authorSergey Lukin <sergej.lukin@gmail.com>2016-12-14 15:00:21 +0000
committerTimo Teräs <timo.teras@iki.fi>2016-12-26 09:25:10 +0000
commitf7fb6eb9c7b2bdc8ac41b605df86bb2fa114e89a (patch)
tree9c4dc3dd05840996c1b1e6bfc1fc3e2797746bbf
parentf64f0773b23ca508f7c24274d5c67d0bb8bbb1bb (diff)
main/squid: security upgrade - fixes #5216
-rw-r--r--main/squid/APKBUILD23
-rw-r--r--main/squid/squid-3.5-13990-CVE-2016-2571.patch47
-rw-r--r--main/squid/squid-3.5-13991-CVE-2016-2569.patch223
-rw-r--r--main/squid/squid-3.5-13993-CVE-2016-2570.patch71
4 files changed, 359 insertions, 5 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index a749db7936..76247715ef 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -1,8 +1,9 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=3.4.14
-pkgrel=2
+pkgrel=3
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -26,6 +27,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
squid-3.4-13235.patch
SQUID-2016_8.patch
SQUID-2016_9.patch
+ squid-3.5-13990-CVE-2016-2571.patch
+ squid-3.5-13991-CVE-2016-2569.patch
+ squid-3.5-13993-CVE-2016-2570.patch
squid.initd
squid.confd
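Review bot: The three patches added to `source=` carry their CVE ids only in the file names, and nothing in the visible APKBUILD hunks records which package release closes them. I would add a `# secfixes:` comment block near the top of the APKBUILD that lists CVE-2016-2569, CVE-2016-2570 and CVE-2016-2571 under `3.4.14-r3`, so the fixed release can be found without reading the commit log. The patch names say 3.5 while `pkgver` is 3.4.14, so the same block is a reasonable place to note that these are modified backports.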
@@ -35,9 +39,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
pkgusers="squid"
pkggroups="squid"
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
prepare() {
- cd "$_builddir"
+ cd "$builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -47,7 +51,7 @@ prepare() {
}
build() {
- cd "$_builddir"
+ cd "$builddir"
./configure \
--build=$CBUILD \
@@ -91,7 +95,7 @@ build() {
}
package() {
- cd "$_builddir"
+ cd "$builddir"
make DESTDIR="$pkgdir" install
install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
@@ -120,6 +124,9 @@ aaa90395f61377c5d0efc6c662cbd643 urlgroup.patch
e8cb42ff4fece3d34fb18dd9c9de9624 squid-3.4-13235.patch
5a04690517dbade66ea41aae0db9f3aa SQUID-2016_8.patch
fa14289924dea81c3507879376456e66 SQUID-2016_9.patch
+ffd171f39dd5c0db28f1979c99863472 squid-3.5-13990-CVE-2016-2571.patch
+5dadf06e369f253e077310ded5ede674 squid-3.5-13991-CVE-2016-2569.patch
+5be19e981eb0f2c02c2972882337ad7e squid-3.5-13993-CVE-2016-2570.patch
947b668332a205626c854d0aece0f3e0 squid.initd
73db59e6c1c242dbc748feeb116650e0 squid.confd
58823e0b86bc2dc71d270208b7b284b4 squid.logrotate"
@@ -131,6 +138,9 @@ da44e0e017cc25deb3b221dd0fc7b535c30165cc4eab4752607ad210f60c36b3 squid-3.4-1323
9039b6632ba91e2c4f8df8b34b4daa9a80692722b0a1ddf8b42dd3c6e31882c1 squid-3.4-13235.patch
50e0b16ee5f7e5683563c3234695f74d1b18e8fcdcce097dc8eb442fc6606e18 SQUID-2016_8.patch
9f86e103766a08bb15b06755b6a5b13e5821e89a1472cc0de29b11900c3e6fd0 SQUID-2016_9.patch
+9f1f95a1471881fe5dd8da3d473376cffbb0a0d484e639474f589d626bfa6dde squid-3.5-13990-CVE-2016-2571.patch
+34448f24ed73b040ea6c7ef5c18054445ea309104dfdc43f68a4cce7f11362ed squid-3.5-13991-CVE-2016-2569.patch
+405e3e8d2fbf0f675e17a16f0f6c024e470a01ead17c2b0626a98aee55917b87 squid-3.5-13993-CVE-2016-2570.patch
29eb267e6ebf9b409836b35ba37f263924f40c30cd0c24b91b1ddce380f2163b squid.initd
4012fc97d7ab653c8a73c4dac09751de80c847a90ee2483ddd41a04168cdeb2b squid.confd
b6efdb3261c2e4b5074ef49160af8b96e65f934c7fd64b8954df48aa41cd9b67 squid.logrotate"
@@ -142,6 +152,9 @@ b477397f205ba207502a42aae674c85cad85eec831158ea0834361d98ef09a0f103d7a847e101bdd
099df7c5cc803e03f3bd77ee20348834b82110a6f7a844512d90dbfb957f1b6da0168a5a31d00b18ab0ccce704a7f97655f1acc84440204b614dc2913d935da8 squid-3.4-13235.patch
a0ca97c1cb1b04b6e94af55dd67c11f084a07106ad8bb1687d52762b906d8a79247cfde9de4abf1c65da1b0aefacfaae9166ad9c5f6183f5b5dd1ec3ab4ae81b SQUID-2016_8.patch
af96a87ad673b38c974b8d9e49a235d65d4a480cae3859d1018bf5fec77c79dffbfa42454937eb309aef5a745a800edfc543ac3d5041d961a094af42a58f91b7 SQUID-2016_9.patch
+f59e753fa2c416b57091eede4dfe04c5a6cf72443a0eb7d539b756b2a42d9ff20cfd2616353d256f4670d4c6d3833b3135e8967db5c28f1f5f1b252700dd419d squid-3.5-13990-CVE-2016-2571.patch
+5874f00c02ced40b5e61ad5e3ef2cb30098f2e941258248779a4c227c819d9ea47be6d8ef143631a0834e99b2b04fa3db3d2e8eab81b329c8c14f7ae78ca3822 squid-3.5-13991-CVE-2016-2569.patch
+501febe38a46e955b1225fddfcbd0e984b16ae94d6f1bff5414c3b5ab28f6c327138108732babcbdc3da8e5596e94aeccf449734c5782d0f5c1fbe97598ebe2f squid-3.5-13993-CVE-2016-2570.patch
3da7673cde48aac9d7f45b0c0208c2608dd66b3fa70f897b83cb3d0a4f9ba88f3e3706cbab65eb811e77a52643d8616350c84ab599d8e617212f934cb44ffc99 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/squid-3.5-13990-CVE-2016-2571.patch b/main/squid/squid-3.5-13990-CVE-2016-2571.patch
new file mode 100644
index 0000000000..675928c6ea
--- /dev/null
+++ b/main/squid/squid-3.5-13990-CVE-2016-2571.patch
@@ -0,0 +1,47 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13990
+revision-id: rousskov@measurement-factory.com-20160218041533-8tmtd45c3nky2gyy
+parent: squid3@treenet.co.nz-20160215135848-ms0dmjsfouxcb8g2
+committer: Alex Rousskov <rousskov@measurement-factory.com>
+branch nick: 3.5
+timestamp: Wed 2016-02-17 21:15:33 -0700
+message:
+ Better handling of huge response headers. Fewer "BUG 3279" messages.
+
+ When we failed to parse a response, do not store the fake half-baked
+ response (via a replaceHttpReply() call). Doing so leads to misleading
+ "BUG 3279: HTTP reply without Date" messages (at best). The fake
+ response is only meant for continueAfterParsingHeader().
+
+ Also removed a misleading XXX that may have caused Bug 4432 in v4.0
+ (trunk r14548).
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: rousskov@measurement-factory.com-20160218041533-\
+# 8tmtd45c3nky2gyy
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 0a7978c0442191d33a9472c6185692a78da6c0b0
+# timestamp: 2016-02-18 04:50:56 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20160215135848-\
+# ms0dmjsfouxcb8g2
+#
+# Begin patch
+=== modified file 'src/http.cc'
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -719,11 +719,8 @@
+ if (!parsed && error > 0) { // unrecoverable parsing error
+ debugs(11, 3, "processReplyHeader: Non-HTTP-compliant header: '" << readBuf->content() << "'");
+ flags.headers_parsed = true;
+- // XXX: when sanityCheck is gone and Http::StatusLine is used to parse,
+- // the sline should be already set the appropriate values during that parser stage
+ newrep->sline.set(Http::ProtocolVersion(1,1), error);
+- HttpReply *vrep = setVirginReply(newrep);
+- entry->replaceHttpReply(vrep);
++ setVirginReply(newrep);
+ ctx_exit(ctx);
+ return;
+ }
+
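Review bot: The unrecoverable-parse branch in src/http.cc now calls `setVirginReply(newrep)` and leaves the store entry untouched, but nothing in the code says why. The reason is given only in the commit message, so a comment above the call would keep a later change from restoring the store, e.g. `// no replaceHttpReply() here: this fake reply is only for continueAfterParsingHeader()`. The enclosing function starts and ends outside the hunk, so whether later code expects the entry to already hold a reply cannot be checked from here.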
diff --git a/main/squid/squid-3.5-13991-CVE-2016-2569.patch b/main/squid/squid-3.5-13991-CVE-2016-2569.patch
new file mode 100644
index 0000000000..2f813ec835
--- /dev/null
+++ b/main/squid/squid-3.5-13991-CVE-2016-2569.patch
@@ -0,0 +1,223 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13991
+revision-id: rousskov@measurement-factory.com-20160219231541-syrgnvl1av8bbn8d
+parent: rousskov@measurement-factory.com-20160218041533-8tmtd45c3nky2gyy
+committer: Alex Rousskov <rousskov@measurement-factory.com>
+branch nick: 3.5
+timestamp: Fri 2016-02-19 16:15:41 -0700
+message:
+ Throw instead of asserting on some String overflows.
+
+ Note that Client-caught exceptions result in HTTP 500 (Internal Server
+ Error) responses with X-Squid-Error set to "ERR_CANNOT_FORWARD 0".
+
+ Also avoid stuck Client jobs on exceptions.
+
+ Also unified String size limit checks.
+
+ Essentially trunk r14552, which has a detailed commit message.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: rousskov@measurement-factory.com-20160219231541-\
+# syrgnvl1av8bbn8d
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 3a9c41e0584065e737250cf9f8eb9eea7a85e9ba
+# timestamp: 2016-02-19 23:50:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: rousskov@measurement-factory.com-20160218041533-\
+# 8tmtd45c3nky2gyy
+#
+# Begin patch
+=== modified file 'src/SquidString.h'
+--- a/src/SquidString.h
++++ b/src/SquidString.h
+@@ -80,6 +80,13 @@
+ _SQUID_INLINE_ int caseCmp(char const *, size_type count) const;
+ _SQUID_INLINE_ int caseCmp(String const &) const;
+
++ /// Whether creating a totalLen-character string is safe (i.e., unlikely to assert).
++ /// Optional extras can be used for overflow-safe length addition.
++ /// Implementation has to add 1 because many String allocation methods do.
++ static bool CanGrowTo(size_type totalLen, const size_type extras = 0) { return SafeAdd(totalLen, extras) && SafeAdd(totalLen, 1); }
++ /// whether appending growthLen characters is safe (i.e., unlikely to assert)
++ bool canGrowBy(const size_type growthLen) const { return CanGrowTo(size(), growthLen); }
++
+ String substr(size_type from, size_type to) const;
+
+ _SQUID_INLINE_ void cut(size_type newLength);
+@@ -95,10 +102,14 @@
+ _SQUID_INLINE_ bool nilCmp(bool, bool, int &) const;
+
+ /* never reference these directly! */
+- size_type size_; /* buffer size; 64K limit */
++ size_type size_; /* buffer size; limited by SizeMax_ */
+
+ size_type len_; /* current length */
+
++ static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
++ /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
++ static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
++
+ char *buf_;
+
+ _SQUID_INLINE_ void set(char const *loc, char const ch);
+
+=== modified file 'src/StrList.cc'
+--- a/src/StrList.cc
++++ b/src/StrList.cc
+@@ -11,20 +11,24 @@
+ #include "squid.h"
+ #include "SquidString.h"
+ #include "StrList.h"
++#include "base/TextException.h"
+
+ /** appends an item to the list */
+ void
+ strListAdd(String * str, const char *item, char del)
+ {
+ assert(str && item);
++ const String::size_type itemSize = strlen(item);
+ if (str->size()) {
+ char buf[3];
+ buf[0] = del;
+ buf[1] = ' ';
+ buf[2] = '\0';
++ Must(str->canGrowBy(2));
+ str->append(buf, 2);
+ }
+- str->append(item, strlen(item));
++ Must(str->canGrowBy(itemSize));
++ str->append(item, itemSize);
+ }
+
+ /** returns true iff "m" is a member of the list */
+
+=== modified file 'src/String.cc'
+--- a/src/String.cc
++++ b/src/String.cc
+@@ -42,7 +42,7 @@
+ String::setBuffer(char *aBuf, String::size_type aSize)
+ {
+ assert(undefined());
+- assert(aSize < 65536);
++ assert(aSize <= SizeMax_);
+ buf_ = aBuf;
+ size_ = aSize;
+ }
+@@ -171,7 +171,7 @@
+ } else {
+ // Create a temporary string and absorb it later.
+ String snew;
+- assert(len_ + len < 65536); // otherwise snew.len_ overflows below
++ assert(canGrowBy(len)); // otherwise snew.len_ may overflow below
+ snew.len_ = len_ + len;
+ snew.allocBuffer(snew.len_ + 1);
+
+
+=== modified file 'src/Server.cc'
+--- a/src/Server.cc
++++ b/src/Server.cc
+@@ -49,6 +49,7 @@
+ startedAdaptation(false),
+ #endif
+ receivedWholeRequestBody(false),
++ doneWithFwd(NULL),
+ theVirginReply(NULL),
+ theFinalReply(NULL)
+ {
+@@ -74,8 +75,6 @@
+ HTTPMSGUNLOCK(theVirginReply);
+ HTTPMSGUNLOCK(theFinalReply);
+
+- fwd = NULL; // refcounted
+-
+ if (responseBodyBuffer != NULL) {
+ delete responseBodyBuffer;
+ responseBodyBuffer = NULL;
+@@ -93,6 +92,14 @@
+ cleanAdaptation();
+ #endif
+
++ if (!doneWithServer())
++ closeServer();
++
++ if (!doneWithFwd) {
++ doneWithFwd = "swanSong()";
++ fwd->handleUnregisteredServerEnd();
++ }
++
+ BodyConsumer::swanSong();
+ #if USE_ADAPTATION
+ Initiator::swanSong();
+@@ -218,6 +225,7 @@
+ {
+ debugs(11,5, HERE << "completing forwarding for " << fwd);
+ assert(fwd != NULL);
++ doneWithFwd = "completeForwarding()";
+ fwd->complete();
+ }
+
+
+=== modified file 'src/Server.h'
+--- a/src/Server.h
++++ b/src/Server.h
+@@ -176,6 +176,10 @@
+ #endif
+ bool receivedWholeRequestBody; ///< handleRequestBodyProductionEnded called
+
++ /// whether we should not be talking to FwdState; XXX: clear fwd instead
++ /// points to a string literal which is used only for debugging
++ const char *doneWithFwd;
++
+ private:
+ void sendBodyIsTooLargeError();
+ void maybePurgeOthers();
+
+=== modified file 'src/ftp.cc'
+--- a/src/ftp.cc
++++ b/src/ftp.cc
+@@ -839,6 +839,7 @@
+ {
+ debugs(9, 4, HERE);
+ ctrl.clear();
++ doneWithFwd = "ctrlClosed()"; // assume FwdState is monitoring too
+ mustStop("FtpStateData::ctrlClosed");
+ }
+
+
+=== modified file 'src/http.cc'
+--- a/src/http.cc
++++ b/src/http.cc
+@@ -152,6 +152,7 @@
+ HttpStateData::httpStateConnClosed(const CommCloseCbParams &params)
+ {
+ debugs(11, 5, "httpStateFree: FD " << params.fd << ", httpState=" << params.data);
++ doneWithFwd = "httpStateConnClosed()"; // assume FwdState is monitoring too
+ mustStop("HttpStateData::httpStateConnClosed");
+ }
+
+@@ -2407,21 +2409,11 @@
+ ServerStateData::sentRequestBody(io);
+ }
+
+-// Quickly abort the transaction
+-// TODO: destruction should be sufficient as the destructor should cleanup,
+-// including canceling close handlers
+ void
+ HttpStateData::abortTransaction(const char *reason)
+ {
+ debugs(11,5, HERE << "aborting transaction for " << reason <<
+ "; " << serverConnection << ", this " << this);
+-
+- if (Comm::IsConnOpen(serverConnection)) {
+- serverConnection->close();
+- return;
+- }
+-
+- fwd->handleUnregisteredServerEnd();
+- mustStop("HttpStateData::abortTransaction");
++ mustStop(reason);
+ }
+
+
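Review bot: String::append() in src/String.cc still ends in `assert(canGrowBy(len))`, so only the strListAdd() path in src/StrList.cc becomes a catchable failure through the new `Must(str->canGrowBy(...))` checks. Any other caller that appends externally sized data would presumably still abort the process, which is worth stating at the assert, e.g. `// callers handling untrusted lengths must check canGrowBy() first; this still asserts`. In the swanSong() hunk of src/Server.cc, `fwd->handleUnregisteredServerEnd()` runs whenever doneWithFwd is unset, without the `fwd != NULL` check that completeForwarding() makes. If fwd can be null at that point, `if (!doneWithFwd && fwd != NULL) {` would be the safer guard. Both functions extend beyond their hunks.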
diff --git a/main/squid/squid-3.5-13993-CVE-2016-2570.patch b/main/squid/squid-3.5-13993-CVE-2016-2570.patch
new file mode 100644
index 0000000000..5568dc3c50
--- /dev/null
+++ b/main/squid/squid-3.5-13993-CVE-2016-2570.patch
@@ -0,0 +1,71 @@
+patch was modified for applying to squid-3.4.14
+------------------------------------------------------------
+revno: 13993
+revision-id: squid3@treenet.co.nz-20160223154710-wcrkwwyohp2f263g
+parent: squidadm@squid-cache.org-20160220001407-1ejhjctyaf86oame
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3870
+author: William Lima <william.lima@hscbrasil.com.br>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Wed 2016-02-24 04:47:10 +1300
+message:
+ Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
+
+ The custom ESI parser used in absence of libxml2 or libexpat parsers was
+ restricted to handling 64KB buffers but under some conditions could expand
+ to over 64KB during the parse process. Hitting this assertion.
+
+ TODO: the parser can now be redesigned to make use of Tokenizer and
+ CharacterSet parsing tools. But that is left for later work.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20160223154710-wcrkwwyohp2f263g
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: d8513f84eb3af6881e9264e9e4a4b0b3c6302caf
+# timestamp: 2016-02-23 15:50:48 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squidadm@squid-cache.org-20160220001407-\
+# 1ejhjctyaf86oame
+#
+# Begin patch
+=== modified file 'src/esi/CustomParser.cc'
+--- a/src/esi/CustomParser.cc
++++ b/src/esi/CustomParser.cc
+@@ -89,9 +89,11 @@
+ }
+
+ size_t openESITags (0);
+- //erring on the safe side. Probably rawBuf would be ok too
+- char const *currentPos = content.termedBuf();
+- size_t remainingCount = content.size();
++ // TODO: convert to Tokenizer parse
++ // erring on the safe side for now. Probably rawContent would be ok too
++ // note that operations below do *X='\0' ... altering the 'const' buffer content.
++ char const *currentPos = content.c_str();
++ SBuf::size_type remainingCount = content.length();
+ char const *tag = NULL;
+
+ while ((tag = findTag(currentPos, remainingCount))) {
+
+=== modified file 'src/esi/CustomParser.h'
+--- a/src/esi/CustomParser.h
++++ b/src/esi/CustomParser.h
+@@ -14,7 +14,7 @@
+ /* inherits from */
+ #include "esi/Parser.h"
+
+-/* for String variables */
++#include "SBuf.h"
+ #include "SquidString.h"
+
+ /**
+@@ -46,7 +46,7 @@
+ ESIParserClient *theClient;
+ String error;
+ /* cheap n dirty - buffer it all */
+- String content;
++ SBuf content;
+ /* TODO: make a class of this type code */
+ ESITAG_t lastTag;
+ };
+
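Review bot: The comment added in src/esi/CustomParser.cc says the parse loop writes `'\0'` through the `char const *` taken from `content.c_str()`, and `content` is now an SBuf. If SBuf storage can be shared between copies, those in-place writes could change data another holder sees, and appending to `content` during the loop would presumably invalidate `currentPos`. I would document the constraint at the member in CustomParser.h, e.g. `/* parse() edits this buffer in place; do not copy or share it while parsing */`. With the 64KB String limit gone, "buffer it all" is bounded only by whatever SBuf allows, which deserves a line in the same comment. Only the declaration and one use of `content` are in the hunks, so its other uses cannot be checked here.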