author | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:32:43 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-04-02 17:32:43 +0200 |
commit | 3db264c1978654cc19d61a5feaf1b0ee54e0a85b (patch) | |
tree | 83e52af694374e899ca8aaff33931096c2187b13 /main | |
parent | 248b3fa9ef3ac2d1eecc6514fa4e1e9368fa4d86 (diff) | |
download | aports-3db264c1978654cc19d61a5feaf1b0ee54e0a85b.tar.bz2 aports-3db264c1978654cc19d61a5feaf1b0ee54e0a85b.tar.xz |
main/squid: various secfixes
Diffstat (limited to 'main')
-rw-r--r-- | main/squid/APKBUILD | 13 | ||||
-rw-r--r-- | main/squid/CVE-2019-12528.patch | 169 | ||||
-rw-r--r-- | main/squid/CVE-2020-8517.patch | 24 | ||||
-rw-r--r-- | main/squid/SQUID-2020_1.patch | 102 |
4 files changed, 307 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD index 8c4798f4ff..97de7a3546 100644 --- a/main/squid/APKBUILD +++ b/main/squid/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=squid pkgver=3.5.27 -pkgrel=3 +pkgrel=4 pkgdesc="A full-featured Web proxy cache server." url="http://www.squid-cache.org" install="squid.pre-install squid.pre-upgrade" @@ -24,6 +24,9 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar. bug-3679.patch CVE-2019-13345.patch CVE-2019-18679.patch + CVE-2019-12528.patch + CVE-2020-8517.patch + SQUID-2020_1.patch squid.initd squid.confd @@ -34,6 +37,11 @@ pkggroups="squid" builddir="$srcdir"/$pkgname-$pkgver # secfixes: +# 3.5.27-r4: +# - CVE-2019-12528 +# - CVE-2020-8449 +# - CVE-2020-8450 +# - CVE-2020-8517 # 3.5.27-r3: # - CVE-2019-13345 # 3.5.27-r2: 
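Review bot: The secfixes block for 3.5.27-r4 lists CVE-2020-8449 and CVE-2020-8450, but none of the three added patches carries either id, so a reader has to infer that SQUID-2020_1.patch (presumably the upstream advisory fix, as its name suggests) is the one that covers them. The source list is a quoted string, so the mapping cannot go there; a comment line just above `# secfixes:` would do, e.g. `# SQUID-2020_1.patch carries the fixes for CVE-2020-8449 and CVE-2020-8450`. The secfixes block itself is parsed by tooling, so leave its `# - CVE-…` lines unchanged.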
@@ -126,6 +134,9 @@ d08d87d4cf97e794735e29ed2a273e27757a9ef95059cf6a2e2855a0c56e92d9e665b85115c9f3b6
 d44d0688a416ce993e186afe77051f764c7b01f452cfe27474a7876bc7f58e36c15c06978eedb189b98e276f512aa3bd58992a08668e89a5ef9cd843c22af72a bug-3679.patch
 9ca3f86fbce36f109a35c35cdb0a9ed21a6fe5cbe7bbb4b92f4527fedd57c19599d338087b099e048084db0374b2ea28bdcbe1798fa37aea8a13d54f6cc0d6a4 CVE-2019-13345.patch
 92ca019640d8aecf8b5ed8a1a03a040089ea5e5529fe36aa4b8cb457a4514b00ee1676b559b62efe1309a43b9932c1a1d85b3dd0ce09ff4e503f5bc26260d1f7 CVE-2019-18679.patch
+f651183f885a7d43ec9fd8f452c4399a7119ba66e9dbca6f995ea5741f2825437de7248b2c40235a7d4c4f05125f302c068a624d6494e6b03df2cee4600a91a0 CVE-2019-12528.patch
+fca27d9dd00f9d080b1bf666392830cc38d4ae7854410f7d5c53ddb54e40216a6bef217b10fa8f4c7c6c6dda317d8071f7814ab9639937c30024085674c28463 CVE-2020-8517.patch
+697ce7af015a1ca3147ef58e4d1cd15bfbd70f1d032d76122f038223287c7b54cd1cd1f16c1405420233afbdd11a73c43b5e2bbba0c5bb3f749e253b979df928 SQUID-2020_1.patch
 15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
 7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
 89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/CVE-2019-12528.patch b/main/squid/CVE-2019-12528.patch
new file mode 100644
index 0000000000..67a307273e
--- /dev/null
+++ b/main/squid/CVE-2019-12528.patch
@@ -0,0 +1,169 @@ +commit 8cdb18ca1829a0b7faa1c9e472604ed0e7e105ac +Author: Christos Tsantilas <christos@chtsanti.net> +Date: 2019-12-20 07:29:58 +0000 + + Fix FTP buffers handling (#521) + + Fix the parsing of the received listing from FTP services. + Also relaxed size/filename grammar used for DOS listings: Tolerate + multiple spaces between the size and the filename. + + This is a Measurement Factory project + +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index 2e50ad9..5bac13b 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -539,8 +539,10 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + { + ftpListParts *p = NULL; + char *t = NULL; +- const char *ct = NULL; +- char *tokens[MAX_TOKENS]; ++ struct FtpLineToken { ++ char *token = NULL; ///< token image copied from the received line ++ size_t pos = 0; ///< token offset on the received line ++ } tokens[MAX_TOKENS]; + int i; + int n_tokens; + static char tbuf[128]; +@@ -581,7 +583,8 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + } + + for (t = strtok(xbuf, w_space); t && n_tokens < MAX_TOKENS; t = strtok(NULL, w_space)) { +- tokens[n_tokens] = xstrdup(t); ++ tokens[n_tokens].token = xstrdup(t); ++ tokens[n_tokens].pos = t - xbuf; + ++n_tokens; + } + +@@ -589,10 +592,10 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + + /* locate the Month field */ + for (i = 3; i < n_tokens - 2; ++i) { +- char *size = tokens[i - 1]; +- char *month = tokens[i]; +- char *day = tokens[i + 1]; +- char *year = tokens[i + 2]; ++ const char *size = tokens[i - 1].token; ++ char *month = tokens[i].token; ++ char *day = tokens[i + 1].token; ++ char *year = tokens[i + 2].token; + + if (!is_month(month)) + continue; +@@ -606,23 +609,27 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + if (regexec(&scan_ftp_time, year, 0, NULL, 0) != 0) /* Yr | hh:mm */ + continue; + +- snprintf(tbuf, 128, "%s %2s %5s", 
+- month, day, year); ++ const char *copyFrom = buf + tokens[i].pos; + +- if (!strstr(buf, tbuf)) +- snprintf(tbuf, 128, "%s %2s %-5s", +- month, day, year); ++ // "MMM DD [ YYYY|hh:mm]" with at most two spaces between DD and YYYY ++ int dateSize = snprintf(tbuf, sizeof(tbuf), "%s %2s %5s", month, day, year); ++ bool isTypeA = (dateSize == 12) && (strncmp(copyFrom, tbuf, dateSize) == 0); + +- char const *copyFrom = NULL; ++ // "MMM DD [YYYY|hh:mm]" with one space between DD and YYYY ++ dateSize = snprintf(tbuf, sizeof(tbuf), "%s %2s %-5s", month, day, year); ++ bool isTypeB = (dateSize == 12 || dateSize == 11) && (strncmp(copyFrom, tbuf, dateSize) == 0); + +- if ((copyFrom = strstr(buf, tbuf))) { +- p->type = *tokens[0]; ++ // TODO: replace isTypeA and isTypeB with a regex. ++ if (isTypeA || isTypeB) { ++ p->type = *tokens[0].token; + p->size = strtoll(size, NULL, 10); ++ const int finalDateSize = snprintf(tbuf, sizeof(tbuf), "%s %2s %5s", month, day, year); ++ assert(finalDateSize >= 0); + p->date = xstrdup(tbuf); + ++ // point after tokens[i+2] : ++ copyFrom = buf + tokens[i + 2].pos + strlen(tokens[i + 2].token); + if (flags.skip_whitespace) { +- copyFrom += strlen(tbuf); +- + while (strchr(w_space, *copyFrom)) + ++copyFrom; + } else { +@@ -634,7 +641,6 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + * Assuming a single space between date and filename + * suggested by: Nathan.Bailey@cc.monash.edu.au and + * Mike Battersby <mike@starbug.bofh.asn.au> */ +- copyFrom += strlen(tbuf); + if (strchr(w_space, *copyFrom)) + ++copyFrom; + } +@@ -654,45 +660,36 @@ ftpListParseParts(const char *buf, struct Ftp::GatewayFlags flags) + + /* try it as a DOS listing, 04-05-70 09:33PM ... 
*/ + if (n_tokens > 3 && +- regexec(&scan_ftp_dosdate, tokens[0], 0, NULL, 0) == 0 && +- regexec(&scan_ftp_dostime, tokens[1], 0, NULL, 0) == 0) { +- if (!strcasecmp(tokens[2], "<dir>")) { ++ regexec(&scan_ftp_dosdate, tokens[0].token, 0, NULL, 0) == 0 && ++ regexec(&scan_ftp_dostime, tokens[1].token, 0, NULL, 0) == 0) { ++ if (!strcasecmp(tokens[2].token, "<dir>")) { + p->type = 'd'; + } else { + p->type = '-'; +- p->size = strtoll(tokens[2], NULL, 10); ++ p->size = strtoll(tokens[2].token, NULL, 10); + } + +- snprintf(tbuf, 128, "%s %s", tokens[0], tokens[1]); ++ snprintf(tbuf, sizeof(tbuf), "%s %s", tokens[0].token, tokens[1].token); + p->date = xstrdup(tbuf); + + if (p->type == 'd') { +- /* Directory.. name begins with first printable after <dir> */ +- ct = strstr(buf, tokens[2]); +- ct += strlen(tokens[2]); +- +- while (xisspace(*ct)) +- ++ct; +- +- if (!*ct) +- ct = NULL; ++ // Directory.. name begins with first printable after <dir> ++ // Because of the "n_tokens > 3", the next printable after <dir> ++ // is stored at token[3]. No need for more checks here. + } else { +- /* A file. Name begins after size, with a space in between */ +- snprintf(tbuf, 128, " %s %s", tokens[2], tokens[3]); +- ct = strstr(buf, tbuf); +- +- if (ct) { +- ct += strlen(tokens[2]) + 2; +- } ++ // A file. Name begins after size, with a space in between. ++ // Also a space should exist before size. ++ // But there is not needed to be very strict with spaces. ++ // The name is stored at token[3], take it from here. + } + +- p->name = xstrdup(ct ? ct : tokens[3]); ++ p->name = xstrdup(tokens[3].token); + goto found; + } + + /* Try EPLF format; carson@lehman.com */ + if (buf[0] == '+') { +- ct = buf + 1; ++ const char *ct = buf + 1; + p->type = 0; + + while (ct && *ct) { +@@ -763,7 +760,7 @@ blank: + found: + + for (i = 0; i < n_tokens; ++i) +- xfree(tokens[i]); ++ xfree(tokens[i].token); + + if (!p->name) + ftpListPartsFree(&p); /* cleanup */ 
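Review bot: The new `copyFrom = buf + tokens[i + 2].pos + strlen(tokens[i + 2].token);` feeds the unchanged loop `while (strchr(w_space, *copyFrom)) ++copyFrom;`, which has no end-of-string stop: strchr() also matches the terminator when `*copyFrom` is '\0', so if the year token is the last token on the line the loop steps past the buffer (the `if (strchr(w_space, *copyFrom)) ++copyFrom;` in the else branch has the same one-byte over-step). The old code reached that loop only after a strstr() hit, and the hunk does not show whether an earlier check guarantees text after the date, so this may already be guarded; if not, `while (*copyFrom && strchr(w_space, *copyFrom))` closes it. Separately, the `pos` offsets are measured in `xbuf` (strtok's working copy) and applied to `buf`, which is only valid if xbuf is a byte-for-byte copy of buf; its creation is outside the hunk, so a note on the field such as `///< offset on the received line; applied to buf, so xbuf must be an exact copy` would make that dependency visible. ftpListParseParts starts and ends outside the hunk.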
diff --git a/main/squid/CVE-2020-8517.patch b/main/squid/CVE-2020-8517.patch
new file mode 100644
index 0000000000..bf8e6e79c6
--- /dev/null
+++ b/main/squid/CVE-2020-8517.patch
@@ -0,0 +1,24 @@
+commit c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d (HEAD, refs/remotes/origin/v3.5, refs/heads/v3.5)
+Author: aaron-costello <56684862+aaron-costello@users.noreply.github.com>
+Date: 2019-11-22 02:44:29 +0000
+
+ ext_lm_group_acl: Improved username handling (#512)
+
+diff --git a/helpers/external_acl/LM_group/ext_lm_group_acl.cc b/helpers/external_acl/LM_group/ext_lm_group_acl.cc
+index def9db5..f93fc33 100644
+--- a/helpers/external_acl/LM_group/ext_lm_group_acl.cc
++++ b/helpers/external_acl/LM_group/ext_lm_group_acl.cc
+@@ -343,10 +343,10 @@ Valid_Global_Groups(char *UserName, const char **Groups)
+ break;
+ }
+ if (domain_qualify == NULL) {
+- strcpy(User, NTDomain);
+- strcpy(NTDomain, DefaultDomain);
++ xstrncpy(User, NTDomain, sizeof(User));
++ xstrncpy(NTDomain, DefaultDomain, sizeof(NTDomain));
+ } else {
+- strcpy(User, domain_qualify + 1);
++ xstrncpy(User, domain_qualify + 1, sizeof(User));
+ domain_qualify[0] = '\0';
+ strlwr(NTDomain);
+ }
diff --git a/main/squid/SQUID-2020_1.patch b/main/squid/SQUID-2020_1.patch
new file mode 100644
index 0000000000..7902bf8df7
--- /dev/null
+++ b/main/squid/SQUID-2020_1.patch
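Review bot: `xstrncpy(User, NTDomain, sizeof(User))` and `xstrncpy(NTDomain, DefaultDomain, sizeof(NTDomain))` bound the copy only if User and NTDomain are arrays in this scope; their declarations are outside the hunk, and if either were a pointer sizeof() would yield the pointer width and silently truncate. Worth confirming against the declarations at the top of Valid_Global_Groups, whose body starts outside the hunk. A comment at the first call, e.g. `// User and NTDomain are fixed-size local buffers, so sizeof() is the real capacity`, would make the assumption visible, and the termination behaviour of xstrncpy (not shown here) is what the fix relies on, so name it there too.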
@@ -0,0 +1,102 @@ +commit 8e657e835965c3a011375feaa0359921c5b3e2dd (refs/remotes/origin/v3.5) +Author: Amos Jeffries <yadij@users.noreply.github.com> +Date: 2019-08-13 13:50:06 +0000 + + Ignore malformed Host header in intercept and reverse proxy mode (#456) + +diff --git a/src/client_side.cc b/src/client_side.cc +index d374ad1..f14424d 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -2050,6 +2050,23 @@ setLogUri(ClientHttpRequest * http, char const *uri, bool cleanUrl) + } + } + ++static char * ++getHostHeader(const char *req_hdr) ++{ ++ char *host = mime_get_header(req_hdr, "Host"); ++ if (!host) ++ return NULL; ++ ++ // check the header contents are valid ++ for(const char *c = host; *c != '\0'; ++c) { ++ // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port] ++ static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT; ++ if (hostChars[*c]) ++ return NULL; // error. line contains character not accepted in Host header ++ } ++ return host; ++} ++ + static void + prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, const char *req_hdr) + { +@@ -2092,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, + + const bool switchedToHttps = conn->switchedToHttps(); + const bool tryHostHeader = vhost || switchedToHttps; +- if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) { ++ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) { + debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport); + char thost[256]; + if (vport > 0) { +@@ -2151,7 +2168,7 @@ prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url, + + /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */ + +- if ((host = mime_get_header(req_hdr, "Host")) != NULL) { ++ if ((host = getHostHeader(req_hdr)) != NULL) { + int url_sz = strlen(url) + 32 + 
Config.appendDomainLen + + strlen(host); + http->uri = (char *)xcalloc(url_sz, 1); +commit d29ac78fd203f55bf391bcb24348ed43ea469d21 +Author: squidadm <squidadm@users.noreply.github.com> +Date: 2020-02-02 00:03:24 +1300 + + Fix request URL generation in reverse proxy configurations (#550) + +diff --git a/src/client_side.cc b/src/client_side.cc +index f14424d..3fecf68 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -2109,9 +2109,9 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, + + const bool switchedToHttps = conn->switchedToHttps(); + const bool tryHostHeader = vhost || switchedToHttps; +- if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL) { ++ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) { + debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport); +- char thost[256]; ++ char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */]; + if (vport > 0) { + thost[0] = '\0'; + char *t = NULL; +commit 21d99bdeaed7b2208098d824496da954920ea720 (HEAD, refs/remotes/origin/v3.5, refs/heads/v3.5) +Author: Armin Wolfermann <aw@osn.de> +Date: 2020-02-04 21:15:00 +0100 + + fix security patch + +diff --git a/src/client_side.cc b/src/client_side.cc +index 3fecf68..2d58fcb 100644 +--- a/src/client_side.cc ++++ b/src/client_side.cc +@@ -2061,7 +2061,7 @@ getHostHeader(const char *req_hdr) + for(const char *c = host; *c != '\0'; ++c) { + // currently only used for pre-parse Host header, ensure valid domain[:port] or ip[:port] + static const CharacterSet hostChars = CharacterSet("host",":[].-_") + CharacterSet::ALPHA + CharacterSet::DIGIT; +- if (hostChars[*c]) ++ if (!hostChars[*c]) + return NULL; // error. 
line contains character not accepted in Host header + } + return host; +@@ -2109,7 +2109,7 @@ prepareAcceleratedURL(ConnStateData * conn, ClientHttpRequest *http, char *url, + + const bool switchedToHttps = conn->switchedToHttps(); + const bool tryHostHeader = vhost || switchedToHttps; +- if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) >= SQUIDHOSTNAMELEN) { ++ if (tryHostHeader && (host = getHostHeader(req_hdr)) != NULL && strlen(host) <= SQUIDHOSTNAMELEN) { + debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport); + char thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */]; + if (vport > 0) { |
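Review bot: The final check `strlen(host) <= SQUIDHOSTNAMELEN` admits a host of exactly SQUIDHOSTNAMELEN characters, while `thost[SQUIDHOSTNAMELEN + 6 /* ':' vport */]` holds only ':' plus five port digits with no room for the terminator; a five-digit vport therefore needs one byte more than thost has unless the fill code after `char *t = NULL;` (outside the hunk) bounds its write with sizeof(thost). Either size the array as `SQUIDHOSTNAMELEN + 7` or make the check `<`, and state which in the inline comment. The file also squashes three upstream commits where the second and third each invert a check introduced by the one before (`hostChars[*c]` becomes `!hostChars[*c]`, `>=` becomes `<=`); the net result looks right as far as the hunk shows, but a header line in the patch saying it is the cumulative SQUID-2020_1 series would save the next reader from tracing it. prepareAcceleratedURL's body continues outside the hunk.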