main/sqiod: fix CVE-2014-6270, CVE-2014-7141 and CVE-2014-7142

fixes #3388

3 files changed, 336 insertions, 1 deletions

diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index a96b7bf7e6..3dd3a4bd6a 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squid
 pkgver=3.2.13
-pkgrel=2
+pkgrel=3
 pkgdesc="A full-featured Web proxy cache server."
 url="http://www.squid-cache.org"
 install="squid.pre-install squid.pre-upgrade"
@@ -24,6 +24,8 @@ source="http://www.squid-cache.org/Versions/v3/3.2/squid-$pkgver.tar.bz2
 	bug-3679.patch
 	CVE-2014-0128.patch
 	CVE-2014-3609.patch
+	CVE-2014-6270.patch
+	CVE-2014-7141-CVE-2014-7142.patch
 	squid.initd
 	squid.confd
 	$pkgname.logrotate
@@ -113,6 +115,8 @@ c60237de253c02937f272d3b189d7679  cf_gen-pthread.patch
 9e71076799d334faba6f4954594e7b4a  bug-3679.patch
 7a631b0300d090d89567df8090f5368e  CVE-2014-0128.patch
 001e68add93e0cea63861f93e698fd49  CVE-2014-3609.patch
+07a598c16ffb39eded2cdaf5227ca8b9  CVE-2014-6270.patch
+91dda396ace52af1a620096583ad80e6  CVE-2014-7141-CVE-2014-7142.patch
 905e57c6d41414f54a75a5c0f9f7fac7  squid.initd
 2897c725c201be53d3c9a7db0101bdf0  squid.confd
 58823e0b86bc2dc71d270208b7b284b4  squid.logrotate"
diff --git a/main/squid/CVE-2014-6270.patch b/main/squid/CVE-2014-6270.patch
new file mode 100644
index 0000000000..fb44296048
--- /dev/null
+++ b/main/squid/CVE-2014-6270.patch
@@ -0,0 +1,55 @@
+------------------------------------------------------------
+revno: 11829
+revision-id: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi
+parent: squid3@treenet.co.nz-20140827143622-aj6y1q5khr7txsa7
+author: Sebastian Krahmer <krahmer@suse.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.2
+timestamp: Sun 2014-09-14 22:59:53 -0600
+message:
+  Fix off by one in SNMP subsystem
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_2
+# testament_sha1: 722ff754af8134e95151b02afc67dc3c9f4a32b1
+# timestamp: 2014-09-15 11:09:35 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_2
+# base_revision_id: squid3@treenet.co.nz-20140827143622-\
+#   aj6y1q5khr7txsa7
+# 
+# Begin patch
+=== modified file 'src/snmp_core.cc'
+--- a/src/snmp_core.cc	2012-10-17 00:39:25 +0000
++++ b/src/snmp_core.cc	2014-09-15 04:59:53 +0000
+@@ -356,7 +356,7 @@
+ void
+ snmpHandleUdp(int sock, void *not_used)
+ {
+-    LOCAL_ARRAY(char, buf, SNMP_REQUEST_SIZE);
++    static char buf[SNMP_REQUEST_SIZE];
+     Ip::Address from;
+     snmp_request_t *snmp_rq;
+     int len;
+@@ -365,16 +365,11 @@
+ 
+     Comm::SetSelect(sock, COMM_SELECT_READ, snmpHandleUdp, NULL, 0);
+ 
+-    memset(buf, '\0', SNMP_REQUEST_SIZE);
++    memset(buf, '\0', sizeof(buf));
+ 
+-    len = comm_udp_recvfrom(sock,
+-                            buf,
+-                            SNMP_REQUEST_SIZE,
+-                            0,
+-                            from);
++    len = comm_udp_recvfrom(sock, buf, sizeof(buf)-1, 0, from);
+ 
+     if (len > 0) {
+-        buf[len] = '\0';
+         debugs(49, 3, "snmpHandleUdp: FD " << sock << ": received " << len << " bytes from " << from << ".");
+ 
+         snmp_rq = (snmp_request_t *)xcalloc(1, sizeof(snmp_request_t));
+
diff --git a/main/squid/CVE-2014-7141-CVE-2014-7142.patch b/main/squid/CVE-2014-7141-CVE-2014-7142.patch
new file mode 100644
index 0000000000..92565b72ea
--- /dev/null
+++ b/main/squid/CVE-2014-7141-CVE-2014-7142.patch
@@ -0,0 +1,276 @@
+------------------------------------------------------------
+revno: 11830
+revision-id: squid3@treenet.co.nz-20140915050818-gew57hl047sfjgdq
+parent: squid3@treenet.co.nz-20140915045953-80r0d5mn4ztghldi
+author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.2
+timestamp: Sun 2014-09-14 23:08:18 -0600
+message:
+  Fix various ICMP handling issues in Squid pinger
+  
+  * ICMP code type logging display could over-read the registered type
+    string arrays.
