diff options
author | des <des@FreeBSD.org> | 2004-06-09 20:34:00 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2004-06-09 20:34:00 +0000 |
commit | ecd68523c3303ed379e6f480c8062f8e6bf6304b (patch) | |
tree | a2111f6d5c9b676007e5d0393f071acf2ada4114 /www/squid27 | |
parent | 3e1af7fe44f07fa17f4ab7f480cedcbe4c3b6b8e (diff) | |
download | FreeBSD-ports-ecd68523c3303ed379e6f480c8062f8e6bf6304b.zip FreeBSD-ports-ecd68523c3303ed379e6f480c8062f8e6bf6304b.tar.gz |
Add a couple of patches, including one for a buffer overflow in the NTLM
authentication helper.
PR: ports/67764
Submitted by: maintainer
Diffstat (limited to 'www/squid27')
-rw-r--r-- | www/squid27/Makefile | 6 | ||||
-rw-r--r-- | www/squid27/distinfo | 4 | ||||
-rw-r--r-- | www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 |
3 files changed, 95 insertions, 2 deletions
diff --git a/www/squid27/Makefile b/www/squid27/Makefile index bc8d8fb..8bc9b08 100644 --- a/www/squid27/Makefile +++ b/www/squid27/Makefile @@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid27/distinfo b/www/squid27/distinfo index db5de42..98d0c13 100644 --- a/www/squid27/distinfo +++ b/www/squid27/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 0000000..c837e41 --- /dev/null +++ b/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c @@ -0,0 +1,87 @@ +This patch fixes a buffer overflow vulnerability in the NTLM auth +helper which was reported by Stefan Esser on the 07th June 2004. +Original advisory: +<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false> +CVE-ID: CAN-2004-0541 +Patch obtained from: +<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch> +The patch was slightly modified by the me (tmseck@netcologne.de) to make +it apply cleanly to the FreeBSD port. + +Index: libntlmssp.c +=================================================================== +RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v +retrieving revision 1.7 +diff -u -3 -p -u -r1.7 libntlmssp.c +--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7 ++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000 +@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai + #define min(A,B) (A<B?A:B) + + int ntlm_errno; +-static char credentials[1024]; /* we can afford to waste */ ++#define MAX_USERNAME_LEN 255 ++#define MAX_DOMAIN_LEN 255 ++#define MAX_PASSWD_LEN 31 ++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */ + + + /* Fetches the user's credentials from the challenge. +@@ -197,7 +200,7 @@ char * + ntlm_check_auth(ntlm_authenticate * auth, int auth_length) + { + int rv; +- char pass[25] /*, encrypted_pass[40] */; ++ char pass[MAX_PASSWD_LEN+1]; + char *domain = credentials; + char *user; + lstring tmp; +@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } ++ if (tmp.l > MAX_DOMAIN_LEN) { ++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN); ++ ntlm_errno = NTLM_LOGON_ERROR; ++ return NULL; ++ } + memcpy(domain, tmp.str, tmp.l); +- user = domain + tmp.l; ++ user = domain + tmp.l + 1; + *user++ = '\0'; + + /* debug("fetching user name\n"); */ +@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } ++ if (tmp.l > MAX_USERNAME_LEN) { ++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN); ++ ntlm_errno = NTLM_LOGON_ERROR; ++ return NULL; ++ } + memcpy(user, tmp.str, tmp.l); + *(user + tmp.l) = '\0'; + + +- /* Authenticating against the NT response doesn't seem to work... */ ++ /* Authenticating against the NT response doesn't seem to work... */ + tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse); + if (tmp.str == NULL || tmp.l == 0) { + fprintf(stderr, "No auth at all. Returning no-auth\n"); + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } +- ++ if (tmp.l > MAX_PASSWD_LEN) { ++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN); ++ ntlm_errno = NTLM_LOGON_ERROR; ++ return NULL; ++ } ++ + memcpy(pass, tmp.str, tmp.l); +- pass[25] = '\0'; ++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0'; + + #if 1 + debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'" |