import squid-4.15-7.module+el8.9.0+20975+25f17541.5

i8c-stream-4 changed/i8c-stream-4/squid-4.15-7.module+el8.9.0+20975+25f17541.5
MSVSphere Packaging Team 12 months ago
parent c0145915b4
commit 5d97eb6885

@ -0,0 +1,24 @@
diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
index 20b9bf1..81ebb18 100644
--- a/src/anyp/Uri.cc
+++ b/src/anyp/Uri.cc
@@ -173,6 +173,10 @@ urlInitialize(void)
assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards));
assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards));
+ assert(0 != matchDomainName("foo.com", ""));
+ assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards));
+ assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains));
+
/* more cases? */
}
@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags)
return -1;
dl = strlen(d);
+ if (dl == 0)
+ return 1;
/*
* Start at the ends of the two strings and work towards the

File diff suppressed because it is too large Load Diff

@ -0,0 +1,30 @@
commit 77b3fb4df0f126784d5fd4967c28ed40eb8d521b
Author: Alex Rousskov <rousskov@measurement-factory.com>
Date: Wed Oct 25 19:41:45 2023 +0000
RFC 1123: Fix date parsing (#1538)
The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
Handling".
diff --git a/lib/rfc1123.c b/lib/rfc1123.c
index e5bf9a4d7..cb484cc00 100644
--- a/lib/rfc1123.c
+++ b/lib/rfc1123.c
@@ -50,7 +50,13 @@ make_month(const char *s)
char month[3];
month[0] = xtoupper(*s);
+ if (!month[0])
+ return -1; // protects *(s + 1) below
+
month[1] = xtolower(*(s + 1));
+ if (!month[1])
+ return -1; // protects *(s + 2) below
+
month[2] = xtolower(*(s + 2));
for (i = 0; i < 12; i++)

@ -0,0 +1,62 @@
diff --git a/src/ipc.cc b/src/ipc.cc
index 42e11e6..a68e623 100644
--- a/src/ipc.cc
+++ b/src/ipc.cc
@@ -19,6 +19,11 @@
#include "SquidConfig.h"
#include "SquidIpc.h"
#include "tools.h"
+#include <cstdlib>
+
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
static const char *hello_string = "hi there\n";
#ifndef HELLO_BUF_SZ
@@ -365,6 +370,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
}
PutEnvironment();
+
+ // A dup(2) wrapper that reports and exits the process on errors. The
+ // exiting logic is only suitable for this child process context.
+ const auto dupOrExit = [prog,name](const int oldFd) {
+ const auto newFd = dup(oldFd);
+ if (newFd < 0) {
+ const auto savedErrno = errno;
+ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
+ Debug::Extra << "helper (CHILD) PID: " << getpid() <<
+ Debug::Extra << "helper program name: " << prog <<
+ Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
+ _exit(EXIT_FAILURE);
+ }
+ return newFd;
+ };
+
/*
* This double-dup stuff avoids problems when one of
* crfd, cwfd, or debug_log are in the rage 0-2.
@@ -372,17 +393,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
do {
/* First make sure 0-2 is occupied by something. Gets cleaned up later */
- x = dup(crfd);
- assert(x > -1);
- } while (x < 3 && x > -1);
+ x = dupOrExit(crfd);
+ } while (x < 3);
close(x);
- t1 = dup(crfd);
+ t1 = dupOrExit(crfd);
- t2 = dup(cwfd);
+ t2 = dupOrExit(cwfd);
- t3 = dup(fileno(debug_log));
+ t3 = dupOrExit(fileno(debug_log));
assert(t1 > 2 && t2 > 2 && t3 > 2);

