ports/139844: [maintainer-update] www/squidguard: fix security vulnerabilities
Guido Falsi
mad at madpilot.net
Thu Oct 22 15:50:02 UTC 2009
>Number: 139844
>Category: ports
>Synopsis: [maintainer-update] www/squidguard: fix security vulnerabilities
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 22 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Guido Falsi
>Release: FreeBSD 8.0-RC1 amd64
>Organization:
none
>Environment:
System: FreeBSD megatron.madpilot.net 8.0-RC1 FreeBSD 8.0-RC1 #3: Sun Oct 4 12:15:50 CEST 2009 root at megatron.madpilot.net:/usr/obj/usr/src/sys/MEGATRON amd64
>Description:
Fix CVE-2009-3700.
Description of the patches from the squidguard website:
Fixes a buffer overflow problem and prevents squidGuard from going
into emergency mode when overlong URLs are encountered (they can
be perfectly legal).
and
Fixes two bypass problems with URLs having a length close to the
defined MAX_BUF value (4096).
Since the patches from squidguard are distributed as a tar.gz archive
containing a replacement source file I thought it was acceptable
to incorporate them as patches in the files folder, to keep things
simple by leveraging the ports system.
I already contacted the security team and asked for a VuXML entry.
Added files:
files/patch-src_sgLog.c
files/patch-src_sg.h.in
files/patch-src_sgDiv.c.in
>How-To-Repeat:
>Fix:
diff -ruN squidguard.old/Makefile squidguard/Makefile
--- squidguard.old/Makefile 2009-10-22 15:40:20.103080536 +0200
+++ squidguard/Makefile 2009-10-22 15:40:36.014181000 +0200
@@ -7,7 +7,7 @@
PORTNAME= squidGuard
PORTVERSION= 1.4
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www
MASTER_SITES= http://www.squidguard.org/Downloads/
diff -ruN squidguard.old/files/patch-src_sg.h.in squidguard/files/patch-src_sg.h.in
--- squidguard.old/files/patch-src_sg.h.in 1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sg.h.in 2009-10-22 15:54:23.380666468 +0200
@@ -0,0 +1,11 @@
+--- src/sg.h.in.orig 2007-11-16 17:58:32.000000000 +0100
++++ src/sg.h.in 2009-10-22 15:49:01.507292983 +0200
+@@ -73,7 +73,7 @@
+ #define REQUEST_TYPE_REDIRECT 2
+ #define REQUEST_TYPE_PASS 3
+
+-#define MAX_BUF 4096
++#define MAX_BUF 12288
+
+ #define DEFAULT_LOGFILE "squidGuard.log"
+ #define WARNING_LOGFILE "squidGuard.log"
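Review bot: raising MAX_BUF from 4096 to 12288 on `++#define MAX_BUF 12288` only moves the point at which an overlong URL would overflow; by itself it bounds no write, so the actual protection comes from the vsnprintf and strncat changes in the other two patch files, and this change mainly reduces how often those truncation paths are hit. Note that MAX_BUF also sizes the `char msg[MAX_BUF]` arrays in sgLog.c, so every log call now reserves 12 KiB of stack, and that the 2048 literal used in the sgDiv patch is not derived from MAX_BUF, so the two limits can silently diverge if either is changed again; defining the URL limit in terms of MAX_BUF here would keep them in step.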
diff -ruN squidguard.old/files/patch-src_sgDiv.c.in squidguard/files/patch-src_sgDiv.c.in
--- squidguard.old/files/patch-src_sgDiv.c.in 1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sgDiv.c.in 2009-10-22 15:53:47.104007794 +0200
@@ -0,0 +1,11 @@
+--- src/sgDiv.c.in.orig 2008-07-14 18:02:43.000000000 +0200
++++ src/sgDiv.c.in 2009-10-22 15:49:01.507292983 +0200
+@@ -745,7 +745,7 @@
+ p++;
+ break;
+ case 'u': /* Requested URL */
+- strcat(buf, req->orig);
++ strncat(buf, req->orig, 2048);
+ p++;
+ break;
+ default:
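Review bot: the third argument to strncat on `++ strncat(buf, req->orig, 2048);` is the maximum number of characters to append, not the space remaining in buf, so this only prevents an overflow if buf still has at least 2049 bytes free when the `%u` case is reached; the buffer is filled by the earlier cases of the same format loop, so the remaining room should be computed from the buffer's size and `strlen(buf)` (or strlcat(3), which FreeBSD's libc provides, used with the buffer size) so the bound tracks the buffer rather than a magic number. Truncation also silently alters the string being built when the requested URL is longer than 2048 bytes; logging when that happens would let operators notice it.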
diff -ruN squidguard.old/files/patch-src_sgLog.c squidguard/files/patch-src_sgLog.c
--- squidguard.old/files/patch-src_sgLog.c 1970-01-01 01:00:00.000000000 +0100
+++ squidguard/files/patch-src_sgLog.c 2009-10-22 15:45:28.078556325 +0200
@@ -0,0 +1,44 @@
+--- src/sgLog.c.orig 2007-11-16 17:58:32.000000000 +0100
++++ src/sgLog.c 2009-10-22 15:43:15.646180596 +0200
+@@ -2,7 +2,7 @@
+ By accepting this notice, you agree to be bound by the following
+ agreements:
+
+- This software product, squidGuard, is copyrighted (C) 1998-2007
++ This software product, squidGuard, is copyrighted (C) 1998-2009
+ by Christine Kronberg, Shalla Secure Services. All rights reserved.
+
+ This program is free software; you can redistribute it and/or modify it
+@@ -55,8 +55,8 @@
+ char msg[MAX_BUF];
+ va_list ap;
+ VA_START(ap, format);
+- if(vsprintf(msg, format, ap) > (MAX_BUF - 1))
+- fprintf(stderr,"overflow in vsprintf (sgLog): %s",strerror(errno));
++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1))
++ fprintf(stderr,"overflow in vsnprintf (sgLog): %s",strerror(errno));
+ va_end(ap);
+ date = niso(0);
+ if(globalDebug || log == NULL) {
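Review bot: the overflow branch on `++ fprintf(stderr,"overflow in vsnprintf (sgLog): %s",strerror(errno));` reports strerror(errno), but vsnprintf does not set errno when it truncates; its return value exceeding MAX_BUF - 1 is the only signal, so errno is stale here and the message will name an unrelated error. Capture the return value (e.g. `int n = vsnprintf(msg, MAX_BUF, format, ap);`) and print n and MAX_BUF instead. The overflow itself is fixed: with a size of MAX_BUF, vsnprintf always NUL-terminates msg within the array, so the truncated message can safely be logged below.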
+@@ -87,8 +87,8 @@
+ char msg[MAX_BUF];
+ va_list ap;
+ VA_START(ap, format);
+- if(vsprintf(msg, format, ap) > (MAX_BUF - 1))
+- sgLogFatalError("overflow in vsprintf (sgLogError): %s",strerror(errno));
++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1))
++ sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
+ va_end(ap);
+ sgLog(globalErrorLog,"%s",msg);
+ }
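Review bot: replacing sgLogFatalError with sgLog on the overflow path means an overlong error message no longer drives squidGuard into emergency mode, which matches the stated intent of the fix; the same strerror(errno) caveat as in the sgLog hunk applies, since a truncating vsnprintf does not set errno. The truncated msg is still written afterwards via `sgLog(globalErrorLog,"%s",msg);`, so the log will show the overflow notice followed by the cut-off message, which is the desired outcome but worth documenting in the port's pkg-message or a comment.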
+@@ -104,8 +104,8 @@
+ char msg[MAX_BUF];
+ va_list ap;
+ VA_START(ap, format);
+- if(vsprintf(msg, format, ap) > (MAX_BUF - 1))
+- return;
++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1))
++ sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
+ va_end(ap);
+ sgLog(globalErrorLog,"%s",msg);
+ sgEmergency();
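Review bot: the new message on `++ sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));` is labelled sgLogError, but this function goes on to call sgEmergency(), i.e. it is the fatal-error path (the sgLogFatalError the previous hunk used to call), so the label looks copy-pasted and should name the fatal function so the two cases can be told apart in the log; the strerror(errno) value is again unrelated to the truncation. Behaviourally this hunk is an improvement over the old `return`, which silently dropped the fatal message and skipped sgEmergency() entirely whenever the message was too long; now the truncated message is logged and emergency handling still runs.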
>Release-Note:
>Audit-Trail:
>Unformatted: