ports/76173: [Maintainer/Security] www/squid: fix two security issues
Thomas-Martin Seck
tmseck at netcologne.de
Wed Jan 12 19:30:27 UTC 2005
>Number: 76173
>Category: ports
>Synopsis: [Maintainer/Security] www/squid: fix two security issues
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 12 19:30:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 12, 2004.
>Description:
- Integrate vendor patches as published on
  <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
  issues (security-team CC'ed):
  + prevent a possible denial of service attack via WCCP messages (squid bug
    #1190), classified as security issue by the vendor
  + fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
    #1189), classified as security issue by the vendor
  + fix a null pointer access and plug memory leaks in the fake_auth NTLM
    helper (squid bug #1183) (this helper app is not installed by default by
    the port)
  + stop closing open file descriptors beyond stdin, stdout and stderr on
    startup (squid bug #1177)
- unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
  nagilum.de>" for reporting this)

Proposed VuXML information for the two security issues, entry dates left to be
filled in:
<vuln vid="5fe7e27a-64cb-11d9-9e1e-c296ac722cb3">
  <topic>squid -- Denial Of Service With Forged WCCP Messages</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.5.7_6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The squid patches page notes:</p>
      <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth">
        <p>WCCP_I_SEE_YOU messages contain a 'number of caches' field
          which should be between 1 and 32. Values outside that range may
          crash Squid if WCCP is enabled, and if an attacker can spoof
          UDP packets with the WCCP router's IP address.</p>
      </blockquote>
      <p>Note: the WCCP protocol is not enabled by default in squid's
        FreeBSD port.</p>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth</url>
  </references>
  <dates>
    <discovery>2005-01-11</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
<vuln vid="184ab9e0-64cd-11d9-9e1e-c296ac722cb3">
  <topic>squid -- Buffer Overflow Bug in gopherToHTML</topic>
  <affects>
    <package>
      <name>squid</name>
      <range><lt>2.5.7_6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The squid patches page notes:</p>
      <blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing">
        <p>A malicious gopher server may return a response with very
          long lines that cause a buffer overflow in Squid.</p>
        <p>workaround: Since gopher is very obscure these days, do not
          allow Squid to any gopher servers. Use an ACL rule like:</p>
        <pre>
acl Gopher proto gopher
http_access deny Gopher
</pre>
      </blockquote>
    </body>
  </description>
  <references>
    <url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing</url>
  </references>
  <dates>
    <discovery>2005-01-11</discovery>
    <entry>YYYY-MM-DD</entry>
  </dates>
</vuln>
>How-To-Repeat:
>Fix:
Apply this patch:
Index: distinfo
===================================================================
--- distinfo (.../www/squid) (revision 325)
+++ distinfo (.../local/squid) (revision 325)
@@ -18,3 +18,11 @@
SIZE (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = 6238
MD5 (squid2.5/squid-2.5.STABLE7-empty_acls.patch) = 77d4365ebd4216ecde5f08301d43a02b
SIZE (squid2.5/squid-2.5.STABLE7-empty_acls.patch) = 4432
+MD5 (squid2.5/squid-2.5.STABLE7-close_other.patch) = 70f04f805907bb6544ae5aaccb74f324
+SIZE (squid2.5/squid-2.5.STABLE7-close_other.patch) = 945
+MD5 (squid2.5/squid-2.5.STABLE7-fakeauth_auth.patch) = 1b630af756317f97046adad302faedc4
+SIZE (squid2.5/squid-2.5.STABLE7-fakeauth_auth.patch) = 7967
+MD5 (squid2.5/squid-2.5.STABLE7-gopher_html_parsing.patch) = 1c0ba661b91a17fbd01e5e42430deb86
+SIZE (squid2.5/squid-2.5.STABLE7-gopher_html_parsing.patch) = 714
+MD5 (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 0c77d92efda39797eb7d59c8d2e942d0
+SIZE (squid2.5/squid-2.5.STABLE7-wccp_denial_of_service.patch) = 1928
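Review bot: the four patch files added at the end of this distinfo hunk are pinned by MD5 and SIZE only. MD5 does not resist collisions, and these are security patches pulled from the distribution site, so a stronger digest line per file (for example SHA256) next to each MD5 entry would make the checksum a meaningful integrity control.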
Index: Makefile
===================================================================
--- Makefile (.../www/squid) (revision 325)
+++ Makefile (.../local/squid) (revision 325)
@@ -74,7 +74,7 @@
PORTNAME= squid
PORTVERSION= 2.5.7
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= www
MASTER_SITES= \
ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -95,7 +95,11 @@
squid-2.5.STABLE7-dothost.patch \
squid-2.5.STABLE7-httpd_accel_vport.patch \
squid-2.5.STABLE7-cachemgr_vmobjects.patch \
- squid-2.5.STABLE7-empty_acls.patch
+ squid-2.5.STABLE7-empty_acls.patch \
+ squid-2.5.STABLE7-close_other.patch \
+ squid-2.5.STABLE7-fakeauth_auth.patch \
+ squid-2.5.STABLE7-gopher_html_parsing.patch \
+ squid-2.5.STABLE7-wccp_denial_of_service.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck at netcologne.de
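Review bot: in the patch list extended by this hunk, the two entries the report classifies as security fixes (gopher_html_parsing and wccp_denial_of_service) are not distinguished from the plain bug-fix patches. A short comment above the list naming squid bugs #1189 and #1190 would keep them from being dropped by accident when the list is pruned on a version update. The four added names do match the four new distinfo entries.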
@@ -169,7 +173,7 @@
libexec= cachemgr.cgi digest_pw_auth diskd dnsserver ip_user_check \
squid_ldap_auth squid_ldap_group msnt_auth ncsa_auth ntlm_auth \
pam_auth pinger smb_auth smb_auth.sh squid_unix_group \
- unlinkd wb_auth wb_group wb_ntlmauth wbinfo_group.pl yp_auth
+ unlinkd wb_auth wb_group wb_ntlmauth wbinfo_group.pl
CONFIGURE_ARGS= --bindir=${PREFIX}/sbin --sysconfdir=${PREFIX}/etc/squid \
--datadir=${PREFIX}/etc/squid \
@@ -181,7 +185,7 @@
# Authentication methods and modules:
-basic_auth= NCSA PAM YP MSNT SMB winbind
+basic_auth= NCSA PAM MSNT SMB winbind
external_acl= ip_user unix_group wbinfo_group winbind_group
MAN8+= pam_auth.8 squid_unix_group.8
.if defined(WITH_SQUID_LDAP_AUTH)
@@ -192,6 +196,10 @@
basic_auth+= LDAP
external_acl+= ldap_group
.endif
+.if !defined(NO_NIS)
+basic_auth+= YP
+libexec+= yp_auth
+.endif
CONFIGURE_ARGS+= --enable-auth="basic ntlm digest" \
--enable-basic-auth-helpers="${basic_auth}" \
--enable-digest-auth-helpers="password" \
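Review bot: the new ".if !defined(NO_NIS)" block re-adds YP to basic_auth and yp_auth to libexec, so it is only correct together with the two earlier hunks that drop both from the defaults, and the packing list has to follow libexec for a NO_NIS build to install cleanly; that part is not visible in this patch. Worth confirming that a NO_NIS build no longer expects yp_auth at install time, and adding a one-line comment above the block saying why YP is conditional.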
>Release-Note:
>Audit-Trail:
>Unformatted:
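
The range check that the WCCP advisory text above calls for, as an added example (not Squid's code and not the vendor patch): a received I_SEE_YOU-style datagram is rejected unless its 'number of caches' field is within 1..32 and the datagram is long enough to hold that many records. The header layout, record size, byte order and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WCCP_MAX_CACHES 32   /* upper bound quoted in the advisory text */
#define HDR_LEN   16         /* assumed header: four 32-bit fields, count last */
#define ENTRY_LEN 44         /* assumed size of one per-cache record */

/* Read a big-endian 32-bit field without assuming alignment. */
static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the cache count (1..32), or -1 if the datagram must be dropped. */
int wccp_check_i_see_you(const unsigned char *buf, size_t len)
{
    uint32_t n;
    if (len < HDR_LEN)
        return -1;                      /* truncated header */
    n = rd32(buf + 12);                 /* 'number of caches' field */
    if (n < 1 || n > WCCP_MAX_CACHES)
        return -1;                      /* outside 1..32 */
    if (len - HDR_LEN < (size_t)n * ENTRY_LEN)
        return -1;                      /* count exceeds the data received */
    return (int)n;
}

/* Constructed sample: zeroed header carrying `count`, then `entries` records. */
size_t make_sample(unsigned char *out, uint32_t count, unsigned entries)
{
    size_t len = HDR_LEN + (size_t)entries * ENTRY_LEN;
    memset(out, 0, len);
    out[12] = (unsigned char)(count >> 24);
    out[13] = (unsigned char)(count >> 16);
    out[14] = (unsigned char)(count >> 8);
    out[15] = (unsigned char)count;
    return len;
}

int main(void)
{
    unsigned char pkt[2048];
    size_t len = make_sample(pkt, 33, 2);   /* constructed: one past the limit */
    printf("count=33 -> %d\n", wccp_check_i_see_you(pkt, len));
    return 0;
}
```

The third check matters as much as the range check: a count that is in range but larger than the data actually received would still send a loop over the records past the end of the buffer.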