aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorLeonardo Arena <rnalrd@alpinelinux.org>2019-11-11 15:34:20 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-11-11 15:36:23 +0000
commit49fa120aba707913031864610f9f1e8c9611cc06 (patch)
treef8b317f390682716598ee3a6dbd8d7628b1c40d4 /main
parente245657e6ddf7511c3bb512238a8b2fc8df56be3 (diff)
downloadaports-3.9-stable.tar.bz2
aports-3.9-stable.tar.xz
main/squid: security fix (CVE-2019-18679)3.9-stable
ref #10946
Diffstat (limited to 'main')
-rw-r--r--main/squid/APKBUILD6
-rw-r--r--main/squid/CVE-2019-18679.patch120
2 files changed, 125 insertions, 1 deletions
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index c5884e07ce..2be283ad81 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=squid
pkgver=4.8
-pkgrel=0
+pkgrel=1
pkgdesc="A full-featured Web proxy cache server."
url="http://www.squid-cache.org"
install="squid.pre-install squid.pre-upgrade"
@@ -18,6 +18,7 @@ linguas="af ar az bg ca cs da de el es et fa fi fr he hu hy id it ja ka ko lt
lv ms nl oc pl pt ro ru sk sl sr sv th tr uk uz vi zh"
langdir="/usr/share/squid/errors"
source="http://www.squid-cache.org/Versions/v4/squid-${pkgver}.tar.xz
+ CVE-2019-18679.patch
$pkgname.initd
$pkgname.confd
@@ -29,6 +30,8 @@ builddir="$srcdir"/$pkgname-$pkgver
options="!check" # does not work. Error message is about "applet not found", some issue with the installed busybox
# secfixes:
+# 4.8-r1:
+# - CVE-2019-18679
# 4.8-r0:
# - CVE-2019-13345
# 3.5.27-r2:
@@ -104,6 +107,7 @@ squid_kerb_auth() {
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
sha512sums="2223f299950ded074faca6e3d09c15bc26e8644c3019b36a612f5d424e25b02a528c4b3c8a9463864f71edc29f17c5662f16ffda18c76317405cb97657e5e823 squid-4.8.tar.xz
+e2a38576105eb056640f334499504e10605e5b7e82bcd602fe019dd010beb2c70eddc931ca2b3e452f229a28de0f6c7fb6b770bcf2f3c406044286d8fed18490 CVE-2019-18679.patch
15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
diff --git a/main/squid/CVE-2019-18679.patch b/main/squid/CVE-2019-18679.patch
new file mode 100644
index 0000000000..9ad820d319
--- /dev/null
+++ b/main/squid/CVE-2019-18679.patch
@@ -0,0 +1,120 @@
+commit 671ba97abe929156dc4c717ee52ad22fba0f7443
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date: 2019-09-11 02:52:52 +0000
+
+ RFC 7230: server MUST reject messages with BWS after field-name (#445)
+
+ Obey the RFC requirement to reject HTTP requests with whitespace
+ between field-name and the colon delimiter. Rejection is
+ critical in the presence of broken HTTP agents that mishandle
+ malformed messages.
+
+ Also obey requirement to always strip such whitespace from HTTP
+ response messages. The relaxed parser is no longer necessary for
+ this response change.
+
+ For now non-HTTP protocols retain the old behaviour of removal
+ only when using the relaxed parser.
+
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index dd320d5..a36ad85 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -421,15 +421,12 @@ HttpHeader::parse(const char *header_start, size_t hdrLen)
+ break; /* terminating blank line */
+ }
+
+- HttpHeaderEntry *e;
+- if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
++ const auto e = HttpHeaderEntry::parse(field_start, field_end, owner);
++ if (!e) {
+ debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" <<
+ getStringPrefix(field_start, field_end-field_start) << "}");
+ debugs(55, warnOnError, " in {" << getStringPrefix(header_start, hdrLen) << "}");
+
+- if (Config.onoff.relaxed_header_parser)
+- continue;
+-
+ PROF_stop(HttpHeaderParse);
+ clean();
+ return 0;
+@@ -1386,7 +1383,7 @@ HttpHeaderEntry::~HttpHeaderEntry()
+
+ /* parses and inits header entry, returns true/false */
+ HttpHeaderEntry *
+-HttpHeaderEntry::parse(const char *field_start, const char *field_end)
++HttpHeaderEntry::parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType)
+ {
+ /* note: name_start == field_start */
+ const char *name_end = (const char *)memchr(field_start, ':', field_end - field_start);
+@@ -1403,19 +1400,41 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
+
+ if (name_len > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
+- debugs(55, DBG_IMPORTANT, "WARNING: ignoring header name of " << name_len << " bytes");
++ // TODO: update this to show proper name_len in Raw markup, but not print all that
++ debugs(55, 2, "ignoring huge header field (" << Raw("field_start", field_start, 100) << "...)");
+ return NULL;
+ }
+
+- if (Config.onoff.relaxed_header_parser && xisspace(field_start[name_len - 1])) {
++ /*
++ * RFC 7230 section 3.2.4:
++ * "No whitespace is allowed between the header field-name and colon.
++ * ...
++ * A server MUST reject any received request message that contains
++ * whitespace between a header field-name and colon with a response code
++ * of 400 (Bad Request). A proxy MUST remove any such whitespace from a
++ * response message before forwarding the message downstream."
++ */
++ if (xisspace(field_start[name_len - 1])) {
++
++ if (msgType == hoRequest)
++ return nullptr;
++
++ // for now, also let relaxed parser remove this BWS from any non-HTTP messages
++ const bool stripWhitespace = (msgType == hoReply) ||
++ Config.onoff.relaxed_header_parser;
++ if (!stripWhitespace)
++ return nullptr; // reject if we cannot strip
++
+ debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
+ "NOTICE: Whitespace after header name in '" << getStringPrefix(field_start, field_end-field_start) << "'");
+
+ while (name_len > 0 && xisspace(field_start[name_len - 1]))
+ --name_len;
+
+- if (!name_len)
++ if (!name_len) {
++ debugs(55, 2, "found header with only whitespace for name");
+ return NULL;
++ }
+ }
+
+ /* now we know we can parse it */
+@@ -1448,11 +1467,7 @@ HttpHeaderEntry::parse(const char *field_start, const char *field_end)
+
+ if (field_end - value_start > 65534) {
+ /* String must be LESS THAN 64K and it adds a terminating NULL */
+- debugs(55, DBG_IMPORTANT, "WARNING: ignoring '" << name << "' header of " << (field_end - value_start) << " bytes");
+-
+- if (id == Http::HdrType::OTHER)
+- name.clean();
+-
++ debugs(55, 2, "WARNING: found '" << name << "' header of " << (field_end - value_start) << " bytes");
+ return NULL;
+ }
+
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index 35a9410..be175b7 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -54,7 +54,7 @@ class HttpHeaderEntry
+ public:
+ HttpHeaderEntry(Http::HdrType id, const char *name, const char *value);
+ ~HttpHeaderEntry();
+- static HttpHeaderEntry *parse(const char *field_start, const char *field_end);
++ static HttpHeaderEntry *parse(const char *field_start, const char *field_end, const http_hdr_owner_type msgType);
+ HttpHeaderEntry *clone() const;
+ void packInto(Packable *p) const;
+ int getInt() const;