authorLeonardo Arena <rnalrd@alpinelinux.org>2016-05-09 14:21:04 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-05-09 14:22:54 +0000
commit2ec6e5d9fefa2fc48f839cfd7561cff006d6432e (patch)
tree20fc8e1fc2d3c63a670b321d5563d24bb3920d05
parent6ee4459a5f8f1757470b868e4874677e31fbb3fd (diff)
downloadaports-2ec6e5d9fefa2fc48f839cfd7561cff006d6432e.tar.bz2
aports-2ec6e5d9fefa2fc48f839cfd7561cff006d6432e.tar.xz
main/squid: security fixes (CVE-2016-3947, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054). Fixes #5511
(cherry picked from commit 2b8c949329091e172bb78347c871746fec209ae9)
-rw-r--r--main/squid/APKBUILD11
-rw-r--r--main/squid/squid-3.4-13232.patch51
-rw-r--r--main/squid/squid-3.4-13235.patch97
3 files changed, 158 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index ab545f0838..6d387335e0 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=3.4.14
-pkgrel=0
+pkgrel=1
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -22,6 +22,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
urlgroup.patch
cf_gen-pthread.patch
bug-3679.patch
+ squid-3.4-13232.patch
+ squid-3.4-13235.patch
+
squid.initd
squid.confd
$pkgname.logrotate
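Review bot: The two patch entries added to `source` carry no record of which of the four CVEs named in the commit title each one addresses, so a later rebase or version bump cannot tell from the APKBUILD alone when a patch is safe to drop. Comments cannot go inside the quoted `source="..."` string, so the mapping would have to sit above it, for example `# squid-3.4-13232.patch: <CVE id(s) fixed>` and `# squid-3.4-13235.patch: <CVE id(s) fixed>`, with the ids filled in from the upstream advisories. The added empty line after the two entries is harmless inside the string but is not needed.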
@@ -111,6 +114,8 @@ md5sums="4e7d7d062159484563ef11f69a0df50a squid-3.4.14.tar.xz
aaa90395f61377c5d0efc6c662cbd643 urlgroup.patch
473f8f6dabaec2bd73134d8288deea3d cf_gen-pthread.patch
9e71076799d334faba6f4954594e7b4a bug-3679.patch
+1f06c536aeba85c48ef5de0b4e4e49f7 squid-3.4-13232.patch
+e8cb42ff4fece3d34fb18dd9c9de9624 squid-3.4-13235.patch
947b668332a205626c854d0aece0f3e0 squid.initd
73db59e6c1c242dbc748feeb116650e0 squid.confd
58823e0b86bc2dc71d270208b7b284b4 squid.logrotate"
@@ -118,6 +123,8 @@ sha256sums="7f73bc559d35f9770aca48132190fd60fdcfeeb1a6143ecc7167cc002a52b553 sq
c08ffe0bba9b9964540bdc9bbfa2eca233dbb78a55a21537cb257d25070d8a21 urlgroup.patch
3b05ebd2d4baeb0e01437de768c8fbe76ff446f126d107b73fad6bd0d1968f0c cf_gen-pthread.patch
6b08cd129ea5fef019c78f1818c628e1070fe767e362da14844396b671f5a18d bug-3679.patch
+da44e0e017cc25deb3b221dd0fc7b535c30165cc4eab4752607ad210f60c36b3 squid-3.4-13232.patch
+9039b6632ba91e2c4f8df8b34b4daa9a80692722b0a1ddf8b42dd3c6e31882c1 squid-3.4-13235.patch
29eb267e6ebf9b409836b35ba37f263924f40c30cd0c24b91b1ddce380f2163b squid.initd
4012fc97d7ab653c8a73c4dac09751de80c847a90ee2483ddd41a04168cdeb2b squid.confd
b6efdb3261c2e4b5074ef49160af8b96e65f934c7fd64b8954df48aa41cd9b67 squid.logrotate"
@@ -125,6 +132,8 @@ sha512sums="8fcefbed5d2b7c1417aac530277155f8b7318d9243443a1c12899d145a48272e4866
88004f016431f2d73b308f925c90914f49ad5c2e2f20e8ae1578ed174ebf9f6e74e75c4398db2137fb3f3941c0edac6a78e2b1b9fbc603b3b242ff4601295042 urlgroup.patch
c5a230fe1f4dda8a3ab064f07c2b93a6f6e3ebdf290cb45da262300d06ac28aa4470a80c8f14db5c9ff4dcc478933d9882bef638a566fe8ad66aec1f96f80be3 cf_gen-pthread.patch
b477397f205ba207502a42aae674c85cad85eec831158ea0834361d98ef09a0f103d7a847e101bdd0ece73bbdda9b545960edd5385042bd593733810977e292a bug-3679.patch
+05bb99d33dae010c1cfca44dff5e2478d660f700efcf6ffd75de7d1d9c77c28bf9c1f20c0fdc529c0be6c989c35fe06e35bc87b623a67485d37c26b27327a3f0 squid-3.4-13232.patch
+099df7c5cc803e03f3bd77ee20348834b82110a6f7a844512d90dbfb957f1b6da0168a5a31d00b18ab0ccce704a7f97655f1acc84440204b614dc2913d935da8 squid-3.4-13235.patch
3da7673cde48aac9d7f45b0c0208c2608dd66b3fa70f897b83cb3d0a4f9ba88f3e3706cbab65eb811e77a52643d8616350c84ab599d8e617212f934cb44ffc99 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/squid-3.4-13232.patch b/main/squid/squid-3.4-13232.patch
new file mode 100644
index 0000000000..045461ebd2
--- /dev/null
+++ b/main/squid/squid-3.4-13232.patch
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 13232
+revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm
+author: Yuriy M. Kaminskiy <yumkam@gmail.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Thu 2016-03-31 03:14:10 +1300
+message:
+ pinger: Fix buffer overflow in Icmp6::Recv
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3
+# timestamp: 2016-03-30 14:51:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160220150859-\
+# 3unryicod1rcx9rm
+#
+# Begin patch
+=== modified file 'src/icmp/Icmp6.cc'
+--- a/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
++++ b/src/icmp/Icmp6.cc 2016-03-30 14:14:10 +0000
+@@ -277,7 +277,7 @@
+ #define ip6_hops // HOPS!!! (can it be true??)
+
+ ip = (struct ip6_hdr *) pkt;
+- pkt += sizeof(ip6_hdr);
++ NP: echo size needs to +sizeof(ip6_hdr);
+
+ debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+ ", ip6_plen=" << ip->ip6_plen <<
+@@ -288,7 +288,6 @@
+ */
+
+ icmp6header = (struct icmp6_hdr *) pkt;
+- pkt += sizeof(icmp6_hdr);
+
+ if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+
+@@ -313,7 +312,7 @@
+ return;
+ }
+
+- echo = (icmpEchoData *) pkt;
++ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+
+ preply.opcode = echo->opcode;
+
+
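Review bot: In the embedded Icmp6.cc patch, the new code reads `icmp6header->icmp6_type` from `pkt` and then `echo->opcode` from `pkt + sizeof(icmp6_hdr)`, but no visible line checks that the received length covers the ICMPv6 header plus the fixed part of `icmpEchoData` before those reads. If that check is not already made outside the shown context, a length guard before the first dereference, of the form `if (<received length> < sizeof(icmp6_hdr) + <fixed echo header size>) return;`, would close the remaining short-packet case. The replacement line `NP: echo size needs to +sizeof(ip6_hdr);` is bare text and only compiles if it falls inside the block comment that the `*/` in the second inner hunk closes; the comment opener is outside the context, so that should be confirmed. The function body starts and ends outside these hunks.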
diff --git a/main/squid/squid-3.4-13235.patch b/main/squid/squid-3.4-13235.patch
new file mode 100644
index 0000000000..a3d1bb22d1
--- /dev/null
+++ b/main/squid/squid-3.4-13235.patch
@@ -0,0 +1,97 @@
+------------------------------------------------------------
+revno: 13235
+revision-id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa
+parent: squid3@treenet.co.nz-20160420101437-36eofkldxfku61kj
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Wed 2016-04-20 23:15:14 +1200
+message:
+ Fix several ESI element construction issues
+
+ * Do not wrap active logic in assert().
+
+ * Fix localbuf array bounds checking.
+
+ * Add Must() conditions to verify array writes will succeed
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e95687b13c98667ab09966e7f94d511ca3e6ad96
+# timestamp: 2016-04-20 11:18:22 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160420101437-\
+# 36eofkldxfku61kj
+#
+# Begin patch
+=== modified file 'src/esi/Esi.cc'
+--- a/src/esi/Esi.cc 2013-06-27 15:58:46 +0000
++++ b/src/esi/Esi.cc 2016-04-20 11:15:14 +0000
+@@ -991,7 +991,7 @@
+ ESIElement::Pointer element;
+ int specifiedattcount = attrCount * 2;
+ char *position;
+- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
++ Must(ellen < sizeof(localbuf)); /* prevent unexpected overruns. */
+
+ debugs(86, 5, "ESIContext::Start: element '" << el << "' with " << specifiedattcount << " tags");
+
+@@ -1005,15 +1005,17 @@
+ /* Spit out elements we aren't interested in */
+ localbuf[0] = '<';
+ localbuf[1] = '\0';
+- assert (xstrncpy (&localbuf[1], el, sizeof(localbuf) - 2));
++ xstrncpy(&localbuf[1], el, sizeof(localbuf) - 2);
+ position = localbuf + strlen (localbuf);
+
+ for (i = 0; i < specifiedattcount && attr[i]; i += 2) {
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
+ *position = ' ';
+ ++position;
+ /* TODO: handle thisNode gracefully */
+- assert (xstrncpy (position, attr[i], sizeof(localbuf) + (position - localbuf)));
++ xstrncpy(position, attr[i], sizeof(localbuf) - (position - localbuf));
+ position += strlen (position);
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
+ *position = '=';
+ ++position;
+ *position = '\"';
+@@ -1022,18 +1024,21 @@
+ char ch;
+ while ((ch = *chPtr++) != '\0') {
+ if (ch == '\"') {
+- assert( xstrncpy(position, "&quot;", sizeof(localbuf) + (position-localbuf)) );
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 6);
++ xstrncpy(position, "&quot;", sizeof(localbuf) - (position-localbuf));
+ position += 6;
+ } else {
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
+ *position = ch;
+ ++position;
+ }
+ }
+- position += strlen (position);
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1);
+ *position = '\"';
+ ++position;
+ }
+
++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2);
+ *position = '>';
+ ++position;
+ *position = '\0';
+@@ -1119,11 +1124,11 @@
+ switch (ESIElement::IdentifyElement (el)) {
+
+ case ESIElement::ESI_ELEMENT_NONE:
+- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */
++ Must(ellen < sizeof(localbuf) - 3); /* prevent unexpected overruns. */
+ /* Add elements we aren't interested in */
+ localbuf[0] = '<';
+ localbuf[1] = '/';
+- assert (xstrncpy (&localbuf[2], el, sizeof(localbuf) - 3));
++ xstrncpy(&localbuf[2], el, sizeof(localbuf) - 3);
+ position = localbuf + strlen (localbuf);
+ *position = '>';
+ ++position;
+
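Review bot: In the embedded Esi.cc patch, the start-element guard `Must(ellen < sizeof(localbuf))` is looser than the copy it protects, `xstrncpy(&localbuf[1], el, sizeof(localbuf) - 2)`. Assuming xstrncpy copies at most n-1 bytes and NUL-terminates, an element name within two bytes of the buffer size passes the guard and is silently truncated rather than rejected. The closing-element hunk tightens its own guard to `sizeof(localbuf) - 3`; the matching form here would be `Must(ellen < sizeof(localbuf) - 2);`. The later `Must` checks on `position` still stop a write past the buffer, so this is about failing cleanly and consistently rather than an overrun. Separately, replacing `assert` with `Must` turns an abort into a thrown exception whose handler is not visible here; if these functions are reached from a C XML parser callback, it is worth confirming the exception is caught before it unwinds through C frames. Both functions start and end outside the hunks.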