.from, + icmp6header->icmp6_type, +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ), ++ IcmpPacketType(icmp6header->icmp6_type), + preply.rtt, + preply.hops); + + |