diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-05-09 14:21:04 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-05-09 14:21:04 +0000 |
commit | 2b8c949329091e172bb78347c871746fec209ae9 (patch) | |
tree | 2077b8a1d1a40c9634f3cdd4ed9a0af3082f8694 | |
parent | 2e04022d1a3fe8b9e3ff2e830cfeca39b4b610aa (diff) | |
download | aports-2b8c949329091e172bb78347c871746fec209ae9.tar.bz2 aports-2b8c949329091e172bb78347c871746fec209ae9.tar.xz |
main/squid: security fixes (CVE-2016-3947, CVE-2016-4052, CVE-2016-4053, CVE-2016-4054). Fixes #5510
-rw-r--r-- | main/squid/APKBUILD | 10 | ||||
-rw-r--r-- | main/squid/squid-3.4-13232.patch | 51 | ||||
-rw-r--r-- | main/squid/squid-3.4-13235.patch | 97 |
3 files changed, 157 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index 507ab29af6..6d387335e0 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=squid pkgver=3.4.14 -pkgrel=0 +pkgrel=1 pkgdesc="A full-featured Web proxy cache server." url="http://www.squid-cache.org" install="squid.pre-install squid.pre-upgrade" @@ -22,6 +22,8 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar. urlgroup.patch cf_gen-pthread.patch bug-3679.patch + squid-3.4-13232.patch + squid-3.4-13235.patch squid.initd squid.confd @@ -112,6 +114,8 @@ md5sums="4e7d7d062159484563ef11f69a0df50a squid-3.4.14.tar.xz aaa90395f61377c5d0efc6c662cbd643 urlgroup.patch 473f8f6dabaec2bd73134d8288deea3d cf_gen-pthread.patch 9e71076799d334faba6f4954594e7b4a bug-3679.patch +1f06c536aeba85c48ef5de0b4e4e49f7 squid-3.4-13232.patch +e8cb42ff4fece3d34fb18dd9c9de9624 squid-3.4-13235.patch 947b668332a205626c854d0aece0f3e0 squid.initd 73db59e6c1c242dbc748feeb116650e0 squid.confd 58823e0b86bc2dc71d270208b7b284b4 squid.logrotate" @@ -119,6 +123,8 @@ sha256sums="7f73bc559d35f9770aca48132190fd60fdcfeeb1a6143ecc7167cc002a52b553 sq c08ffe0bba9b9964540bdc9bbfa2eca233dbb78a55a21537cb257d25070d8a21 urlgroup.patch 3b05ebd2d4baeb0e01437de768c8fbe76ff446f126d107b73fad6bd0d1968f0c cf_gen-pthread.patch 6b08cd129ea5fef019c78f1818c628e1070fe767e362da14844396b671f5a18d bug-3679.patch +da44e0e017cc25deb3b221dd0fc7b535c30165cc4eab4752607ad210f60c36b3 squid-3.4-13232.patch +9039b6632ba91e2c4f8df8b34b4daa9a80692722b0a1ddf8b42dd3c6e31882c1 squid-3.4-13235.patch 29eb267e6ebf9b409836b35ba37f263924f40c30cd0c24b91b1ddce380f2163b squid.initd 4012fc97d7ab653c8a73c4dac09751de80c847a90ee2483ddd41a04168cdeb2b squid.confd b6efdb3261c2e4b5074ef49160af8b96e65f934c7fd64b8954df48aa41cd9b67 squid.logrotate" @@ -126,6 +132,8 @@ sha512sums="8fcefbed5d2b7c1417aac530277155f8b7318d9243443a1c12899d145a48272e4866 88004f016431f2d73b308f925c90914f49ad5c2e2f20e8ae1578ed174ebf9f6e74e75c4398db2137fb3f3941c0edac6a78e2b1b9fbc603b3b242ff4601295042 urlgroup.patch c5a230fe1f4dda8a3ab064f07c2b93a6f6e3ebdf290cb45da262300d06ac28aa4470a80c8f14db5c9ff4dcc478933d9882bef638a566fe8ad66aec1f96f80be3 cf_gen-pthread.patch b477397f205ba207502a42aae674c85cad85eec831158ea0834361d98ef09a0f103d7a847e101bdd0ece73bbdda9b545960edd5385042bd593733810977e292a bug-3679.patch +05bb99d33dae010c1cfca44dff5e2478d660f700efcf6ffd75de7d1d9c77c28bf9c1f20c0fdc529c0be6c989c35fe06e35bc87b623a67485d37c26b27327a3f0 squid-3.4-13232.patch +099df7c5cc803e03f3bd77ee20348834b82110a6f7a844512d90dbfb957f1b6da0168a5a31d00b18ab0ccce704a7f97655f1acc84440204b614dc2913d935da8 squid-3.4-13235.patch 3da7673cde48aac9d7f45b0c0208c2608dd66b3fa70f897b83cb3d0a4f9ba88f3e3706cbab65eb811e77a52643d8616350c84ab599d8e617212f934cb44ffc99 squid.initd 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate" diff --git a/main/squid/squid-3.4-13232.patch b/main/squid/squid-3.4-13232.patch new file mode 100644 index 0000000000..045461ebd2 --- /dev/null +++ b/main/squid/squid-3.4-13232.patch @@ -0,0 +1,51 @@ +------------------------------------------------------------ +revno: 13232 +revision-id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap +parent: squid3@treenet.co.nz-20160220150859-3unryicod1rcx9rm +author: Yuriy M. Kaminskiy <yumkam@gmail.