authorLeonardo Arena <rnalrd@alpinelinux.org>2016-07-29 13:16:09 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-07-29 13:17:30 +0000
commit45b50551b412535424ba22a25a31ad09f47919b0 (patch)
tree2fa42cdbc87b724ce18b3813ac8908ebfd5bb7ff
parent9759ef2c6cfe7e5159342765427243d789a132f6 (diff)
downloadaports-45b50551b412535424ba22a25a31ad09f47919b0.tar.bz2
aports-45b50551b412535424ba22a25a31ad09f47919b0.tar.xz
main/squid: security fixes (CVE-2016-4554, CVE-2016-4555, CVE-2016-4556). Fixes #5891
-rw-r--r--main/squid/APKBUILD10
-rw-r--r--main/squid/SQUID-2016_8.patch75
-rw-r--r--main/squid/SQUID-2016_9.patch145
3 files changed, 229 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 6d387335e0..a749db7936 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=3.4.14
-pkgrel=1
+pkgrel=2
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -24,6 +24,8 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
bug-3679.patch
squid-3.4-13232.patch
squid-3.4-13235.patch
+ SQUID-2016_8.patch
+ SQUID-2016_9.patch
squid.initd
squid.confd
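Review bot: Nothing in the APKBUILD records which of the CVE ids in the commit title each new patch file covers, so a later `pkgver` bump cannot tell from this file alone whether the patches can be dropped. Only the commit title and the revno 13239 message inside SQUID-2016_8.patch carry that link. A comment near the top of the file would keep it, e.g. `# SQUID-2016_8.patch: CVE-2016-4554 (upstream revno 13236 + 13239)`, with the other two ids mapped to SQUID-2016_9.patch after checking the upstream advisory. It has to sit outside the quoted `source="..."` string, where a `#` would become part of the value rather than a comment.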
@@ -116,6 +118,8 @@ aaa90395f61377c5d0efc6c662cbd643 urlgroup.patch
9e71076799d334faba6f4954594e7b4a bug-3679.patch
1f06c536aeba85c48ef5de0b4e4e49f7 squid-3.4-13232.patch
e8cb42ff4fece3d34fb18dd9c9de9624 squid-3.4-13235.patch
+5a04690517dbade66ea41aae0db9f3aa SQUID-2016_8.patch
+fa14289924dea81c3507879376456e66 SQUID-2016_9.patch
947b668332a205626c854d0aece0f3e0 squid.initd
73db59e6c1c242dbc748feeb116650e0 squid.confd
58823e0b86bc2dc71d270208b7b284b4 squid.logrotate"
@@ -125,6 +129,8 @@ c08ffe0bba9b9964540bdc9bbfa2eca233dbb78a55a21537cb257d25070d8a21 urlgroup.patch
6b08cd129ea5fef019c78f1818c628e1070fe767e362da14844396b671f5a18d bug-3679.patch
da44e0e017cc25deb3b221dd0fc7b535c30165cc4eab4752607ad210f60c36b3 squid-3.4-13232.patch
9039b6632ba91e2c4f8df8b34b4daa9a80692722b0a1ddf8b42dd3c6e31882c1 squid-3.4-13235.patch
+50e0b16ee5f7e5683563c3234695f74d1b18e8fcdcce097dc8eb442fc6606e18 SQUID-2016_8.patch
+9f86e103766a08bb15b06755b6a5b13e5821e89a1472cc0de29b11900c3e6fd0 SQUID-2016_9.patch
29eb267e6ebf9b409836b35ba37f263924f40c30cd0c24b91b1ddce380f2163b squid.initd
4012fc97d7ab653c8a73c4dac09751de80c847a90ee2483ddd41a04168cdeb2b squid.confd
b6efdb3261c2e4b5074ef49160af8b96e65f934c7fd64b8954df48aa41cd9b67 squid.logrotate"
@@ -134,6 +140,8 @@ c5a230fe1f4dda8a3ab064f07c2b93a6f6e3ebdf290cb45da262300d06ac28aa4470a80c8f14db5c
b477397f205ba207502a42aae674c85cad85eec831158ea0834361d98ef09a0f103d7a847e101bdd0ece73bbdda9b545960edd5385042bd593733810977e292a bug-3679.patch
05bb99d33dae010c1cfca44dff5e2478d660f700efcf6ffd75de7d1d9c77c28bf9c1f20c0fdc529c0be6c989c35fe06e35bc87b623a67485d37c26b27327a3f0 squid-3.4-13232.patch
099df7c5cc803e03f3bd77ee20348834b82110a6f7a844512d90dbfb957f1b6da0168a5a31d00b18ab0ccce704a7f97655f1acc84440204b614dc2913d935da8 squid-3.4-13235.patch
+a0ca97c1cb1b04b6e94af55dd67c11f084a07106ad8bb1687d52762b906d8a79247cfde9de4abf1c65da1b0aefacfaae9166ad9c5f6183f5b5dd1ec3ab4ae81b SQUID-2016_8.patch
+af96a87ad673b38c974b8d9e49a235d65d4a480cae3859d1018bf5fec77c79dffbfa42454937eb309aef5a745a800edfc543ac3d5041d961a094af42a58f91b7 SQUID-2016_9.patch
3da7673cde48aac9d7f45b0c0208c2608dd66b3fa70f897b83cb3d0a4f9ba88f3e3706cbab65eb811e77a52643d8616350c84ab599d8e617212f934cb44ffc99 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/SQUID-2016_8.patch b/main/squid/SQUID-2016_8.patch
new file mode 100644
index 0000000000..26a809c7d5
--- /dev/null
+++ b/main/squid/SQUID-2016_8.patch
@@ -0,0 +1,75 @@
+------------------------------------------------------------
+revno: 13236
+revision-id: squid3@treenet.co.nz-20160502034253-axee4hqa4wuhlpkg
+parent: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Mon 2016-05-02 15:42:53 +1200
+message:
+ Require exact match in Host header name lookup
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160502034253-axee4hqa4wuhlpkg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: c50f0048991f1b3e797b164cd0af166e3ea6763a
+# timestamp: 2016-05-02 03:50:58 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160420111514-\
+# 4hpxglbn9k15l5sa
+#
+# Begin patch
+=== modified file 'src/mime_header.cc'
+--- a/src/mime_header.cc 2012-08-29 12:36:10 +0000
++++ b/src/mime_header.cc 2016-05-02 03:42:53 +0000
+@@ -62,9 +62,6 @@
+ if (strcmp(p, "\r\n\r\n") == 0 || strcmp(p, "\n\n") == 0)
+ return NULL;
+
+- while (xisspace(*p))
+- ++p;
+-
+ if (strncasecmp(p, name, namelen))
+ continue;
+
+
+------------------------------------------------------------
+revno: 13239
+revision-id: squid3@treenet.co.nz-20160508124218-6vhq4icj0fwu5aof
+parent: squid3@treenet.co.nz-20160506094614-zyjq1i8ym2gcvwbu
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4515
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Mon 2016-05-09 00:42:18 +1200
+message:
+ Bug 4515: regression after CVE-2016-4554 patch
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160508124218-6vhq4icj0fwu5aof
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 41116e273d27c1353b02457a2a719251c1a4551c
+# timestamp: 2016-05-08 12:50:09 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160506094614-\
+# zyjq1i8ym2gcvwbu
+#
+# Begin patch
+=== modified file 'src/mime_header.cc'
+--- a/src/mime_header.cc 2016-05-02 03:42:53 +0000
++++ b/src/mime_header.cc 2016-05-08 12:42:18 +0000
+@@ -58,10 +58,13 @@
+
+ debugs(25, 5, "mime_get_header: looking for '" << name << "'");
+
+- for (p = mime; *p; p += strcspn(p, "\n\r")) {
+- if (strcmp(p, "\r\n\r\n") == 0 || strcmp(p, "\n\n") == 0)
++ for (p = mime; *p; p += strcspn(p, "\n")) {
++ if (strcmp(p, "\n\r\n") == 0 || strcmp(p, "\n\n") == 0)
+ return NULL;
+
++ if (*p == '\n')
++ ++p;
++
+ if (strncasecmp(p, name, namelen))
+ continue;
+
+
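Review bot: In the revno 13239 hunk of the embedded patch, the end-of-headers test `strcmp(p, "\n\r\n") == 0 || strcmp(p, "\n\n") == 0` compares the entire remainder of the buffer, so it returns NULL only when the buffer ends exactly at the blank line. If any caller can pass a buffer that carries bytes after the blank line (not visible from this hunk), the loop keeps walking and `strncasecmp(p, name, namelen)` could match a line that starts in the body. A prefix test such as `if (strncmp(p, "\n\r\n", 3) == 0 || strncmp(p, "\n\n", 2) == 0)` would stop at the first blank line regardless; since this file mirrors upstream revisions, it is better raised upstream than changed locally. The function begins and ends outside the hunk, so the check that follows the name comparison cannot be confirmed here.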
diff --git a/main/squid/SQUID-2016_9.patch b/main/squid/SQUID-2016_9.patch
new file mode 100644
index 0000000000..188cd8e58a
--- /dev/null
+++ b/main/squid/SQUID-2016_9.patch
@@ -0,0 +1,145 @@
+------------------------------------------------------------
+revno: 13237
+revision-id: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
+parent: squid3@treenet.co.nz-20160502034253-axee4hqa4wuhlpkg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4455
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Fri 2016-05-06 21:12:44 +1200
+message:
+ Bug 4455: SegFault from ESIInclude::Start
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: b9714bc153e5fd6e8fe505a6c1d8a54c88e03a77
+# timestamp: 2016-05-06 09:48:43 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160502034253-\
+# axee4hqa4wuhlpkg
+#
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- a/src/client_side_request.cc 2014-04-09 16:53:05 +0000
++++ b/src/client_side_request.cc 2016-05-06 09:12:44 +0000
+@@ -163,13 +163,15 @@
+ start_time = current_time;
+ setConn(aConn);
+ al = new AccessLogEntry;
+- al->tcpClient = clientConnection = aConn->clientConnection;
++ if (aConn) {
++ al->tcpClient = clientConnection = aConn->clientConnection;
+ #if USE_SSL
+- if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
+- if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
+- al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
++ if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
++ if (SSL *ssl = fd_table[aConn->clientConnection->fd].ssl)
++ al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl));
++ }
++#endif
+ }
+-#endif
+ dlinkAdd(this, &active, &ClientActiveRequests);
+ #if USE_ADAPTATION
+ request_satisfaction_mode = false;
+
+------------------------------------------------------------
+revno: 13238
+revision-id: squid3@treenet.co.nz-20160506094614-zyjq1i8ym2gcvwbu
+parent: squid3@treenet.co.nz-20160506091244-3td2be9qbzsajxg8
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Fri 2016-05-06 21:46:14 +1200
+message:
+ Fix SIGSEGV in ESIContext response handling
+
+ HttpReply pointer was being unlocked without heving been locked.
+ Resulting in a double-free. Make it use RefCount instead of
+ manual locking to ensure locked/unlock is always symmetrical.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160506094614-zyjq1i8ym2gcvwbu
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 4ff01cd3aaffb8c9b20b8595d2ee0ccfcf434b3f
+# timestamp: 2016-05-06 09:48:45 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20160506091244-\
+# 3td2be9qbzsajxg8
+#
+# Begin patch
+=== modified file 'src/esi/Context.h'
+--- a/src/esi/Context.h 2013-06-27 15:58:46 +0000
++++ b/src/esi/Context.h 2016-05-06 09:46:14 +0000
+@@ -36,6 +36,7 @@
+ #include "esi/Element.h"
+ #include "clientStream.h"
+ #include "err_type.h"
++#include "HttpReply.h"
+ #include "http/StatusCode.h"
+
+ class ESIVarState;
+@@ -114,7 +115,7 @@
+ err_type errorpage; /* if we error what page to use */
+ Http::StatusCode errorstatus; /* if we error, what code to return */
+ char *errormessage; /* error to pass to error page */
+- HttpReply *rep; /* buffered until we pass data downstream */
++ HttpReply::Pointer rep; /* buffered until we pass data downstream */
+ ESISegment::Pointer buffered; /* unprocessed data - for whatever reason */
+ ESISegment::Pointer incoming;
+ /* processed data we are waiting to send, or for
+
+=== modified file 'src/esi/Esi.cc'
+--- a/src/esi/Esi.cc 2016-04-20 11:15:14 +0000
++++ b/src/esi/Esi.cc 2016-05-06 09:46:14 +0000
+@@ -598,7 +598,7 @@
+
+ #endif
+
+- if (!(rep || (outbound.getRaw() &&
++ if (!(rep != NULL || (outbound.getRaw() &&
+ outbound->len && (outbound_offset <= outbound->len)))) {
+ debugs(86, 5, "ESIContext::send: Nothing to send.");
+ return 0;
+@@ -643,18 +643,18 @@
+ flags.clientwantsdata = 0;
+ debugs(86, 5, "ESIContext::send: this=" << this << " Client no longer wants data ");
+ /* Deal with re-entrancy */
+- HttpReply *temprep = rep;
++ HttpReply::Pointer temprep = rep;
+ rep = NULL; /* freed downstream */
+
+- if (temprep && varState)
+- varState->buildVary (temprep);
++ if (temprep != NULL && varState)
++ varState->buildVary(temprep.getRaw());
+
+ {
+ StoreIOBuffer tempBuffer;
+ tempBuffer.length = len;
+ tempBuffer.offset = pos - len;
+ tempBuffer.data = next->readBuffer.data;
+- clientStreamCallback (thisNode, http, temprep, tempBuffer);
++ clientStreamCallback (thisNode, http, temprep.getRaw(), tempBuffer);
+ }
+
+ if (len == 0)
+@@ -1284,7 +1284,7 @@
+ ++parserState.stackdepth;
+ }
+
+- if (rep && !parserState.inited())
++ if (rep != NULL && !parserState.inited())
+ parserState.init(this);
+
+ /* we have data */
+@@ -1423,7 +1423,7 @@
+ {
+ debugs(86, 5, HERE << "Freeing for this=" << this);
+
+- HTTPMSGUNLOCK(rep);
++ rep = NULL; // refcounted
+
+ finishChildren ();
+
+
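Review bot: The `/* freed downstream */` comment left on `rep = NULL;` in the Esi.cc hunk at -643 no longer describes the ownership: `temprep` is now an `HttpReply::Pointer` that drops its reference when it goes out of scope, and `clientStreamCallback` receives only `temprep.getRaw()`. Whether the downstream node takes its own lock on that raw pointer is not visible in this hunk and should be confirmed, because a callee that keeps the pointer without locking would be left dangling once `temprep` is released. I would reword the comment to `rep = NULL; /* temprep holds our reference for the duration of the callback */`. The enclosing functions start and end outside the hunks shown.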