From owner-svn-ports-all@FreeBSD.ORG Tue Sep 4 13:45:29 2012 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 26E271065674; Tue, 4 Sep 2012 13:45:29 +0000 (UTC) (envelope-from rea@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 11B3D8FC14; Tue, 4 Sep 2012 13:45:29 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q84DjSe7063151; Tue, 4 Sep 2012 13:45:28 GMT (envelope-from rea@svn.freebsd.org) Received: (from rea@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q84DjSKO063146; Tue, 4 Sep 2012 13:45:28 GMT (envelope-from rea@svn.freebsd.org) Message-Id: <201209041345.q84DjSKO063146@svn.freebsd.org> From: Eygene Ryabinkin Date: Tue, 4 Sep 2012 13:45:28 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r303652 - in head/security: squidclamav squidclamav/files vuxml X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Sep 2012 13:45:29 -0000 Author: rea Date: Tue Sep 4 13:45:28 2012 New Revision: 303652 URL: http://svn.freebsd.org/changeset/ports/303652 Log: security/squidclamav: fix DoS and XSS vulnerabilities Apply upstream patches for CVE-2012-3501 and CVE-2012-4667. Security: http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html Security: http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html PR: 171022 QA page: http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1 Approved by: maintainer timeout (1 week) Added: head/security/squidclamav/files/patch-cve-2012-3501 (contents, props changed) head/security/squidclamav/files/patch-cve-2012-4667 (contents, props changed) Modified: head/security/squidclamav/Makefile head/security/vuxml/vuln.xml Modified: head/security/squidclamav/Makefile ============================================================================== --- head/security/squidclamav/Makefile Tue Sep 4 11:54:30 2012 (r303651) +++ head/security/squidclamav/Makefile Tue Sep 4 13:45:28 2012 (r303652) @@ -7,6 +7,7 @@ PORTNAME= squidclamav PORTVERSION= 5.7 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF Added: head/security/squidclamav/files/patch-cve-2012-3501 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/squidclamav/files/patch-cve-2012-3501 Tue Sep 4 13:45:28 2012 (r303652) @@ -0,0 +1,71 @@ +Fix CVE-2012-3501, DoS when external URL checker is used + +This fix was integrated into 6.7 and 5.8. + +Obtained-from: https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00.diff + +--- src/squidclamav.c.orig 2010-12-11 15:20:46.000000000 +0300 ++++ src/squidclamav.c 2012-08-25 15:55:51.708586983 +0400 +@@ -62,6 +62,7 @@ + static char * escape_quote (char *s); + void timeit (struct timeval start, char *level); + int dconnect (void); ++char * replace(const char *s, const char *old, const char *new); + void replace_chr(char string[], char *from, char *to); + void free_global (); /* routine to free global pointer */ + void freeBuff (struct IN_BUFF); +@@ -474,11 +475,15 @@ + /* chaining with SquidGuard - before bridge mode or not*/ + if ((bridge_mode == 0) && (squidguard != NULL)) { + if (usepipe == 1) { ++ char *rbuff = NULL; ++ /* escaping escaped character to prevent unescaping by squidguard */ ++ rbuff = replace(rbuff, "%", "%25"); + if (debug > 0) + logit(log_file, "DEBUG Sending request to chained program: %s\n", squidguard); + fprintf(sgfpw,"%s\n",sbuff); + fflush(sgfpw); + xfree(escaped); ++ xfree(rbuff); + escaped = NULL; + /* the chained redirector must return empty line if ok or the redirection url */ + chain_ret = (char *)malloc(sizeof(char)*MAX_URL); +@@ -1114,3 +1119,38 @@ + } + + ++/** ++ * Searches all occurrences of old into s ++ * and replaces with new ++ */ ++char * ++replace(const char *s, const char *old, const char *new) ++{ ++ char *ret; ++ int i, count = 0; ++ size_t newlen = strlen(new); ++ size_t oldlen = strlen(old); ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (strstr(&s[i], old) == &s[i]) { ++ count++; ++ i += oldlen - 1; ++ } ++ } ++ ret = malloc(i + 1 + count * (newlen - oldlen)); ++ if (ret != NULL) { ++ i = 0; ++ while (*s) { ++ if (strstr(s, old) == s) { ++ strcpy(&ret[i], new); ++ i += newlen; ++ s += oldlen; ++ } else { ++ ret[i++] = *s++; ++ } ++ } ++ ret[i] = '\0'; ++ } ++ ++ return ret; ++} Added: head/security/squidclamav/files/patch-cve-2012-4667 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/squidclamav/files/patch-cve-2012-4667 Tue Sep 4 13:45:28 2012 (r303652) @@ -0,0 +1,124 @@ +Fixes CVE-2012-4667, XSS in clwarn.cgi + +Integrated to 5.8 and 6.7. + +Obtained-from: https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b.diff + +diff --git a/cgi-bin/clwarn.cgi b/cgi-bin/clwarn.cgi +index 9333bef..a43eca7 100755 +--- cgi-bin/clwarn.cgi ++++ cgi-bin/clwarn.cgi +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; +diff --git a/cgi-bin/clwarn.cgi.de_DE b/cgi-bin/clwarn.cgi.de_DE +index 700c3df..3f21180 100755 +--- cgi-bin/clwarn.cgi.de_DE ++++ cgi-bin/clwarn.cgi.de_DE +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "Virus Alarm"; + my $subtitle = 'enthlt folgenden Virus'; +diff --git a/cgi-bin/clwarn.cgi.en_EN b/cgi-bin/clwarn.cgi.en_EN +index d246e54..6e70e46 100755 +--- cgi-bin/clwarn.cgi.en_EN ++++ cgi-bin/clwarn.cgi.en_EN +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contains the virus'; +diff --git a/cgi-bin/clwarn.cgi.fr_FR b/cgi-bin/clwarn.cgi.fr_FR +index c0b3896..323fa30 100755 +--- cgi-bin/clwarn.cgi.fr_FR ++++ cgi-bin/clwarn.cgi.fr_FR +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contient le virus'; +diff --git a/cgi-bin/clwarn.cgi.pt_BR b/cgi-bin/clwarn.cgi.pt_BR +index 6bf12a0..1a6492a 100755 +--- cgi-bin/clwarn.cgi.pt_BR ++++ cgi-bin/clwarn.cgi.pt_BR +@@ -7,8 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; ++$source =~ s/\/-//; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Foi detectado um vírus!"; + my $subtitle = 'está infectada pelo vírus'; +diff --git a/cgi-bin/clwarn.cgi.ru_RU b/cgi-bin/clwarn.cgi.ru_RU +index 21e4d94..1e82a0b 100755 +--- cgi-bin/clwarn.cgi.ru_RU ++++ cgi-bin/clwarn.cgi.ru_RU +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Обнаружен вирус!"; + my $subtitle = 'содержит вирус'; Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 4 11:54:30 2012 (r303651) +++ head/security/vuxml/vuln.xml Tue Sep 4 13:45:28 2012 (r303652) @@ -695,7 +695,7 @@ Note: Please add new entries to the beg squidclamav - 5.8 + 5.7_1 6.06.7 @@ -722,6 +722,7 @@ Note: Please add new entries to the beg 2012-07-24 2012-08-25 + 2012-09-04