ports/139844: [maintainer-update] www/squidguard: fix security vulnerabilities

Guido Falsi mad at madpilot.net
Thu Oct 22 15:50:02 UTC 2009


>Number:         139844
>Category:       ports
>Synopsis:       [maintainer-update] www/squidguard: fix security vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 22 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Guido Falsi
>Release:        FreeBSD 8.0-RC1 amd64
>Organization:
none
>Environment:
System: FreeBSD megatron.madpilot.net 8.0-RC1 FreeBSD 8.0-RC1 #3: Sun Oct 4 12:15:50 CEST 2009 root at megatron.madpilot.net:/usr/obj/usr/src/sys/MEGATRON amd64

>Description:

Fix CVE-2009-3700.

Description of the patches from the squidguard website:

 Fixes a buffer overflow problem and prevents squidGuard from going
 into emergency mode when overlong URLs are encountered (they can
 be perfectly legal).

and

 Fixes two bypass problems with URLs having a length close to the
 defined MAX_BUF value (4096).

Since the patches from squidguard are distributed as a tar.gz archive
containing a replacement source file I thought it was acceptable
to incorporate them as patches in the files folder, to keep things
simple by leveraging the ports system.

I already contacted the security team and asked for a VuXML entry.

Added files:

files/patch-src_sgLog.c
files/patch-src_sg.h.in
files/patch-src_sgDiv.c.in

>How-To-Repeat:

>Fix:

diff -ruN squidguard.old/Makefile squidguard/Makefile
--- squidguard.old/Makefile	2009-10-22 15:40:20.103080536 +0200
+++ squidguard/Makefile	2009-10-22 15:40:36.014181000 +0200
@@ -7,7 +7,7 @@
 
 PORTNAME=	squidGuard
 PORTVERSION=	1.4
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	http://www.squidguard.org/Downloads/
 
diff -ruN squidguard.old/files/patch-src_sg.h.in squidguard/files/patch-src_sg.h.in
--- squidguard.old/files/patch-src_sg.h.in	1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sg.h.in	2009-10-22 15:54:23.380666468 +0200
@@ -0,0 +1,11 @@
+--- src/sg.h.in.orig	2007-11-16 17:58:32.000000000 +0100
++++ src/sg.h.in	2009-10-22 15:49:01.507292983 +0200
+@@ -73,7 +73,7 @@
+ #define REQUEST_TYPE_REDIRECT   2
+ #define REQUEST_TYPE_PASS       3
+ 
+-#define MAX_BUF 4096
++#define MAX_BUF 12288
+ 
+ #define DEFAULT_LOGFILE "squidGuard.log"
+ #define WARNING_LOGFILE "squidGuard.log"
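Review bot: `#define MAX_BUF 12288` changes the size without a comment saying why 12288 was chosen or what input length it is meant to cover, and every `char msg[MAX_BUF]` stack buffer (as in the sgLog.c patch) triples in size with it. The description places the bypass at URLs with a length close to MAX_BUF, so a larger constant on its own would only relocate that threshold; please document the value next to the define and confirm that input longer than the new limit is rejected or handled explicitly where the URL is read.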
diff -ruN squidguard.old/files/patch-src_sgDiv.c.in squidguard/files/patch-src_sgDiv.c.in
--- squidguard.old/files/patch-src_sgDiv.c.in	1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sgDiv.c.in	2009-10-22 15:53:47.104007794 +0200
@@ -0,0 +1,11 @@
+--- src/sgDiv.c.in.orig	2008-07-14 18:02:43.000000000 +0200
++++ src/sgDiv.c.in	2009-10-22 15:49:01.507292983 +0200
+@@ -745,7 +745,7 @@
+       p++;
+       break;
+     case 'u': /* Requested URL */
+-      strcat(buf, req->orig);
++      strncat(buf, req->orig, 2048);
+       p++;
+       break;
+     default:
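Review bot: in the `case 'u'` branch, the third argument of `strncat(buf, req->orig, 2048)` limits how many bytes are taken from `req->orig`, not the total size of `buf`, so the call is only safe if `buf` always has at least 2049 bytes free at this point (strncat also appends a terminating NUL). The hard-coded 2048 is also not tied to MAX_BUF, which the same update changes. Suggest deriving the bound from the space left in the destination, i.e. the real capacity of `buf` minus `strlen(buf)` minus 1, and deciding explicitly what should happen to the redirect when the URL is truncated.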
diff -ruN squidguard.old/files/patch-src_sgLog.c squidguard/files/patch-src_sgLog.c
--- squidguard.old/files/patch-src_sgLog.c	1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sgLog.c	2009-10-22 15:45:28.078556325 +0200
@@ -0,0 +1,44 @@
+--- src/sgLog.c.orig	2007-11-16 17:58:32.000000000 +0100
++++ src/sgLog.c	2009-10-22 15:43:15.646180596 +0200
+@@ -2,7 +2,7 @@
+   By accepting this notice, you agree to be bound by the following
+   agreements:
+   
+-  This software product, squidGuard, is copyrighted (C) 1998-2007
++  This software product, squidGuard, is copyrighted (C) 1998-2009
+   by Christine Kronberg, Shalla Secure Services. All rights reserved.
+  
+   This program is free software; you can redistribute it and/or modify it
+@@ -55,8 +55,8 @@
+   char msg[MAX_BUF];
+   va_list ap;
+   VA_START(ap, format);
+-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
+-    fprintf(stderr,"overflow in vsprintf (sgLog): %s",strerror(errno));
++  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
++    fprintf(stderr,"overflow in vsnprintf (sgLog): %s",strerror(errno));
+   va_end(ap);
+   date = niso(0);
+   if(globalDebug || log == NULL) {
+@@ -87,8 +87,8 @@
+   char msg[MAX_BUF];
+   va_list ap;
+   VA_START(ap, format);
+-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
+-    sgLogFatalError("overflow in vsprintf (sgLogError): %s",strerror(errno));
++  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
++    sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
+   va_end(ap);
+   sgLog(globalErrorLog,"%s",msg);
+ }
+@@ -104,8 +104,8 @@
+   char msg[MAX_BUF];
+   va_list ap;
+   VA_START(ap, format);
+-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
+-    return;
++  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
++    sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
+   va_end(ap);
+   sgLog(globalErrorLog,"%s",msg);
+   sgEmergency();
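Review bot: in the last sgLog.c hunk (`@@ -104,8 +104,8 @@`) the new overflow branch logs "overflow in vsnprintf (sgLogError)", copied from the hunk before it, although this is the function that goes on to call `sgEmergency()`; the message should name the function it is in. Replacing `return;` there also means an over-long message now continues to `sgEmergency()` where it previously returned before reaching it, so please confirm that is intended. In all three hunks the message prints `strerror(errno)`, but a vsnprintf return value above MAX_BUF - 1 signals truncation and does not set errno, so the logged string will be unrelated; log the required length instead and handle a negative return separately, since the `> (MAX_BUF - 1)` test does not catch it. The `fprintf(stderr, ...)` message in the first of these hunks has no trailing newline.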
>Release-Note:
>Audit-Trail:
>Unformatted:


