ports/76628: [Maintainer/security] www/squid: integrate partly security relevant vendor patches

Thomas-Martin Seck tmseck at netcologne.de
Mon Jan 24 19:30:27 UTC 2005


>Number:         76628
>Category:       ports
>Synopsis:       [Maintainer/security] www/squid: integrate partly security relevant vendor patches
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 24 19:30:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 24, 2005.

	
>Description:
- integrate vendor patches as published on
  <http://www.squid-cache.org/Versions/v2/2.5/bugs/>:

  + Reject malformed HTTP requests and responses that conflict with the HTTP
    specifications.
    This issue is qualified as a security issue by the vendor.
    
    Note to committer: the published patch was (as of 2005-01-24, 18:00 UTC)
    incomplete as the new ERR_INVALID_RESP error page was not created in
    all language directories. As a temporary workaround, I created an
    additional patch. It's possible that the vendor patch gets updated
    to reflect this, please re-check before commit.

  + PURGE is allowed to delete internal objects (squid bug #1112)

  + Disable Path-MTU discovery on intercepted requests (squid bug #1154)

- clean up and correct package list generation. Now installed files
  and directories are visible via PLIST_FILES and PLIST_DIRS.
  While at it, don't claim that squid related files or directories are
  still present after deinstallation when in fact they are not.

Note to committer: please 'cvs add' files/patch-ERR_INVALID_RESP (if it's
still needed, i.e. the vendor patch still lacks this data)

Proposed VuXML information, entry date left to be filled in:

(Note to security-team: I am not entirely sure whether I understood the
description of the patch correctly. Feel free to improve the VuXML data,
especially if you have further knowledge about the practical impact of this
issue. Maybe the information could even be combined with vuln
4e4bd2c2-6bd5-11d9-9e1e-c296ac722cb3 since both patches seem to address the
same problem from different angles?)

<vuln vid="b4d94fa0-6e38-11d9-9e1e-c296ac722cb3">
  <topic>squid -- possible cache-poisoning via malformed HTTP responses</topic>
  <affects>
    <package>
	<name>squid</name>
	<range><lt>2.5.7_9</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The squid patches page notes:</p>
	<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing">
	  <p>This patch makes Squid considerably stricter while parsing the
	    HTTP protocol.</p>
          <ol>
	    <li>A Content-length header should only appear once in a valid
	      request or response. Multiple Content-length headers, in
	      conjunction with specially crafted requests, may allow Squid's
	      cache to be poisoned with bad content in certain situations.</li>
	    <li>CR characters are only allowed as part of the CR NL line
	      terminator, not alone. This is to ensure that all involved agree on
	      the structure of HTTP headers.</li>
	    <li>Rejects requests/responses that have whitespace in an HTTP
	      header name.</li>
	  </ol>
	</blockquote>
	<p>To enable these strict parsing rules, update to at least
	  squid-2.5.7_9 and specify
	  <code>relaxed_header_parser off</code>
	  in squid.conf.</p>
    </body>
  </description>
  <references>
  	<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing</url>
  </references>
  <dates>
    <discovery>2005-01-24</discovery>
    <entry></entry>
  </dates>
</vuln>

	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: distinfo
===================================================================
--- distinfo	(.../www/squid)	(revision 360)
+++ distinfo	(.../local/squid)	(revision 360)
@@ -12,6 +12,8 @@
 SIZE (squid2.5/squid-2.5.STABLE7-blank_response.patch) = 723
 MD5 (squid2.5/squid-2.5.STABLE7-dothost.patch) = 81034e9092a06d9aa1e9ede26632ae03
 SIZE (squid2.5/squid-2.5.STABLE7-dothost.patch) = 2155
+MD5 (squid2.5/squid-2.5.STABLE7-PURGE_internal.patch) = bc9d928b8dd37eaadd61bf7fefc375a7
+SIZE (squid2.5/squid-2.5.STABLE7-PURGE_internal.patch) = 871
 MD5 (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 2366a84e29fad439c2a488b03f112779
 SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 843
 MD5 (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = fdde57025dbfb8caf9154e24b4e1bf3e
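Review bot: the PURGE_internal.patch entry is inserted between dothost and httpd_accel_vport rather than appended, so keep it in the same relative position in the Makefile's PATCHFILES list (the Makefile hunk below does place it after dothost); before commit, re-fetch the file and run `make checksum` so the MD5 and SIZE recorded here are verified against the vendor copy rather than taken from the submitter's tree.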
@@ -32,6 +34,10 @@
 SIZE (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 4484
 MD5 (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 8c2eb269b16d757b562ee32a2eb7ef99
 SIZE (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 1974
+MD5 (squid2.5/squid-2.5.STABLE7-header_parsing.patch) = fbf876f6fe657d6497fd8a5603bd47af
+SIZE (squid2.5/squid-2.5.STABLE7-header_parsing.patch) = 44072
+MD5 (squid2.5/squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch) = a151cd22387e815028351b8b69541eec
+SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch) = 4113
 MD5 (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = cc65c481c7ea1e2cb2bc1c0b61f09a69
 SIZE (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = 4825
 MD5 (squid2.5/squid-2.5.STABLE7-short_icons_urls.patch) = 3cbed4fe923641bff5f23e69c444d63e
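Review bot: the header_parsing.patch sum and size (44072 bytes) will go stale if the vendor republishes the patch with the missing ERR_INVALID_RESP pages, which the description says may happen; the committer should run `make checksum` against a fresh fetch and, if it fails, regenerate this hunk with `make makesum` and then also drop files/patch-ERR_INVALID_RESP, since the two changes stand or fall together.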
Index: files/patch-ERR_INVALID_RESP
===================================================================
--- files/patch-ERR_INVALID_RESP	(.../www/squid)	(revision 0)
+++ files/patch-ERR_INVALID_RESP	(.../local/squid)	(revision 360)
@@ -0,0 +1,165 @@
+diff -ruP errors.orig/Korean/ERR_INVALID_RESP errors/Korean/ERR_INVALID_RESP
+--- errors.orig/Korean/ERR_INVALID_RESP	Thu Jan  1 01:00:00 1970
++++ errors/Korean/ERR_INVALID_RESP	Mon Jan 24 19:19:43 2005
+@@ -0,0 +1,29 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
++<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
++<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
++<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
++</HEAD><BODY>
++<H1>ERROR</H1>
++<H2>The requested URL could not be retrieved</H2>
++<HR noshade size="1px">
++<P>
++While trying to process the request:
++<PRE>
++%R
++</PRE>
++<P>
++The following error was encountered:
++<UL>
++<LI>
++<STRONG>
++Invalid Response
++</STRONG>
++</UL>
++
++<P>
++The HTTP Response message received from the contacted server
++could not be understood or was otherwise malformed. Please contact
++the site operator. Your cache administrator may be able to provide
++you with more details about the exact nature of the problem if needed.
++
++<P>Your cache administrator is <A HREF="mailto:%w">%w</A>. 
+diff -ruP errors.orig/Lithuanian/ERR_INVALID_RESP errors/Lithuanian/ERR_INVALID_RESP
+--- errors.orig/Lithuanian/ERR_INVALID_RESP	Thu Jan  1 01:00:00 1970
++++ errors/Lithuanian/ERR_INVALID_RESP	Mon Jan 24 19:19:43 2005
+@@ -0,0 +1,29 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
++<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
++<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
++<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
++</HEAD><BODY>
++<H1>ERROR</H1>
++<H2>The requested URL could not be retrieved</H2>
++<HR noshade size="1px">
++<P>
++While trying to process the request:
++<PRE>
++%R
++</PRE>
++<P>
++The following error was encountered:
++<UL>
++<LI>
++<STRONG>
++Invalid Response
++</STRONG>
++</UL>
++
++<P>
++The HTTP Response message received from the contacted server
++could not be understood or was otherwise malformed. Please contact
++the site operator. Your cache administrator may be able to provide
++you with more details about the exact nature of the problem if needed.
++
++<P>Your cache administrator is <A HREF="mailto:%w">%w</A>. 
+diff -ruP errors.orig/Polish/ERR_INVALID_RESP errors/Polish/ERR_INVALID_RESP
+--- errors.orig/Polish/ERR_INVALID_RESP	Thu Jan  1 01:00:00 1970
++++ errors/Polish/ERR_INVALID_RESP	Mon Jan 24 19:19:43 2005
+@@ -0,0 +1,29 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
++<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
++<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
++<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
++</HEAD><BODY>
++<H1>ERROR</H1>
++<H2>The requested URL could not be retrieved</H2>
++<HR noshade size="1px">
++<P>
++While trying to process the request:
++<PRE>
++%R
++</PRE>
++<P>
++The following error was encountered:
++<UL>
++<LI>
++<STRONG>
++Invalid Response
++</STRONG>
++</UL>
++
++<P>
++The HTTP Response message received from the contacted server
++could not be understood or was otherwise malformed. Please contact
++the site operator. Your cache administrator may be able to provide
++you with more details about the exact nature of the problem if needed.
++
++<P>Your cache administrator is <A HREF="mailto:%w">%w</A>. 
+diff -ruP errors.orig/Portuguese/ERR_INVALID_RESP errors/Portuguese/ERR_INVALID_RESP
+--- errors.orig/Portuguese/ERR_INVALID_RESP	Thu Jan  1 01:00:00 1970
++++ errors/Portuguese/ERR_INVALID_RESP	Mon Jan 24 19:19:43 2005
+@@ -0,0 +1,29 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
++<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
++<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
++<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
++</HEAD><BODY>
++<H1>ERROR</H1>
++<H2>The requested URL could not be retrieved</H2>
++<HR noshade size="1px">
++<P>
++While trying to process the request:
++<PRE>
++%R
++</PRE>
++<P>
++The following error was encountered:
++<UL>
++<LI>
++<STRONG>
++Invalid Response
++</STRONG>
++</UL>
++
++<P>
++The HTTP Response message received from the contacted server
++could not be understood or was otherwise malformed. Please contact
++the site operator. Your cache administrator may be able to provide
++you with more details about the exact nature of the problem if needed.
++
++<P>Your cache administrator is <A HREF="mailto:%w">%w</A>. 
+diff -ruP errors.orig/Romanian/ERR_INVALID_RESP errors/Romanian/ERR_INVALID_RESP
+--- errors.orig/Romanian/ERR_INVALID_RESP	Thu Jan  1 01:00:00 1970
++++ errors/Romanian/ERR_INVALID_RESP	Mon Jan 24 19:19:43 2005
+@@ -0,0 +1,29 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
++<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
++<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
++<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
++</HEAD><BODY>
++<H1>ERROR</H1>
++<H2>The requested URL could not be retrieved</H2>
++<HR noshade size="1px">
++<P>
++While trying to process the request:
++<PRE>
++%R
++</PRE>
++<P>
++The following error was encountered:
++<UL>
++<LI>
++<STRONG>
++Invalid Response
++</STRONG>
++</UL>
++
++<P>
++The HTTP Response message received from the contacted server
++could not be understood or was otherwise malformed. Please contact
++the site operator. Your cache administrator may be able to provide
++you with more details about the exact nature of the problem if needed.
++
++<P>Your cache administrator is <A HREF="mailto:%w">%w</A>. 
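Review bot: all five new pages (Korean, Lithuanian, Polish, Portuguese, Romanian) are the English template and declare charset=iso-8859-1, so users served from those language directories get an English page whose charset does not match the rest of the directory (Korean most visibly); acceptable for the stated stopgap, but say so in the commit log and remove this file as soon as the vendor patch carries the pages. Two mechanical points: every `%w</A>. ` line ends in a trailing space, and because these hunks create files from /dev/null (`diff -ruP`), the port's patch phase will fail with "file already exists" the moment an updated vendor patch creates the same files, which is exactly the re-check the submitter asks the committer to do.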
Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(revision 360)
+++ Makefile	(.../local/squid)	(revision 360)
@@ -74,7 +74,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.5.7
-PORTREVISION=	8
+PORTREVISION=	9
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -93,6 +93,7 @@
 		squid-2.5.STABLE7-helper_shutdown.patch \
 		squid-2.5.STABLE7-blank_response.patch \
 		squid-2.5.STABLE7-dothost.patch \
+		squid-2.5.STABLE7-PURGE_internal.patch \
 		squid-2.5.STABLE7-httpd_accel_vport.patch \
 		squid-2.5.STABLE7-cachemgr_vmobjects.patch \
 		squid-2.5.STABLE7-empty_acls.patch \
@@ -103,6 +104,8 @@
 		squid-2.5.STABLE7-dns_memleak.patch \
 		squid-2.5.STABLE7-fqdn_truncated.patch \
 		squid-2.5.STABLE7-ldap_spaces.patch \
+		squid-2.5.STABLE7-header_parsing.patch \
+		squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch \
 		squid-2.5.STABLE7-ftp_datachannel.patch \
 		squid-2.5.STABLE7-short_icons_urls.patch \
 		squid-2.5.STABLE7-response_splitting.patch
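Review bot: PATCHFILES are applied in list order, and header_parsing.patch (the largest of the set at 44 KB, per distinfo) is placed ahead of response_splitting.patch, which by its name also touches HTTP response handling; confirm with a `make patch` in a clean work directory that both still apply without rejects in this order, and if they overlap, that the order chosen here matches the order the vendor lists them on the patches page.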
@@ -150,9 +153,8 @@
 		SQUID_STACKTRACES "Create backtraces on fatal errors" off \
 		SQUID_RCNG "Install an rcNG startup script" on
 
-PLIST_FILES=	etc/rc.d/squid.sh etc/squid/mib.txt etc/squid/mime.conf.default \
-		etc/squid/msntauth.conf.default etc/squid/squid.conf.default \
-		sbin/RunAccel sbin/RunCache sbin/squidclient sbin/squid
+etc_files=	rc.d/squid.sh squid/mib.txt squid/mime.conf.default \
+		squid/msntauth.conf.default squid/squid.conf.default
 
 icon_files=	anthony-binhex.gif anthony-bomb.gif anthony-box.gif \
 		anthony-box2.gif anthony-c.gif anthony-compressed.gif \
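Review bot: `rc.d/squid.sh` is listed unconditionally in etc_files while the SQUID_RCNG option two lines above can be switched off; if switching it off suppresses the script's installation, the plist will name a file that was never installed. The replaced PLIST_FILES had the same unconditional entry, so this is not a regression, but now that the plist is meant to be exhaustive it is worth a test install with SQUID_RCNG off (`make -V PLIST_FILES` plus pkg_create) to confirm.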
@@ -169,18 +171,23 @@
 		ERR_CONNECT_FAIL ERR_DNS_FAIL ERR_FORWARDING_DENIED \
 		ERR_FTP_DISABLED ERR_FTP_FAILURE ERR_FTP_FORBIDDEN \
 		ERR_FTP_NOT_FOUND ERR_FTP_PUT_CREATED \
-		ERR_FTP_PUT_ERROR ERR_FTP_PUT_MODIFIED \
-		ERR_FTP_UNAVAILABLE ERR_INVALID_REQ ERR_INVALID_URL \
+		ERR_FTP_PUT_ERROR ERR_FTP_PUT_MODIFIED ERR_FTP_UNAVAILABLE \
+		ERR_INVALID_REQ ERR_INVALID_RESP ERR_INVALID_URL \
 		ERR_LIFETIME_EXP ERR_NO_RELAY ERR_ONLY_IF_CACHED_MISS \
 		ERR_READ_ERROR ERR_READ_TIMEOUT ERR_SHUTTING_DOWN \
 		ERR_SOCKET_FAILURE ERR_TOO_BIG ERR_UNSUP_REQ \
 		ERR_URN_RESOLVE ERR_WRITE_ERROR ERR_ZERO_SIZE_OBJECT
 
-libexec=	cachemgr.cgi digest_pw_auth diskd dnsserver ip_user_check \
-		squid_ldap_auth squid_ldap_group msnt_auth ncsa_auth ntlm_auth \
-		pam_auth pinger smb_auth smb_auth.sh squid_unix_group \
-		unlinkd wb_auth wb_group wb_ntlmauth wbinfo_group.pl
+libexec=	cachemgr.cgi digest_pw_auth diskd ip_user_check \
+		msnt_auth ncsa_auth ntlm_auth \
+		pam_auth smb_auth smb_auth.sh squid_unix_group \
+		wb_auth wb_group wb_ntlmauth wbinfo_group.pl
+.if !defined(SQUID_CONFIGURE_ARGS) || ${SQUID_CONFIGURE_ARGS:M*--disable-unlinkd*} == ""
+libexec+=	unlinkd
+.endif
 
+sbin=		RunAccel RunCache squidclient squid
+
 CONFIGURE_ARGS=	--bindir=${PREFIX}/sbin  --sysconfdir=${PREFIX}/etc/squid \
 		--datadir=${PREFIX}/etc/squid \
 		--libexecdir=${PREFIX}/libexec/squid \
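Review bot: ERR_INVALID_RESP added to error_files is expanded for every entry in SQUID_LANGUAGES by the PLIST loop further down, so the plist is only correct if that page exists in each selected language directory; that is what the files/patch-ERR_INVALID_RESP stopgap supplies, and a language present in SQUID_LANGUAGES but missing from both the vendor patch and the stopgap would make pkg_create fail on a missing file. Likewise the `unlinkd` condition inspects SQUID_CONFIGURE_ARGS only for `--disable-unlinkd`; any other configure knob that stops unlinkd being built would leave a phantom entry, the kind of mismatch the removed `${TEST} -f` loop used to hide. Consider `${SQUID_CONFIGURE_ARGS:U:M*--disable-unlinkd*}` to avoid expanding an undefined variable in the second operand.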
@@ -201,6 +208,7 @@
 MAN8+=		squid_ldap_auth.8 squid_ldap_group.8
 basic_auth+=	LDAP
 external_acl+=	ldap_group
+libexec+=	squid_ldap_auth squid_ldap_group
 .endif
 .if !defined(NO_NIS)
 basic_auth+=	YP
@@ -251,9 +259,11 @@
 .endif
 .if defined(WITH_SQUID_PINGER)
 CONFIGURE_ARGS+=	--enable-icmp
+libexec+=	pinger
 .endif
 .if defined(WITH_SQUID_DNS_HELPER)
 CONFIGURE_ARGS+=	--disable-internal-dns
+libexec+=	dnsserver
 .endif
 .if defined(WITH_SQUID_HTCP)
 CONFIGURE_ARGS+=	--enable-htcp
@@ -332,6 +342,16 @@
 CONFIGURE_ENV+=		CFLAGS="${CFLAGS}" \
 			LDFLAGS="${LDFLAGS}"
 
+PLIST_DIRS=	etc/squid/icons libexec/squid
+PLIST_FILES=	${etc_files:S,^,etc/,} ${icon_files:S,^,etc/squid/icons/,} \
+		${libexec:S,^,libexec/squid/,} ${sbin:S,^,sbin/,}
+
+.for d in ${SQUID_LANGUAGES}
+PLIST_DIRS+=	etc/squid/errors/${d}
+PLIST_FILES+=	${error_files:S,^,etc/squid/errors/${d}/,}
+.endfor
+PLIST_DIRS+=	etc/squid/errors etc/squid squid/logs squid/cache squid
+
 pre-patch:
 # Check whether we need to create the extra patch that makes pf(4)
 # visible to squid's configure script:
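Review bot: the trailing `squid/logs squid/cache squid` in PLIST_DIRS turns the cache and log directories into @dirrm entries, so pkg_delete removes them when empty and prints an "Unable to completely remove" warning when they hold data; that is consistent with the pkg-deinstall hunk below, which now prints the preservation notice only if ${PKG_PREFIX}/squid or ${PKG_PREFIX}/etc/squid still exists. Keep the children-before-parent order as written (errors/${d} before etc/squid/errors before etc/squid; logs and cache before squid), because @dirrm lines are processed in list order.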
@@ -375,27 +395,6 @@
 .endif
 	@${SETENV} PKG_PREFIX=${PREFIX} \
 	    ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
-# Create package list:
-	@for f in ${libexec}; do \
-	    ${TEST} -f ${PREFIX}/libexec/squid/$${f} && \
-	    ${ECHO_CMD} "libexec/squid/$${f}" >>${TMPPLIST} || ${TRUE} ; \
-	done
-	@${ECHO_CMD} "@unexec rmdir %D/libexec/squid 2>/dev/null || true" \
-	    >>${TMPPLIST}
-	@for f in ${icon_files}; do \
-	    ${ECHO_CMD} "etc/squid/icons/$${f}" >>${TMPPLIST}; \
-	done
-	@${ECHO_CMD} "@unexec rmdir %D/etc/squid/icons 2>/dev/null || true" \
-	    >>${TMPPLIST}
-	@for d in ${SQUID_LANGUAGES}; do \
-	    for f in ${error_files}; do \
-		${ECHO_CMD} "etc/squid/errors/$${d}/$${f}" >>${TMPPLIST} ; \
-	    done; \
-	    ${ECHO_CMD} "@unexec rmdir %D/etc/squid/errors/$${d} 2>/dev/null || true" \
-		>>${TMPPLIST}; \
-	done
-	@${ECHO_CMD} "@unexec rmdir %D/etc/squid/errors 2>/dev/null || true" \
-	    >>${TMPPLIST}
 
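Review bot: dropping the `${TEST} -f` loop makes the plist static, which is the goal, but it also means every helper whose build depends on a configure knob must have a matching `libexec+=` inside the same `.if` block (LDAP, pinger, dnsserver and unlinkd are covered in the hunks above); any helper without one will either be missing from the plist and left behind on deinstall, or listed while not installed and break pkg_create. Run a plist check across several option combinations (LDAP on/off, pinger, dns helper) before commit.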
 changeuser:
 # Recover from the problem that earlier versions of this port created the
Index: pkg-deinstall
===================================================================
--- pkg-deinstall	(.../www/squid)	(revision 360)
+++ pkg-deinstall	(.../local/squid)	(revision 360)
@@ -13,20 +13,20 @@
 	done
 	;;
 POST-DEINSTALL)
-	rmdir ${PKG_PREFIX}/etc/squid 2>/dev/null
-	rmdir ${PKG_PREFIX}/squid/cache 2>/dev/null
-	rmdir ${PKG_PREFIX}/squid/logs 2>/dev/null
-	rmdir ${PKG_PREFIX}/squid 2>/dev/null
 	echo "===> post-deinstallation information for $1"
 	echo ""
-	echo "     Please note that $1 was not completely removed"
-	echo "     from this system."
+	echo "     Please note that squid was not completely removed"
+	echo "     from this system:"
 	echo ""
-	echo "     The cache and log directories, squid's user account,"
-	echo "     and any modified configuration files have been preserved"
-	echo "     in case you want to install an updated version of squid"
-	echo "     on this system. You must remove them manually if you do"
-	echo "     not want to use squid any longer."
+	echo "     Any squid related user accounts were kept."
+	if  [ -d ${PKG_PREFIX}/squid -o -d ${PKG_PREFIX}/etc/squid ] ; then
+		echo ""
+		echo "     Additionally, cache and log directories as well as"
+		echo "     configuration files modified by you were preserved"
+		echo "     too, in case you want to install an updated version"
+		echo "     of squid. You need to remove them manually if you do"
+		echo "     not want to use it any longer."
+	fi
 	echo ""
 	;;
 *)
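Review bot: `[ -d A -o -d B ]` works in sh but `-o` is marked obsolescent in POSIX test(1); `[ -d A ] || [ -d B ]` is the portable spelling. Replacing `$1` with the literal "squid" in the second line is fine for a squid-specific script, but the header line above still prints `$1` (the full package name), so the two lines read slightly inconsistently. Dropping the four `rmdir` calls is correct given the Makefile hunk that moves those directories into PLIST_DIRS, and the remaining `-d` test runs after @dirrm has had its chance, so the notice only appears when something was actually kept.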
	


>Release-Note:
>Audit-Trail:
>Unformatted:
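The three header-parsing rules quoted in the VuXML entry above, worked through as an added example that is not part of this PR and is not squid's parser: a small Python parser that enforces them in strict mode and shows, on a constructed response carrying two Content-Length headers, how two lenient agents that pick different values disagree on where the body ends, which is the desync that lets a second, attacker-supplied response follow the first on the same connection. The function names (parse_message, content_length, split_body, is_rejected) and the sample bytes are this example's own.

```python
"""Strict vs. relaxed HTTP/1.x header parsing.

Added example for this page; not squid code.  Rules 1-3 are the ones the
squid header_parsing patch enforces with relaxed_header_parser off:
  1. Content-Length may appear at most once.
  2. A CR byte is only legal as part of a CRLF line terminator.
  3. Header names must be tokens, so no whitespace before the colon.
"""
import re

# RFC 2616 token characters; anything else in a header name is rejected.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedMessage(ValueError):
    """A message that violates one of the strict parsing rules."""


def parse_message(raw, relaxed=False):
    """Split one message into (start_line, headers, rest).

    headers is an ordered list of (lowercased name, value) so a duplicated
    Content-Length stays visible; rest is everything after the blank line.
    """
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise MalformedMessage("header block not terminated by CRLF CRLF")
    lines = raw[:end].split(b"\r\n")
    if not relaxed:
        # Rule 2: once CRLF terminators are stripped, no CR may remain.
        for line in lines:
            if b"\r" in line:
                raise MalformedMessage("bare CR outside a CRLF terminator")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise MalformedMessage("header line without ':': %r" % line)
        name = name.decode("latin-1")
        if relaxed:
            name = name.strip()          # tolerate "Host : x"
        elif not _TOKEN.match(name):     # Rule 3
            raise MalformedMessage("bad header name: %r" % name)
        headers.append((name.lower(), value.strip().decode("latin-1")))
    return lines[0], headers, raw[end + 4:]


def content_length(headers, policy="strict"):
    """Body length per Content-Length under a duplicate-handling policy.

    "strict" implements rule 1; "first" and "last" are the two lenient
    choices real agents make.  Two agents on one connection that choose
    differently disagree on where the body ends.
    """
    values = []
    for name, value in headers:
        if name == "content-length":
            if not value.isdigit():
                raise MalformedMessage("non-numeric Content-Length %r" % value)
            values.append(int(value))
    if not values:
        return 0
    if policy == "strict":
        if len(values) > 1:
            raise MalformedMessage("Content-Length appears %d times" % len(values))
        return values[0]
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    raise ValueError("unknown policy %r" % policy)


def split_body(raw, policy="strict"):
    """Return (body, leftover); leftover is what a lenient agent would read
    as the *next* message on the connection."""
    _, headers, rest = parse_message(raw, relaxed=(policy != "strict"))
    n = content_length(headers, policy)
    return rest[:n], rest[n:]


def is_rejected(raw, policy="strict"):
    """True if split_body refuses raw under the given policy."""
    try:
        split_body(raw, policy)
    except MalformedMessage:
        return True
    return False


# Constructed sample: the second Content-Length covers the whole payload,
# the first covers only "AAAA", so a first-wins agent sees INJECTED as a
# separate follow-on response while a last-wins agent sees one body.
INJECTED = b"HTTP/1.0 200 OK\r\nContent-Length: 9\r\n\r\npoisoned!"
POISONED = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Length: 4\r\n"
    + b"Content-Length: %d\r\n" % (4 + len(INJECTED))
    + b"\r\n"
    + b"AAAA" + INJECTED
)

if __name__ == "__main__":
    body, leftover = split_body(POISONED, "first")
    print("first-wins: body=%r, follow-on message present: %s" % (body, leftover == INJECTED))
    body, leftover = split_body(POISONED, "last")
    print("last-wins:  body=%d bytes, leftover=%d bytes" % (len(body), len(leftover)))
    try:
        split_body(POISONED, "strict")
    except MalformedMessage as exc:
        print("strict:     rejected (%s)" % exc)
```

The strict path raises on the duplicated Content-Length before any body is consumed; the relaxed paths return different body boundaries for the same bytes, and the leftover under the first-wins policy parses as a complete second response, which is the content a lenient cache would store against whatever request it next matches.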