@ -2657,7 +2657,7 @@ index 0ab97e4..23076b2 100644
safe_free(ereq); safe_free(ereq);
safe_free(erep); safe_free(erep);
diff --git a/src/peer_digest.cc b/src/peer_digest.cc diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 7b6314d..7c96ce8 100644 index 7b6314d..8a66277 100644
--- a/src/peer_digest.cc --- a/src/peer_digest.cc
+++ b/src/peer_digest.cc +++ b/src/peer_digest.cc
@@ -39,7 +39,6 @@ static EVH peerDigestCheck; @@ -39,7 +39,6 @@ static EVH peerDigestCheck;
@ -2678,18 +2678,25 @@ index 7b6314d..7c96ce8 100644
if (old_e) if (old_e)
e->lastModified(old_e->lastModified()); e->lastModified(old_e->lastModified());
@@ -408,6 +410,11 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData) @@ -408,11 +410,16 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
digest_read_state_t prevstate; digest_read_state_t prevstate;
int newsize; int newsize;
- assert(fetch->pd && receivedData.data);
+ if (receivedData.flags.error) { + if (receivedData.flags.error) {
+ peerDigestFetchAbort(fetch, fetch->buf, "failure loading digest reply from Store"); + peerDigestFetchAbort(fetch, fetch->buf, "failure loading digest reply from Store");
+ return; + return;
+ } + }
+ +
assert(fetch->pd && receivedData.data); + assert(fetch->pd);
/* The existing code assumes that the received pointer is /* The existing code assumes that the received pointer is
* where we asked the data to be put * where we asked the data to be put
*/
- assert(fetch->buf + fetch->bufofs == receivedData.data);
+ assert(!receivedData.data || fetch->buf + fetch->bufofs == receivedData.data);
/* Update the buffer size */
fetch->bufofs += receivedData.length;
@@ -444,10 +451,6 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData) @@ -444,10 +451,6 @@ peerDigestHandleReply(void *data, StoreIOBuffer receivedData)
retsize = peerDigestFetchReply(fetch, fetch->buf, fetch->bufofs); retsize = peerDigestFetchReply(fetch, fetch->buf, fetch->bufofs);
break; break;
@ -2825,6 +2832,15 @@ index 7b6314d..7c96ce8 100644
} }
return 0; /* We need to read more to parse .. */ return 0; /* We need to read more to parse .. */
@@ -755,7 +705,7 @@ peerDigestFetchedEnough(DigestFetchState * fetch, char *buf, ssize_t size, const
}
/* continue checking (maybe-successful eof case) */
- if (!reason && !size) {
+ if (!reason && !size && fetch->state != DIGEST_READ_REPLY) {
if (!pd->cd)
reason = "null digest?!";
else if (fetch->mask_offset != pd->cd->mask_size)
diff --git a/src/servers/FtpServer.cc b/src/servers/FtpServer.cc diff --git a/src/servers/FtpServer.cc b/src/servers/FtpServer.cc
index fab26cf..d3faa8d 100644 index fab26cf..d3faa8d 100644
--- a/src/servers/FtpServer.cc --- a/src/servers/FtpServer.cc

@ -2,7 +2,7 @@
Name: squid Name: squid
Version: 4.15 Version: 4.15
Release: 7%{?dist}.3 Release: 7%{?dist}.5
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
# See CREDITS for breakdown of non GPLv2+ code # See CREDITS for breakdown of non GPLv2+ code
@ -55,6 +55,14 @@ Patch303: squid-4.15-CVE-2023-46846.patch
Patch304: squid-4.15-CVE-2023-46847.patch Patch304: squid-4.15-CVE-2023-46847.patch
# https://issues.redhat.com/browse/RHEL-14792 # https://issues.redhat.com/browse/RHEL-14792
Patch305: squid-4.15-CVE-2023-5824.patch Patch305: squid-4.15-CVE-2023-5824.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2248521
Patch306: squid-4.15-CVE-2023-46728.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2247567
Patch307: squid-4.15-CVE-2023-46724.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2252926
Patch308: squid-4.15-CVE-2023-49285.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2252923
Patch309: squid-4.15-CVE-2023-49286.patch
Requires: bash >= 2.0 Requires: bash >= 2.0
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -125,6 +133,10 @@ lookup program (dnsserver), a program for retrieving FTP data
%patch303 -p1 -b .CVE-2023-46846 %patch303 -p1 -b .CVE-2023-46846
%patch304 -p1 -b .CVE-2023-46847 %patch304 -p1 -b .CVE-2023-46847
%patch305 -p1 -b .CVE-2023-5824 %patch305 -p1 -b .CVE-2023-5824
%patch306 -p1 -b .CVE-2023-46728
%patch307 -p1 -b .CVE-2023-46724
%patch308 -p1 -b .CVE-2023-49285
%patch309 -p1 -b .CVE-2023-49286
# https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # https://bugzilla.redhat.com/show_bug.cgi?id=1679526
# Patch in the vendor documentation and used different location for documentation # Patch in the vendor documentation and used different location for documentation
@ -341,9 +353,22 @@ fi
%changelog %changelog
* Tue Dec 12 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 7:4.15-7.3 * Tue Dec 12 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 7:4.15-7.5
- Rebuilt for MSVSphere 8.8 - Rebuilt for MSVSphere 8.8
* Thu Dec 07 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.5
- Resolves: RHEL-18483 - squid:4/squid: Buffer over-read in the HTTP Message
processing feature (CVE-2023-49285)
- Resolves: RHEL-18485 - squid:4/squid: Incorrect Check of Function Return
Value In Helper Process management (CVE-2023-49286)
* Wed Dec 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 7:4.15-7.4
- Resolves: RHEL-16764 - squid:4/squid: Denial of Service in SSL Certificate
validation (CVE-2023-46724)
- Resolves: RHEL-16775 - squid:4/squid: NULL pointer dereference in the gopher
protocol code (CVE-2023-46728)
- Resolves: RHEL-18257 - squid crashes in assertion when a parent peer exists
* Thu Nov 30 2023 Tomas Korbar <tkorbar@redhat.com> - 7:4.15-7.3 * Thu Nov 30 2023 Tomas Korbar <tkorbar@redhat.com> - 7:4.15-7.3
- Related: RHEL-14792 - squid: squid multiple issues in HTTP response caching - Related: RHEL-14792 - squid: squid multiple issues in HTTP response caching
- Fix mistake in the patch - Fix mistake in the patch

Loading…
Cancel
Save