From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Jan 24 19:30:27 2005
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 19B5E16A4CE for ; Mon, 24 Jan 2005 19:30:27 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 800A443D41 for ; Mon, 24 Jan 2005 19:30:26 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j0OJUQmb085146 for ; Mon, 24 Jan 2005 19:30:26 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j0OJUQFS085131; Mon, 24 Jan 2005 19:30:26 GMT (envelope-from gnats)
Resent-Date: Mon, 24 Jan 2005 19:30:26 GMT
Resent-Message-Id: <200501241930.j0OJUQFS085131@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Thomas-Martin Seck
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CCD516A4CF for ; Mon, 24 Jan 2005 19:24:33 +0000 (GMT)
Received: from smtp1.netcologne.de (smtp1.netcologne.de [194.8.194.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id 52D9F43D41 for ; Mon, 24 Jan 2005 19:24:32 +0000 (GMT) (envelope-from tmseck@netcologne.de)
Received: from laurel.tmseck.homedns.org (xdsl-213-196-241-97.netcologne.de [213.196.241.97]) by smtp1.netcologne.de (Postfix) with SMTP id A3E2638F07 for ; Mon, 24 Jan 2005 20:24:26 +0100 (MET)
Received: (qmail 51779 invoked by uid 1001); 24 Jan 2005 19:24:48 -0000
Message-Id: <20050124192448.51778.qmail@laurel.tmseck.homedns.org>
Date: 24 Jan 2005 19:24:48 -0000
From: Thomas-Martin Seck
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: security-team@FreeBSD.org
Subject: ports/76628: [Maintainer/security] www/squid: integrate partly security relevant vendor patches
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Thomas-Martin Seck
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 24 Jan 2005 19:30:27 -0000

>Number:         76628
>Category:       ports
>Synopsis:       [Maintainer/security] www/squid: integrate partly security relevant vendor patches
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 24 19:30:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of Jan 24, 2005.
>Description:
- integrate vendor patches as published on :

  + Reject malformed HTTP requests and responses that conflict with the HTTP specifications
    This issue is qualified as a security issue by the vendor.
    Note to committer: the published patch was (as of 2005-01-24, 18:00 UTC) incomplete, as the new ERR_INVALID_RESP error page was not created in all language directories. As a temporary workaround, I created an additional patch. It's possible that the vendor patch gets updated to reflect this; please re-check before commit.

  + PURGE is allowed to delete internal objects (squid bug #1112)

  + Disable Path-MTU discovery on intercepted requests (squid bug #1154)

- clean up and correct package list generation. Now installed files and directories are visible via PLIST_FILES and PLIST_DIRS. While at it, don't claim that squid-related files or directories are still present after deinstallation when in fact they are not.

Note to committer: please 'cvs add' files/patch-ERR_INVALID_RESP (if it's still needed, i.e. the vendor patch still lacks this data).

Proposed VuXML information, entry date left to be filled in:

(Note to security-team: I am not entirely sure whether I understood the description of the patch correctly. Feel free to improve the VuXML data, especially if you have further knowledge about the practical impact of this issue. Maybe the information could even be combined with vuln 4e4bd2c2-6bd5-11d9-9e1e-c296ac722cb3, since both patches seem to address the same problem from different angles?)

squid -- possible cache-poisoning via malformed HTTP responses
squid 2.5.7_9

The squid patches page notes:

This patch makes Squid considerably stricter while parsing the HTTP protocol.

  1. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to be poisoned with bad content in certain situations.
  2. CR characters are only allowed as part of the CR NL line terminator, not alone. This is to ensure that all involved agree on the structure of HTTP headers.
  3. Rejects requests/responses that have whitespace in an HTTP header name.

To enable these strict parsing rules, update to at least squid-2.5.7_9 and specify

relaxed_header_parser off
in squid.conf.

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing 2005-01-24
>How-To-Repeat: >Fix: Apply this patch: Index: distinfo =================================================================== --- distinfo (.../www/squid) (revision 360) +++ distinfo (.../local/squid) (revision 360) @@ -12,6 +12,8 @@ SIZE (squid2.5/squid-2.5.STABLE7-blank_response.patch) = 723 MD5 (squid2.5/squid-2.5.STABLE7-dothost.patch) = 81034e9092a06d9aa1e9ede26632ae03 SIZE (squid2.5/squid-2.5.STABLE7-dothost.patch) = 2155 +MD5 (squid2.5/squid-2.5.STABLE7-PURGE_internal.patch) = bc9d928b8dd37eaadd61bf7fefc375a7 +SIZE (squid2.5/squid-2.5.STABLE7-PURGE_internal.patch) = 871 MD5 (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 2366a84e29fad439c2a488b03f112779 SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_vport.patch) = 843 MD5 (squid2.5/squid-2.5.STABLE7-cachemgr_vmobjects.patch) = fdde57025dbfb8caf9154e24b4e1bf3e @@ -32,6 +34,10 @@ SIZE (squid2.5/squid-2.5.STABLE7-fqdn_truncated.patch) = 4484 MD5 (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 8c2eb269b16d757b562ee32a2eb7ef99 SIZE (squid2.5/squid-2.5.STABLE7-ldap_spaces.patch) = 1974 +MD5 (squid2.5/squid-2.5.STABLE7-header_parsing.patch) = fbf876f6fe657d6497fd8a5603bd47af +SIZE (squid2.5/squid-2.5.STABLE7-header_parsing.patch) = 44072 +MD5 (squid2.5/squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch) = a151cd22387e815028351b8b69541eec +SIZE (squid2.5/squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch) = 4113 MD5 (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = cc65c481c7ea1e2cb2bc1c0b61f09a69 SIZE (squid2.5/squid-2.5.STABLE7-ftp_datachannel.patch) = 4825 MD5 (squid2.5/squid-2.5.STABLE7-short_icons_urls.patch) = 3cbed4fe923641bff5f23e69c444d63e Index: files/patch-ERR_INVALID_RESP =================================================================== --- files/patch-ERR_INVALID_RESP (.../www/squid) (revision 0) +++ files/patch-ERR_INVALID_RESP (.../local/squid) (revision 360) 
@@ -0,0 +1,165 @@ +diff -ruP errors.orig/Korean/ERR_INVALID_RESP errors/Korean/ERR_INVALID_RESP +--- errors.orig/Korean/ERR_INVALID_RESP Thu Jan 1 01:00:00 1970 ++++ errors/Korean/ERR_INVALID_RESP Mon Jan 24 19:19:43 2005 +@@ -0,0 +1,29 @@ ++ ++ ++ERROR: The requested URL could not be retrieved ++ ++ ++

ERROR

++

The requested URL could not be retrieved

++
++

++While trying to process the request: ++

++%R
++
++

++The following error was encountered: ++

    ++
  • ++ ++Invalid Response ++ ++
++ ++

++The HTTP Response message received from the contacted server ++could not be understood or was otherwise malformed. Please contact ++the site operator. Your cache administrator may be able to provide ++you with more details about the exact nature of the problem if needed. ++ ++

Your cache administrator is %w. +diff -ruP errors.orig/Lithuanian/ERR_INVALID_RESP errors/Lithuanian/ERR_INVALID_RESP +--- errors.orig/Lithuanian/ERR_INVALID_RESP Thu Jan 1 01:00:00 1970 ++++ errors/Lithuanian/ERR_INVALID_RESP Mon Jan 24 19:19:43 2005 +@@ -0,0 +1,29 @@ ++ ++ ++ERROR: The requested URL could not be retrieved ++ ++ ++

ERROR

++

The requested URL could not be retrieved

++
++

++While trying to process the request: ++

++%R
++
++

++The following error was encountered: ++

    ++
  • ++ ++Invalid Response ++ ++
++ ++

++The HTTP Response message received from the contacted server ++could not be understood or was otherwise malformed. Please contact ++the site operator. Your cache administrator may be able to provide ++you with more details about the exact nature of the problem if needed. ++ ++

Your cache administrator is %w. +diff -ruP errors.orig/Polish/ERR_INVALID_RESP errors/Polish/ERR_INVALID_RESP +--- errors.orig/Polish/ERR_INVALID_RESP Thu Jan 1 01:00:00 1970 ++++ errors/Polish/ERR_INVALID_RESP Mon Jan 24 19:19:43 2005 +@@ -0,0 +1,29 @@ ++ ++ ++ERROR: The requested URL could not be retrieved ++ ++ ++

ERROR

++

The requested URL could not be retrieved

++
++

++While trying to process the request: ++

++%R
++
++

++The following error was encountered: ++

    ++
  • ++ ++Invalid Response ++ ++
++ ++

++The HTTP Response message received from the contacted server ++could not be understood or was otherwise malformed. Please contact ++the site operator. Your cache administrator may be able to provide ++you with more details about the exact nature of the problem if needed. ++ ++

Your cache administrator is %w. +diff -ruP errors.orig/Portuguese/ERR_INVALID_RESP errors/Portuguese/ERR_INVALID_RESP +--- errors.orig/Portuguese/ERR_INVALID_RESP Thu Jan 1 01:00:00 1970 ++++ errors/Portuguese/ERR_INVALID_RESP Mon Jan 24 19:19:43 2005 +@@ -0,0 +1,29 @@ ++ ++ ++ERROR: The requested URL could not be retrieved ++ ++ ++

ERROR

++

The requested URL could not be retrieved

++
++

++While trying to process the request: ++

++%R
++
++

++The following error was encountered: ++

    ++
  • ++ ++Invalid Response ++ ++
++ ++

++The HTTP Response message received from the contacted server ++could not be understood or was otherwise malformed. Please contact ++the site operator. Your cache administrator may be able to provide ++you with more details about the exact nature of the problem if needed. ++ ++

Your cache administrator is %w. +diff -ruP errors.orig/Romanian/ERR_INVALID_RESP errors/Romanian/ERR_INVALID_RESP +--- errors.orig/Romanian/ERR_INVALID_RESP Thu Jan 1 01:00:00 1970 ++++ errors/Romanian/ERR_INVALID_RESP Mon Jan 24 19:19:43 2005 +@@ -0,0 +1,29 @@ ++ ++ ++ERROR: The requested URL could not be retrieved ++ ++ ++

ERROR

++

The requested URL could not be retrieved

++
++

++While trying to process the request: ++

++%R
++
++

++The following error was encountered: ++

    ++
  • ++ ++Invalid Response ++ ++
++ ++

++The HTTP Response message received from the contacted server ++could not be understood or was otherwise malformed. Please contact ++the site operator. Your cache administrator may be able to provide ++you with more details about the exact nature of the problem if needed. ++ ++

Your cache administrator is %w. Index: Makefile =================================================================== --- Makefile (.../www/squid) (revision 360) +++ Makefile (.../local/squid) (revision 360) @@ -74,7 +74,7 @@ PORTNAME= squid PORTVERSION= 2.5.7 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -93,6 +93,7 @@ squid-2.5.STABLE7-helper_shutdown.patch \ squid-2.5.STABLE7-blank_response.patch \ squid-2.5.STABLE7-dothost.patch \ + squid-2.5.STABLE7-PURGE_internal.patch \ squid-2.5.STABLE7-httpd_accel_vport.patch \ squid-2.5.STABLE7-cachemgr_vmobjects.patch \ squid-2.5.STABLE7-empty_acls.patch \ @@ -103,6 +104,8 @@ squid-2.5.STABLE7-dns_memleak.patch \ squid-2.5.STABLE7-fqdn_truncated.patch \ squid-2.5.STABLE7-ldap_spaces.patch \ + squid-2.5.STABLE7-header_parsing.patch \ + squid-2.5.STABLE7-httpd_accel_no_pmtu_disc.patch \ squid-2.5.STABLE7-ftp_datachannel.patch \ squid-2.5.STABLE7-short_icons_urls.patch \ squid-2.5.STABLE7-response_splitting.patch @@ -150,9 +153,8 @@ SQUID_STACKTRACES "Create backtraces on fatal errors" off \ SQUID_RCNG "Install an rcNG startup script" on -PLIST_FILES= etc/rc.d/squid.sh etc/squid/mib.txt etc/squid/mime.conf.default \ - etc/squid/msntauth.conf.default etc/squid/squid.conf.default \ - sbin/RunAccel sbin/RunCache sbin/squidclient sbin/squid +etc_files= rc.d/squid.sh squid/mib.txt squid/mime.conf.default \ + squid/msntauth.conf.default squid/squid.conf.default icon_files= anthony-binhex.gif anthony-bomb.gif anthony-box.gif \ anthony-box2.gif anthony-c.gif anthony-compressed.gif \ 
@@ -169,18 +171,23 @@ ERR_CONNECT_FAIL ERR_DNS_FAIL ERR_FORWARDING_DENIED \ ERR_FTP_DISABLED ERR_FTP_FAILURE ERR_FTP_FORBIDDEN \ ERR_FTP_NOT_FOUND ERR_FTP_PUT_CREATED \ - ERR_FTP_PUT_ERROR ERR_FTP_PUT_MODIFIED \ - ERR_FTP_UNAVAILABLE ERR_INVALID_REQ ERR_INVALID_URL \ + ERR_FTP_PUT_ERROR ERR_FTP_PUT_MODIFIED ERR_FTP_UNAVAILABLE \ + ERR_INVALID_REQ ERR_INVALID_RESP ERR_INVALID_URL \ ERR_LIFETIME_EXP ERR_NO_RELAY ERR_ONLY_IF_CACHED_MISS \ ERR_READ_ERROR ERR_READ_TIMEOUT ERR_SHUTTING_DOWN \ ERR_SOCKET_FAILURE ERR_TOO_BIG ERR_UNSUP_REQ \ ERR_URN_RESOLVE ERR_WRITE_ERROR ERR_ZERO_SIZE_OBJECT -libexec= cachemgr.cgi digest_pw_auth diskd dnsserver ip_user_check \ - squid_ldap_auth squid_ldap_group msnt_auth ncsa_auth ntlm_auth \ - pam_auth pinger smb_auth smb_auth.sh squid_unix_group \ - unlinkd wb_auth wb_group wb_ntlmauth wbinfo_group.pl +libexec= cachemgr.cgi digest_pw_auth diskd ip_user_check \ + msnt_auth ncsa_auth ntlm_auth \ + pam_auth smb_auth smb_auth.sh squid_unix_group \ + wb_auth wb_group wb_ntlmauth wbinfo_group.pl +.if !defined(SQUID_CONFIGURE_ARGS) || ${SQUID_CONFIGURE_ARGS:M*--disable-unlinkd*} == "" +libexec+= unlinkd +.endif +sbin= RunAccel RunCache squidclient squid + CONFIGURE_ARGS= --bindir=${PREFIX}/sbin --sysconfdir=${PREFIX}/etc/squid \ --datadir=${PREFIX}/etc/squid \ --libexecdir=${PREFIX}/libexec/squid \ @@ -201,6 +208,7 @@ MAN8+= squid_ldap_auth.8 squid_ldap_group.8 basic_auth+= LDAP external_acl+= ldap_group +libexec+= squid_ldap_auth squid_ldap_group .endif .if !defined(NO_NIS) basic_auth+= YP @@ -251,9 +259,11 @@ .endif .if defined(WITH_SQUID_PINGER) CONFIGURE_ARGS+= --enable-icmp +libexec+= pinger .endif .if defined(WITH_SQUID_DNS_HELPER) CONFIGURE_ARGS+= --disable-internal-dns +libexec+= dnsserver .endif .if defined(WITH_SQUID_HTCP) CONFIGURE_ARGS+= --enable-htcp 
@@ -332,6 +342,16 @@ CONFIGURE_ENV+= CFLAGS="${CFLAGS}" \ LDFLAGS="${LDFLAGS}" +PLIST_DIRS= etc/squid/icons libexec/squid +PLIST_FILES= ${etc_files:S,^,etc/,} ${icon_files:S,^,etc/squid/icons/,} \ + ${libexec:S,^,libexec/squid/,} ${sbin:S,^,sbin/,} + +.for d in ${SQUID_LANGUAGES} +PLIST_DIRS+= etc/squid/errors/${d} +PLIST_FILES+= ${error_files:S,^,etc/squid/errors/${d}/,} +.endfor +PLIST_DIRS+= etc/squid/errors etc/squid squid/logs squid/cache squid + pre-patch: # Check whether we need to create the extra patch that makes pf(4) # visible to squid's configure script: @@ -375,27 +395,6 @@ .endif @${SETENV} PKG_PREFIX=${PREFIX} \ ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL -# Create package list: - @for f in ${libexec}; do \ - ${TEST} -f ${PREFIX}/libexec/squid/$${f} && \ - ${ECHO_CMD} "libexec/squid/$${f}" >>${TMPPLIST} || ${TRUE} ; \ - done - @${ECHO_CMD} "@unexec rmdir %D/libexec/squid 2>/dev/null || true" \ - >>${TMPPLIST} - @for f in ${icon_files}; do \ - ${ECHO_CMD} "etc/squid/icons/$${f}" >>${TMPPLIST}; \ - done - @${ECHO_CMD} "@unexec rmdir %D/etc/squid/icons 2>/dev/null || true" \ - >>${TMPPLIST} - @for d in ${SQUID_LANGUAGES}; do \ - for f in ${error_files}; do \ - ${ECHO_CMD} "etc/squid/errors/$${d}/$${f}" >>${TMPPLIST} ; \ - done; \ - ${ECHO_CMD} "@unexec rmdir %D/etc/squid/errors/$${d} 2>/dev/null || true" \ - >>${TMPPLIST}; \ - done - @${ECHO_CMD} "@unexec rmdir %D/etc/squid/errors 2>/dev/null || true" \ - >>${TMPPLIST} changeuser: # Recover from the problem that earlier versions of this port created the Index: pkg-deinstall =================================================================== --- pkg-deinstall (.../www/squid) (revision 360) +++ pkg-deinstall (.../local/squid) (revision 360) 
@@ -13,20 +13,20 @@ done ;; POST-DEINSTALL) - rmdir ${PKG_PREFIX}/etc/squid 2>/dev/null - rmdir ${PKG_PREFIX}/squid/cache 2>/dev/null - rmdir ${PKG_PREFIX}/squid/logs 2>/dev/null - rmdir ${PKG_PREFIX}/squid 2>/dev/null echo "===> post-deinstallation information for $1" echo "" - echo " Please note that $1 was not completely removed" - echo " from this system." + echo " Please note that squid was not completely removed" + echo " from this system:" echo "" - echo " The cache and log directories, squid's user account," - echo " and any modified configuration files have been preserved" - echo " in case you want to install an updated version of squid" - echo " on this system. You must remove them manually if you do" - echo " not want to use squid any longer." + echo " Any squid related user accounts were kept." + if [ -d ${PKG_PREFIX}/squid -o -d ${PKG_PREFIX}/etc/squid ] ; then + echo "" + echo " Additionally, cache and log directories as well as" + echo " configuration files modified by you were preserved" + echo " too, in case you want to install an updated version" + echo " of squid. You need to remove them manually if you do" + echo " not want to use it any longer." + fi echo "" ;; *) >Release-Note: >Audit-Trail: >Unformatted:
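Review bot: the three vendor patches added in the distinfo hunks (PURGE_internal, header_parsing, httpd_accel_no_pmtu_disc) are pinned by MD5 and SIZE only, and MASTER_SITES in the Makefile fetches from ftp://ftp.squid-cache.org/ over plain FTP, so these checksums are the only integrity control on the security fixes being imported; the committer should verify the MD5 values against the vendor's published patches page rather than against the local download before committing.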
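Review bot: all five pages created by files/patch-ERR_INVALID_RESP (Korean, Lithuanian, Polish, Portuguese, Romanian) carry the English text, so users served from those language directories get an English page for this one error; that is acceptable as the stop-gap the PR describes, but since the vendor header_parsing patch may be updated to add the same files, this port patch must be dropped as soon as that happens or the two patches will collide on the same ERR_INVALID_RESP files at patch time.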
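Review bot: adding squid-2.5.STABLE7-header_parsing.patch in the @@ -103,6 +104,8 @@ hunk does not by itself give users the stricter parsing: nothing in this change touches the installed squid.conf.default, and the vendor text quoted in the VuXML entry says the strict rules only take effect with `relaxed_header_parser off`; the PR description and the VuXML entry should make clear that 2.5.7_9 contains the fix but still needs that directive, or the port should set it in its default configuration.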
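Review bot: in the @@ -169,18 +171,23 @@ hunk error_files gains ERR_INVALID_RESP, and the PLIST_FILES loop later expands it for every directory in SQUID_LANGUAGES, but files/patch-ERR_INVALID_RESP supplies the page for only five directories; any other selected language whose directory the vendor patch also leaves without ERR_INVALID_RESP will be listed in the plist without being installed and the package will be incomplete. Compare the set of directories the vendor patch creates against SQUID_LANGUAGES before commit.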
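Review bot: `PLIST_DIRS+= etc/squid/errors etc/squid squid/logs squid/cache squid` in the @@ -332,6 +342,16 @@ hunk makes pkg_delete attempt to remove the cache, log and configuration directories, which are exactly the directories the new pkg-deinstall text says are preserved; on any installation that has actually run, they will be non-empty and pkg_delete will warn that it could not remove them on every deinstall. Either keep the old silent rmdir calls in pkg-deinstall for these directories or accept and document the warnings.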
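The three parsing rules quoted above from the squid patches page, as an added illustration that is not part of this PR, of the vendor patch, or of squid's code: a small strict parser implementing the duplicate Content-Length, bare-CR and whitespace-in-name checks, beside a deliberately lenient first/last Content-Length choice that shows how two agents on the same path come to disagree about where a body ends. The sample messages are constructed, and all function names are this example's own.

```python
"""Strict HTTP/1.x head parsing along the lines of the three rules quoted from the
squid-2.5.STABLE7-header_parsing patch description.  Added example for this PR,
not squid code; the message samples below are constructed, and the lenient
"first/last Content-Length" behaviour is a generic illustration of how two agents
can disagree, not a description of any particular product."""
import re

# RFC 2616 token: printable ASCII minus separators and CTLs.  Any whitespace
# inside a field name therefore fails this match (rule 3).
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedMessage(ValueError):
    """Raised where the strict parser would answer ERR_INVALID_REQ/ERR_INVALID_RESP."""


def parse_head_strict(raw: bytes):
    """Return (start_line, [(lowercased_name, value), ...]) for an HTTP message head.

    Rejects: bare CR (rule 2), non-token header names (rule 3), and more than one
    Content-Length (rule 1).  Obsolete header folding (continuation lines) is not
    accepted here; a folded line starts with whitespace and fails the name check.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedMessage("head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    for line in lines:
        if b"\r" in line:                        # rule 2: CR only as part of CRLF
            raise MalformedMessage("bare CR outside CRLF")
    start_line, field_lines = lines[0], lines[1:]
    headers = []
    for line in field_lines:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):  # rule 3: whitespace in name
            raise MalformedMessage("invalid header name: %r" % name)
        headers.append((name.lower(), value.strip()))
    lengths = [v for n, v in headers if n == b"content-length"]
    if len(lengths) > 1:                         # rule 1: Content-Length at most once
        raise MalformedMessage("multiple Content-Length headers")
    if lengths and not lengths[0].isdigit():
        raise MalformedMessage("non-numeric Content-Length")
    return start_line, headers


def classify(raw: bytes) -> str:
    """'ok' for an acceptable head, otherwise the rejection reason."""
    try:
        parse_head_strict(raw)
        return "ok"
    except MalformedMessage as exc:
        return str(exc)


def lenient_content_length(raw: bytes, pick: str) -> int:
    """What a tolerant agent might do with duplicate Content-Length: honour the
    'first' or the 'last' one.  Two agents in the same path choosing differently
    disagree on where the body ends, which is the desynchronisation that lets an
    upstream response be split and a wrong body be stored under a URL."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = [int(l.split(b":", 1)[1].strip())
              for l in head.split(b"\r\n")[1:]
              if l.lower().startswith(b"content-length:")]
    return values[0] if pick == "first" else values[-1]


# Constructed samples (not captured traffic).
GOOD_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Length: 5\r\n\r\nhello")
DUP_LENGTH = (b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\nContent-Length: 20\r\n\r\n"
              b"helloHTTP/1.0 200 OK\r\n")
BARE_CR = b"GET / HTTP/1.0\r\nHost: example.test\rX-Injected: yes\r\n\r\n"
SPACE_IN_NAME = b"GET / HTTP/1.0\r\nX Forwarded: yes\r\n\r\n"

if __name__ == "__main__":
    for label, msg in [("good", GOOD_RESPONSE), ("dup-length", DUP_LENGTH),
                       ("bare-cr", BARE_CR), ("space-in-name", SPACE_IN_NAME)]:
        print(f"{label:14s} {classify(msg)}")
    print("lenient first/last Content-Length on dup-length:",
          lenient_content_length(DUP_LENGTH, "first"),
          lenient_content_length(DUP_LENGTH, "last"))
```

The strict parser answers every one of the three malformed samples with a rejection, which is the behaviour the vendor text describes for `relaxed_header_parser off`; the lenient helper, fed the duplicate Content-Length sample, yields 5 or 20 depending on which header it trusts, so a cache trusting one value and an origin or browser trusting the other no longer agree on the message boundary.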