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Thu 2016-03-31 03:14:10 +1300 +message: + pinger: Fix buffer overflow in Icmp6::Recv +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160330141410-t6p2dhzr8ri36fap +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: e404755509c03ec58c0c293552a7f2a579810fd3 +# timestamp: 2016-03-30 14:51:02 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20160220150859-\ +# 3unryicod1rcx9rm +# +# Begin patch +=== modified file 'src/icmp/Icmp6.cc' +--- a/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000 ++++ b/src/icmp/Icmp6.cc 2016-03-30 14:14:10 +0000 +@@ -277,7 +277,7 @@ + #define ip6_hops // HOPS!!! (can it be true??) + + ip = (struct ip6_hdr *) pkt; +- pkt += sizeof(ip6_hdr); ++ NP: echo size needs to +sizeof(ip6_hdr); + + debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt << + ", ip6_plen=" << ip->ip6_plen << +@@ -288,7 +288,6 @@ + */ + + icmp6header = (struct icmp6_hdr *) pkt; +- pkt += sizeof(icmp6_hdr); + + if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) { + +@@ -313,7 +312,7 @@ + return; + } + +- echo = (icmpEchoData *) pkt; ++ echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr)); + + preply.opcode = echo->opcode; + + diff --git a/main/squid/squid-3.4-13235.patch b/main/squid/squid-3.4-13235.patch new file mode 100644 index 0000000000..a3d1bb22d1 --- /dev/null +++ b/main/squid/squid-3.4-13235.patch @@ -0,0 +1,97 @@ +------------------------------------------------------------ +revno: 13235 +revision-id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa +parent: squid3@treenet.co.nz-20160420101437-36eofkldxfku61kj +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Wed 2016-04-20 23:15:14 +1200 +message: + Fix several ESI element construction issues + + * Do not wrap active logic in assert(). + + * Fix localbuf array bounds checking. + + * Add Must() conditions to verify array writes will succeed +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20160420111514-4hpxglbn9k15l5sa +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: e95687b13c98667ab09966e7f94d511ca3e6ad96 +# timestamp: 2016-04-20 11:18:22 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20160420101437-\ +# 36eofkldxfku61kj +# +# Begin patch +=== modified file 'src/esi/Esi.cc' +--- a/src/esi/Esi.cc 2013-06-27 15:58:46 +0000 ++++ b/src/esi/Esi.cc 2016-04-20 11:15:14 +0000 +@@ -991,7 +991,7 @@ + ESIElement::Pointer element; + int specifiedattcount = attrCount * 2; + char *position; +- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */ ++ Must(ellen < sizeof(localbuf)); /* prevent unexpected overruns. */ + + debugs(86, 5, "ESIContext::Start: element '" << el << "' with " << specifiedattcount << " tags"); + +@@ -1005,15 +1005,17 @@ + /* Spit out elements we aren't interested in */ + localbuf[0] = '<'; + localbuf[1] = '\0'; +- assert (xstrncpy (&localbuf[1], el, sizeof(localbuf) - 2)); ++ xstrncpy(&localbuf[1], el, sizeof(localbuf) - 2); + position = localbuf + strlen (localbuf); + + for (i = 0; i < specifiedattcount && attr[i]; i += 2) { ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1); + *position = ' '; + ++position; + /* TODO: handle thisNode gracefully */ +- assert (xstrncpy (position, attr[i], sizeof(localbuf) + (position - localbuf))); ++ xstrncpy(position, attr[i], sizeof(localbuf) - (position - localbuf)); + position += strlen (position); ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2); + *position = '='; + ++position; + *position = '\"'; +@@ -1022,18 +1024,21 @@ + char ch; + while ((ch = *chPtr++) != '\0') { + if (ch == '\"') { +- assert( xstrncpy(position, """, sizeof(localbuf) + (position-localbuf)) ); ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 6); ++ xstrncpy(position, """, sizeof(localbuf) - (position-localbuf)); + position += 6; + } else { ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1); + *position = ch; + ++position; + } + } +- position += strlen (position); ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 1); + *position = '\"'; + ++position; + } + ++ Must(static_cast<size_t>(position - localbuf) < sizeof(localbuf) - 2); + *position = '>'; + ++position; + *position = '\0'; +@@ -1119,11 +1124,11 @@ + switch (ESIElement::IdentifyElement (el)) { + + case ESIElement::ESI_ELEMENT_NONE: +- assert (ellen < sizeof (localbuf)); /* prevent unexpected overruns. */ ++ Must(ellen < sizeof(localbuf) - 3); /* prevent unexpected overruns. */ + /* Add elements we aren't interested in */ + localbuf[0] = '<'; + localbuf[1] = '/'; +- assert (xstrncpy (&localbuf[2], el, sizeof(localbuf) - 3)); ++ xstrncpy(&localbuf[2], el, sizeof(localbuf) - 3); + position = localbuf + strlen (localbuf); + *position = '>'; + ++position; + |