Message-Id: <20091022154733.8F7A21EC5@megatron.madpilot.net>
Date: Thu, 22 Oct 2009 17:47:33 +0200 (CEST)
From: Guido Falsi
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/139844: [maintainer-update] www/squidguard: fix security vulnerabilities
Reply-To: Guido Falsi
List-Id: Ports bug reports

>Number: 139844
>Category: ports
>Synopsis: [maintainer-update] www/squidguard: fix security vulnerabilities
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 22 15:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Guido Falsi
>Release: FreeBSD 8.0-RC1 amd64
>Organization: none
>Environment:
System: FreeBSD megatron.madpilot.net 8.0-RC1 FreeBSD 8.0-RC1 #3: Sun Oct 4 12:15:50 CEST 2009 root@megatron.madpilot.net:/usr/obj/usr/src/sys/MEGATRON amd64
>Description:
Fix CVE-2009-3700.

Description of the patches from the squidguard website:

Fixes a buffer overflow problem and prevents squidGuard from going into emergency mode when overlong URLs are encountered (they can be perfectly legal).

and

Fixes two bypass problems with URLs having a length close to the defined MAX_BUF value (4096).

Since the patches from squidguard are distributed as a tar.gz archive containing a replacement source file, I thought it was acceptable to incorporate them as patches in the files folder, to keep things simple by leveraging the ports system.

I already contacted the security team and asked for a VuXML entry.

Added files:
files/patch-src_sgLog.c
files/patch-src_sg.h.in
files/patch-src_sgDiv.c.in
>How-To-Repeat:
>Fix:
diff -ruN squidguard.old/Makefile squidguard/Makefile --- squidguard.old/Makefile 2009-10-22 15:40:20.103080536 +0200 +++ squidguard/Makefile 2009-10-22 15:40:36.014181000 +0200 
@@ -7,7 +7,7 @@ PORTNAME= squidGuard PORTVERSION= 1.4 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www MASTER_SITES= http://www.squidguard.org/Downloads/ diff -ruN squidguard.old/files/patch-src_sg.h.in squidguard/files/patch-src_sg.h.in --- squidguard.old/files/patch-src_sg.h.in 1970-01-01 01:00:00.000000000 +0100 +++ squidguard/files/patch-src_sg.h.in 2009-10-22 15:54:23.380666468 +0200 @@ -0,0 +1,11 @@ +--- src/sg.h.in.orig 2007-11-16 17:58:32.000000000 +0100 ++++ src/sg.h.in 2009-10-22 15:49:01.507292983 +0200 +@@ -73,7 +73,7 @@ + #define REQUEST_TYPE_REDIRECT 2 + #define REQUEST_TYPE_PASS 3 + +-#define MAX_BUF 4096 ++#define MAX_BUF 12288 + + #define DEFAULT_LOGFILE "squidGuard.log" + #define WARNING_LOGFILE "squidGuard.log" diff -ruN squidguard.old/files/patch-src_sgDiv.c.in squidguard/files/patch-src_sgDiv.c.in --- squidguard.old/files/patch-src_sgDiv.c.in 1970-01-01 01:00:00.000000000 +0100 +++ squidguard/files/patch-src_sgDiv.c.in 2009-10-22 15:53:47.104007794 +0200 @@ -0,0 +1,11 @@ +--- src/sgDiv.c.in.orig 2008-07-14 18:02:43.000000000 +0200 ++++ src/sgDiv.c.in 2009-10-22 15:49:01.507292983 +0200 +@@ -745,7 +745,7 @@ + p++; + break; + case 'u': /* Requested URL */ +- strcat(buf, req->orig); ++ strncat(buf, req->orig, 2048); + p++; + break; + default: diff -ruN squidguard.old/files/patch-src_sgLog.c squidguard/files/patch-src_sgLog.c --- squidguard.old/files/patch-src_sgLog.c 1970-01-01 01:00:00.000000000 +0100 +++ squidguard/files/patch-src_sgLog.c 2009-10-22 15:45:28.078556325 +0200 
@@ -0,0 +1,44 @@ +--- src/sgLog.c.orig 2007-11-16 17:58:32.000000000 +0100 ++++ src/sgLog.c 2009-10-22 15:43:15.646180596 +0200 +@@ -2,7 +2,7 @@ + By accepting this notice, you agree to be bound by the following + agreements: + +- This software product, squidGuard, is copyrighted (C) 1998-2007 ++ This software product, squidGuard, is copyrighted (C) 1998-2009 + by Christine Kronberg, Shalla Secure Services. All rights reserved. + + This program is free software; you can redistribute it and/or modify it +@@ -55,8 +55,8 @@ + char msg[MAX_BUF]; + va_list ap; + VA_START(ap, format); +- if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) +- fprintf(stderr,"overflow in vsprintf (sgLog): %s",strerror(errno)); ++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) ++ fprintf(stderr,"overflow in vsnprintf (sgLog): %s",strerror(errno)); + va_end(ap); + date = niso(0); + if(globalDebug || log == NULL) { +@@ -87,8 +87,8 @@ + char msg[MAX_BUF]; + va_list ap; + VA_START(ap, format); +- if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) +- sgLogFatalError("overflow in vsprintf (sgLogError): %s",strerror(errno)); ++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) ++ sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno)); + va_end(ap); + sgLog(globalErrorLog,"%s",msg); + } +@@ -104,8 +104,8 @@ + char msg[MAX_BUF]; + va_list ap; + VA_START(ap, format); +- if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) +- return; ++ if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) ++ sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno)); + va_end(ap); + sgLog(globalErrorLog,"%s",msg); + sgEmergency(); >Release-Note: >Audit-Trail: >Unformatted:
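Review bot: The new `MAX_BUF 12288` in files/patch-src_sg.h.in carries no comment saying how the value was chosen or how it relates to the 2048-character cap that files/patch-src_sgDiv.c.in puts on the appended URL, so the two limits can drift apart. A one-line comment next to the define would help. Note also that every `char msg[MAX_BUF];` visible in the sgLog.c hunks is a local buffer that now takes 12 KiB per call.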
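Review bot: In files/patch-src_sgDiv.c.in, the third argument of `strncat(buf, req->orig, 2048)` limits how many characters are copied from `req->orig`, not the total size of `buf`, so the call is only safe if `buf` still has at least 2049 bytes free (2048 plus the terminating NUL) when the 'u' case runs. The declaration of `buf` and whatever the earlier cases have already appended are outside the visible context; a bound derived from the remaining space, such as `sizeof(buf) - strlen(buf) - 1` if `buf` is an array in this scope, would make that explicit. URLs longer than 2048 characters are also truncated silently here, which deserves a comment.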
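Review bot: In the sgLog.c hunk at -55,8, the overflow message still prints `strerror(errno)`, but a truncating `vsnprintf` does not set errno, so the text after the colon will be a stale or unrelated error string; the same applies to the messages in the hunks at -87,8 and -104,8. Reporting the return value (the length that was needed) against MAX_BUF would be more useful. The check `> (MAX_BUF - 1)` also lets a negative return from `vsnprintf` (an output error) pass as success, after which `msg` is logged without a defined content.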
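Review bot: In the last sgLog.c hunk (-104,8), the new message is labelled "(sgLogError)", identical to the one in the hunk at -87,8, although this is a separate function (it declares its own `msg` and ends in `sgEmergency()`), so the two sources cannot be told apart in the log; the label should name the function it is in. Also worth confirming: the old code returned on overflow before reaching `sgEmergency()` (and without calling `va_end`), whereas the new code logs and falls through to `sgEmergency()` with the truncated message, a behaviour change the description does not mention.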