+  
+  * Malformed ICMP packets were accepted into processing with undefined
+    and potentially nasty results.
+  
+  Both sets of flaws can result in pinger segmentation fault and halting
+  the Squid functionality relying on pinger for correct operation.
+  
+   Thanks to the OpenSUSE project for analysis and resolution of these.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140915050818-gew57hl047sfjgdq
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_2
+# testament_sha1: 1776c91a347d6f1d76529018f8b39824544b3246
+# timestamp: 2014-09-15 11:09:37 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
+#   /SQUID_3_2
+# base_revision_id: squid3@treenet.co.nz-20140915045953-\
+#   80r0d5mn4ztghldi
+# 
+# Begin patch
+=== modified file 'src/icmp/Icmp4.cc'
+--- a/src/icmp/Icmp4.cc	2013-01-28 09:59:18 +0000
++++ b/src/icmp/Icmp4.cc	2014-09-15 05:08:18 +0000
+@@ -42,26 +42,38 @@
+ #include "IcmpPinger.h"
+ #include "Debug.h"
+ 
+-const char *icmpPktStr[] = {
+-    "Echo Reply",
+-    "ICMP 1",
+-    "ICMP 2",
+-    "Destination Unreachable",
+-    "Source Quench",
+-    "Redirect",
+-    "ICMP 6",
+-    "ICMP 7",
+-    "Echo",
+-    "ICMP 9",
+-    "ICMP 10",
+-    "Time Exceeded",
+-    "Parameter Problem",
+-    "Timestamp",
+-    "Timestamp Reply",
+-    "Info Request",
+-    "Info Reply",
+-    "Out of Range Type"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++    static const char *icmpPktStr[] = {
++        "Echo Reply",
++        "ICMP 1",
++        "ICMP 2",
++        "Destination Unreachable",
++        "Source Quench",
++        "Redirect",
++        "ICMP 6",
++        "ICMP 7",
++        "Echo",
++        "ICMP 9",
++        "ICMP 10",
++        "Time Exceeded",
++        "Parameter Problem",
++        "Timestamp",
++        "Timestamp Reply",
++        "Info Request",
++        "Info Reply",
++        "Out of Range Type"
++    };
++
++    if (v > 17) {
++        static char buf[50];
++        snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
++        return buf;
++    }
++
++    return icmpPktStr[v];
++}
+ 
+ Icmp4::Icmp4() : Icmp()
+ {
+@@ -188,6 +200,12 @@
+                  from->ai_addr,
+                  &from->ai_addrlen);
+ 
++    if (n <= 0) {
++        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
++        Ip::Address::FreeAddrInfo(from);
++        return;
++    }
++
+     preply.from = *from;
+ 
+ #if GETTIMEOFDAY_NO_TZP
+@@ -244,9 +262,15 @@
+ 
+     preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
+ 
++    if (preply.psize < 0) {
++        debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
++        Ip::Address::FreeAddrInfo(from);
++        return;
++    }
++
+     control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
+ 
+-    Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
++    Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
+     preply.from.FreeAddrInfo(from);
+ }
+ 
+
+=== modified file 'src/icmp/Icmp6.cc'
+--- a/src/icmp/Icmp6.cc	2013-01-28 09:59:18 +0000
++++ b/src/icmp/Icmp6.cc	2014-09-15 05:08:18 +0000
+@@ -51,57 +51,61 @@
+ 
+ // Icmp6 OP-Codes
+ // see http://www.iana.org/assignments/icmpv6-parameters
+-// NP: LowPktStr is for codes 0-127
+-static const char *icmp6LowPktStr[] = {
+-    "ICMP 0",			// 0
+-    "Destination Unreachable",	// 1 - RFC2463
+-    "Packet Too Big", 		// 2 - RFC2463
+-    "Time Exceeded",		// 3 - RFC2463
+-    "Parameter Problem",		// 4 - RFC2463
+-    "ICMP 5",			// 5
+-    "ICMP 6",			// 6
+-    "ICMP 7",			// 7
+-    "ICMP 8",			// 8
+-    "ICMP 9",			// 9
+-    "ICMP 10"			// 10
+-};
+-
+-// NP: HighPktStr is for codes 128-255
+-static const char *icmp6HighPktStr[] = {
+-    "Echo Request",					// 128 - RFC2463
+-    "Echo Reply",					// 129 - RFC2463
+-    "Multicast Listener Query",			// 130 - RFC2710
+-    "Multicast Listener Report",			// 131 - RFC2710
+-    "Multicast Listener Done",			// 132 - RFC2710
+-    "Router Solicitation",				// 133 - RFC4861
+-    "Router Advertisement",				// 134 - RFC4861
+-    "Neighbor Solicitation",			// 135 - RFC4861
+-    "Neighbor Advertisement",			// 136 - RFC4861
+-    "Redirect Message",				// 137 - RFC4861
+-    "Router Renumbering",				// 138 - Crawford
+-    "ICMP Node Information Query",			// 139 - RFC4620
+-    "ICMP Node Information Response",		// 140 - RFC4620
+-    "Inverse Neighbor Discovery Solicitation",	// 141 - RFC3122
+-    "Inverse Neighbor Discovery Advertisement",	// 142 - RFC3122
+-    "Version 2 Multicast Listener Report",		// 143 - RFC3810
+-    "Home Agent Address Discovery Request",		// 144 - RFC3775
+-    "Home Agent Address Discovery Reply",		// 145 - RFC3775
+-    "Mobile Prefix Solicitation",			// 146 - RFC3775
+-    "Mobile Prefix Advertisement",			// 147 - RFC3775
+-    "Certification Path Solicitation",		// 148 - RFC3971
+-    "Certification Path Advertisement",		// 149 - RFC3971
+-    "ICMP Experimental (150)",			// 150 - RFC4065
+-    "Multicast Router Advertisement",		// 151 - RFC4286
+-    "Multicast Router Solicitation",		// 152 - RFC4286
+-    "Multicast Router Termination",			// 153 - [RFC4286]
+-    "ICMP 154",
+-    "ICMP 155",
+-    "ICMP 156",
+-    "ICMP 157",
+-    "ICMP 158",
+-    "ICMP 159",
+-    "ICMP 160"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++    // NP: LowPktStr is for codes 0-127
++    static const char *icmp6LowPktStr[] = {
++        "ICMPv6 0",			// 0
++        "Destination Unreachable",	// 1 - RFC2463
++        "Packet Too Big", 		// 2 - RFC2463
++        "Time Exceeded",		// 3 - RFC2463
++        "Parameter Problem",		// 4 - RFC2463
++    };
++
++    // low codes 1-4 registered
++    if (0 < v && v < 5)
++        return icmp6LowPktStr[(int)(v&0x7f)];
++
++    // NP: HighPktStr is for codes 128-255
++    static const char *icmp6HighPktStr[] = {
++        "Echo Request",					// 128 - RFC2463
++        "Echo Reply",					// 129 - RFC2463
++        "Multicast Listener Query",			// 130 - RFC2710
++        "Multicast Listener Report",			// 131 - RFC2710
++        "Multicast Listener Done",			// 132 - RFC2710
++        "Router Solicitation",				// 133 - RFC4861
++        "Router Advertisement",				// 134 - RFC4861
++        "Neighbor Solicitation",			// 135 - RFC4861
++        "Neighbor Advertisement",			// 136 - RFC4861
++        "Redirect Message",				// 137 - RFC4861
++        "Router Renumbering",				// 138 - Crawford
++        "ICMP Node Information Query",			// 139 - RFC4620
++        "ICMP Node Information Response",		// 140 - RFC4620
++        "Inverse Neighbor Discovery Solicitation",	// 141 - RFC3122
++        "Inverse Neighbor Discovery Advertisement",	// 142 - RFC3122
++        "Version 2 Multicast Listener Report",		// 143 - RFC3810
++        "Home Agent Address Discovery Request",		// 144 - RFC3775
++        "Home Agent Address Discovery Reply",		// 145 - RFC3775
++        "Mobile Prefix Solicitation",			// 146 - RFC3775
++        "Mobile Prefix Advertisement",			// 147 - RFC3775
++        "Certification Path Solicitation",		// 148 - RFC3971
++        "Certification Path Advertisement",		// 149 - RFC3971
++        "ICMP Experimental (150)",			// 150 - RFC4065
++        "Multicast Router Advertisement",		// 151 - RFC4286
++        "Multicast Router Solicitation",		// 152 - RFC4286
++        "Multicast Router Termination",			// 153 - [RFC4286]
++    };
++
++    // high codes 127-153 registered
++    if (127 < v && v < 154)
++        return icmp6HighPktStr[(int)(v&0x7f)];
++
++    // give all others a generic display
++    static char buf[50];
++    snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
++    return buf;
++}
+ 
+ Icmp6::Icmp6() : Icmp()
+ {
+@@ -238,6 +242,12 @@
+                  from->ai_addr,
+                  &from->ai_addrlen);
+ 
++    if (n <= 0) {
++        debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
++        Ip::Address::FreeAddrInfo(from);
++        return;
++    }
++
+     preply.from = *from;
+ 
+ #if GETTIMEOFDAY_NO_TZP
+@@ -294,8 +304,7 @@
+ 
+         default:
+             debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
+-                   ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
+-                  );
++                   IcmpPacketType(icmp6header->icmp6_type));
+         }
+         preply.from.FreeAddrInfo(from);
+         return;
+@@ -334,7 +343,7 @@
+ 
+     Log(preply.from,
+         icmp6header->icmp6_type,
+-        ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
++        IcmpPacketType(icmp6header->icmp6_type),
+         preply.rtt,
+         preply.hops);
+ 
+