summaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-10-26 16:31:22 -0700
committerMartin Jansa <Martin.Jansa@gmail.com>2016-02-08 14:13:39 +0100
commit5b2e937448371626cf71b761e3bfb06ffb60a7ee (patch)
tree93dded2f09e03ac611c9d9f333c0562ec75ac62a /meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
parente8a8e0be8e39dbb949bf0f0df90abe1c4e3f6470 (diff)
downloadast2050-yocto-openembedded-5b2e937448371626cf71b761e3bfb06ffb60a7ee.zip
ast2050-yocto-openembedded-5b2e937448371626cf71b761e3bfb06ffb60a7ee.tar.gz
squid: serveral missing security fixes
SQUID-2015:2 - Does not affect Squid-3.4 and older versions are not vulnerable. CVE-2015-5400 CVE-2015-3455 CVE-2014-7142 CVE-2014-7141 CVE-2014-6270 see http://www.squid-cache.org/Advisories/ Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch')
-rw-r--r--meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch282
1 files changed, 282 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
new file mode 100644
index 0000000..5d4c620
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
@@ -0,0 +1,282 @@
+Fix: CVE-2014-7141 CVE-2014-7142
+
+revno: 13173
+revision-id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw
+parent: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt
+author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Sun 2014-09-14 23:06:14 -0600
+message:
+ Fix various ICMP handling issues in Squid pinger
+
+ * ICMP code type logging display could over-read the registered type
+ string arrays.
+
+ * Malformed ICMP packets were accepted into processing with undefined
+ and potentially nasty results.
+
+ Both sets of flaws can result in pinger segmentation fault and halting
+ the Squid functionality relying on pinger for correct operation.
+
+ Thanks to the OpenSUSE project for analysis and resolution of these.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 234c1592673c5317e1b323018226e04941cc61a8
+# timestamp: 2014-09-15 11:08:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20140915045834-\
+# qo85nnsinp9wu4gt
+#
+# Begin patch
+
+Upstream-Status: Backport
+
+http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13173.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+=== modified file 'src/icmp/Icmp4.cc'
+--- a/src/icmp/Icmp4.cc 2013-06-03 14:05:16 +0000
++++ b/src/icmp/Icmp4.cc 2014-09-15 05:06:14 +0000
+@@ -41,26 +41,38 @@
+ #include "IcmpPinger.h"
+ #include "Debug.h"
+
+-const char *icmpPktStr[] = {
+- "Echo Reply",
+- "ICMP 1",
+- "ICMP 2",
+- "Destination Unreachable",
+- "Source Quench",
+- "Redirect",
+- "ICMP 6",
+- "ICMP 7",
+- "Echo",
+- "ICMP 9",
+- "ICMP 10",
+- "Time Exceeded",
+- "Parameter Problem",
+- "Timestamp",
+- "Timestamp Reply",
+- "Info Request",
+- "Info Reply",
+- "Out of Range Type"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++ static const char *icmpPktStr[] = {
++ "Echo Reply",
++ "ICMP 1",
++ "ICMP 2",
++ "Destination Unreachable",
++ "Source Quench",
++ "Redirect",
++ "ICMP 6",
++ "ICMP 7",
++ "Echo",
++ "ICMP 9",
++ "ICMP 10",
++ "Time Exceeded",
++ "Parameter Problem",
++ "Timestamp",
++ "Timestamp Reply",
++ "Info Request",
++ "Info Reply",
++ "Out of Range Type"
++ };
++
++ if (v > 17) {
++ static char buf[50];
++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
++ return buf;
++ }
++
++ return icmpPktStr[v];
++}
+
+ Icmp4::Icmp4() : Icmp()
+ {
+@@ -187,6 +199,12 @@
+ from->ai_addr,
+ &from->ai_addrlen);
+
++ if (n <= 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ preply.from = *from;
+
+ #if GETTIMEOFDAY_NO_TZP
+@@ -243,9 +261,15 @@
+
+ preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
+
++ if (preply.psize < 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
+
+- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
+ Ip::Address::FreeAddrInfo(from);
+ }
+
+
+=== modified file 'src/icmp/Icmp6.cc'
+--- a/src/icmp/Icmp6.cc 2013-06-03 14:05:16 +0000
++++ b/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
+@@ -50,57 +50,61 @@
+
+ // Icmp6 OP-Codes
+ // see http://www.iana.org/assignments/icmpv6-parameters
+-// NP: LowPktStr is for codes 0-127
+-static const char *icmp6LowPktStr[] = {
+- "ICMP 0", // 0
+- "Destination Unreachable", // 1 - RFC2463
+- "Packet Too Big", // 2 - RFC2463
+- "Time Exceeded", // 3 - RFC2463
