authorLeo <thinkabit.ukim@gmail.com>2020-03-27 13:33:08 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-03-27 21:27:18 +0000
commit225360732093a00d6a58a6e626b26e6794a4739c (patch)
tree8127c6abb3462de96655f3664f29730bf9c79f1e
parentd2ccfe10868c3a4f64c1edb32849025118b1e227 (diff)
main/squid: fix CVE-2019-18679
see #10946
-rw-r--r--main/squid/APKBUILD2
-rw-r--r--main/squid/CVE-2019-18679.patch101
2 files changed, 103 insertions, 0 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index 558dab4591e..8c4798f4ff1 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -23,6 +23,7 @@ source="http://www.squid-cache.org/Versions/v3/${pkgver%.*}/squid-${pkgver}.tar.
SQUID-2018_3.patch
bug-3679.patch
CVE-2019-13345.patch
+ CVE-2019-18679.patch
squid.initd
squid.confd
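Review bot: `pkgrel` is not bumped and no `# secfixes:` entry is added in this commit, going by the diffstat, which shows only two added lines in APKBUILD (the `source=` entry in this hunk and the sha512 line in the next). Without a `pkgrel` increase the rebuilt package keeps the same version-release, so systems that already have it installed would presumably not be offered the patched build. Without the `# secfixes:` entry, tooling that reads that comment block cannot record this release as fixed. The rest of APKBUILD is outside the hunks, so confirm neither is handled elsewhere; if not, increment `pkgrel` and list the CVE id from the commit title under the new release in `# secfixes:`.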
@@ -124,6 +125,7 @@ d08d87d4cf97e794735e29ed2a273e27757a9ef95059cf6a2e2855a0c56e92d9e665b85115c9f3b6
20a036b34f7a595d83e707180d831c4adc9b7432f09be5341cfe7b3b00cbe3e5c0de07376a67834b94e08c849703822371eb71938a024307cb52cf8ef52138e8 SQUID-2018_3.patch
d44d0688a416ce993e186afe77051f764c7b01f452cfe27474a7876bc7f58e36c15c06978eedb189b98e276f512aa3bd58992a08668e89a5ef9cd843c22af72a bug-3679.patch
9ca3f86fbce36f109a35c35cdb0a9ed21a6fe5cbe7bbb4b92f4527fedd57c19599d338087b099e048084db0374b2ea28bdcbe1798fa37aea8a13d54f6cc0d6a4 CVE-2019-13345.patch
+92ca019640d8aecf8b5ed8a1a03a040089ea5e5529fe36aa4b8cb457a4514b00ee1676b559b62efe1309a43b9932c1a1d85b3dd0ce09ff4e503f5bc26260d1f7 CVE-2019-18679.patch
15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch
new file mode 100644
index 00000000000..0e8a3f5c8f8
--- /dev/null
+++ b/main/squid/CVE-2019-18679.patch
@@ -0,0 +1,101 @@
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index 3a3b3a8..595e471 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -727,14 +727,12 @@ HttpHeader::parse(const char *header_start, const char *header_end)
+ break; /* terminating blank line */
+ }
+
+- if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
++ const auto e = HttpHeaderEntry::parse(field_start, field_end, owner);
++ if (!e) {
+ debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" <<
+ getStringPrefix(field_start, field_end) << "}");
+ debugs(55, warnOnError, " in {" << getStringPrefix(header_start, header_end) << "}");
+
+- if (Config.onoff.relaxed_header_parser)
+- continue;
+-
+ PROF_stop(HttpHeaderParse);
+ return reset();
+ }
+@@ -1665,7 +1663,7 @@ HttpHeaderEntry::~HttpHeaderEntry()
+
+ /* parses and inits header entry, returns true/false */
+ HttpHeaderEntry *
+-HttpHeaderEntry::parse(const char *field_start, const char *field_end)
++HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType)
+ {
+ /* note: name_start == field_start */
+ const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start);
+@@ -1682,19 +1680,41 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
+
+ if (name_len > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
+- debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes");
++ // TODO: update this to show proper name_len in Raw markup, but not print all that
++ debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)");
+ return NULL;
+ }
+
+- if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) {
++ /*
++ * RFC 7230 section 3.2.4:
++ * "No whitespace is allowed between the header field-name and colon.
++ * ...
++ * A server MUST reject any received request message that contains
++ * whitespace between a header field-name and colon with a response code
++ * of 400 (Bad Request). A proxy MUST remove any such whitespace from a
++ * response message before forwarding the message downstream."
++ */
++ if (xisspace(field_start[name_len - 1])) {
++
++ if (msgType == hoRequest)
++ return nullptr;
++
++ // for now, also let relaxed parser remove this BWS from any non-HTTP messages
++ const bool stripWhitespace = (msgType == hoReply) ||
++ Config.onoff.relaxed_header_parser;
++ if (!stripWhitespace)
++ return nullptr; // reject if we cannot strip
++
+ debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
+ "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end) << "'");
+
+ while (name_len > 0 && xisspace(field_start[name_len - 1]))
+ --name_len;
+
+- if (!name_len)
++ if (!name_len) {
++ debugs(55, 2, "found header with only whitespace for name");
+ return NULL;
++ }
+ }
+
+ /* now we know we can parse it */
+@@ -1728,11 +1748,7 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
+
+ if (field_end - value_start > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
+- debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes");
+-
+- if (id == HDR_OTHER)
+- name.clean();
+-
++ debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes");
+ return NULL;
+ }
+
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index 23f69a4..5db1f0d 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -187,7 +187,7 @@ class HttpHeaderEntry
+ public:
+ HttpHeaderEntry(http_hdr_type id, const char *name, const char *value);
+ ~HttpHeaderEntry();
+- static HttpHeaderEntry *parse(const char *field_start, const char *field_end);
++ static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType);
+ HttpHeaderEntry *clone() const;
+ void packInto(Packer *p) const;
+ int getInt() const;
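Review bot: The added patch file starts directly at `diff --git a/src/HttpHeader.cc` with no header naming its upstream commit or advisory, so nothing in the file ties its content to the CVE id in the file name. The visible changes are confined to header-field parsing in `HttpHeader::parse` and `HttpHeaderEntry::parse`: requests with whitespace between field-name and colon are rejected, that whitespace is stripped from replies, and the relaxed-parser `continue` is removed. Please confirm against the upstream advisory that this is the fix for the CVE the commit claims, rather than a neighbouring advisory's patch. I would add a short preamble above the first `diff --git` line, for example `Upstream: <upstream commit or advisory URL>` and `Fixes: <CVE id as confirmed upstream>`, so later rebases and audits can verify provenance.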