+- "Parameter Problem", // 4 - RFC2463
+- "ICMP 5", // 5
+- "ICMP 6", // 6
+- "ICMP 7", // 7
+- "ICMP 8", // 8
+- "ICMP 9", // 9
+- "ICMP 10" // 10
+-};
+-
+-// NP: HighPktStr is for codes 128-255
+-static const char *icmp6HighPktStr[] = {
+- "Echo Request", // 128 - RFC2463
+- "Echo Reply", // 129 - RFC2463
+- "Multicast Listener Query", // 130 - RFC2710
+- "Multicast Listener Report", // 131 - RFC2710
+- "Multicast Listener Done", // 132 - RFC2710
+- "Router Solicitation", // 133 - RFC4861
+- "Router Advertisement", // 134 - RFC4861
+- "Neighbor Solicitation", // 135 - RFC4861
+- "Neighbor Advertisement", // 136 - RFC4861
+- "Redirect Message", // 137 - RFC4861
+- "Router Renumbering", // 138 - Crawford
+- "ICMP Node Information Query", // 139 - RFC4620
+- "ICMP Node Information Response", // 140 - RFC4620
+- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
+- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
+- "Version 2 Multicast Listener Report", // 143 - RFC3810
+- "Home Agent Address Discovery Request", // 144 - RFC3775
+- "Home Agent Address Discovery Reply", // 145 - RFC3775
+- "Mobile Prefix Solicitation", // 146 - RFC3775
+- "Mobile Prefix Advertisement", // 147 - RFC3775
+- "Certification Path Solicitation", // 148 - RFC3971
+- "Certification Path Advertisement", // 149 - RFC3971
+- "ICMP Experimental (150)", // 150 - RFC4065
+- "Multicast Router Advertisement", // 151 - RFC4286
+- "Multicast Router Solicitation", // 152 - RFC4286
+- "Multicast Router Termination", // 153 - [RFC4286]
+- "ICMP 154",
+- "ICMP 155",
+- "ICMP 156",
+- "ICMP 157",
+- "ICMP 158",
+- "ICMP 159",
+- "ICMP 160"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++ // NP: LowPktStr is for codes 0-127
++ static const char *icmp6LowPktStr[] = {
++ "ICMPv6 0", // 0
++ "Destination Unreachable", // 1 - RFC2463
++ "Packet Too Big", // 2 - RFC2463
++ "Time Exceeded", // 3 - RFC2463
++ "Parameter Problem", // 4 - RFC2463
++ };
++
++ // low codes 1-4 registered
++ if (0 < v && v < 5)
++ return icmp6LowPktStr[(int)(v&0x7f)];
++
++ // NP: HighPktStr is for codes 128-255
++ static const char *icmp6HighPktStr[] = {
++ "Echo Request", // 128 - RFC2463
++ "Echo Reply", // 129 - RFC2463
++ "Multicast Listener Query", // 130 - RFC2710
++ "Multicast Listener Report", // 131 - RFC2710
++ "Multicast Listener Done", // 132 - RFC2710
++ "Router Solicitation", // 133 - RFC4861
++ "Router Advertisement", // 134 - RFC4861
++ "Neighbor Solicitation", // 135 - RFC4861
++ "Neighbor Advertisement", // 136 - RFC4861
++ "Redirect Message", // 137 - RFC4861
++ "Router Renumbering", // 138 - Crawford
++ "ICMP Node Information Query", // 139 - RFC4620
++ "ICMP Node Information Response", // 140 - RFC4620
++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
++ "Version 2 Multicast Listener Report", // 143 - RFC3810
++ "Home Agent Address Discovery Request", // 144 - RFC3775
++ "Home Agent Address Discovery Reply", // 145 - RFC3775
++ "Mobile Prefix Solicitation", // 146 - RFC3775
++ "Mobile Prefix Advertisement", // 147 - RFC3775
++ "Certification Path Solicitation", // 148 - RFC3971
++ "Certification Path Advertisement", // 149 - RFC3971
++ "ICMP Experimental (150)", // 150 - RFC4065
++ "Multicast Router Advertisement", // 151 - RFC4286
++ "Multicast Router Solicitation", // 152 - RFC4286
++ "Multicast Router Termination", // 153 - [RFC4286]
++ };
++
++ // high codes 127-153 registered
++ if (127 < v && v < 154)
++ return icmp6HighPktStr[(int)(v&0x7f)];
++
++ // give all others a generic display
++ static char buf[50];
++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
++ return buf;
++}
+
+ Icmp6::Icmp6() : Icmp()
+ {
+@@ -236,6 +240,12 @@
+ from->ai_addr,
+ &from->ai_addrlen);
+
++ if (n <= 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ preply.from = *from;
+
+ #if GETTIMEOFDAY_NO_TZP
+@@ -291,8 +301,7 @@
+
+ default:
+ debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
+- );
++ IcmpPacketType(icmp6header->icmp6_type));
+ }
+ Ip::Address::FreeAddrInfo(from);
+ return;
+@@ -331,7 +340,7 @@
+
+ Log(preply.from,
+ icmp6header->icmp6_type,
+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
++ IcmpPacketType(icmp6header->icmp6_type),
+ preply.rtt,
+ preply.hops);
+
+
OpenPOWER on IntegriCloud