diff options
author | Armin Kuster <akuster@mvista.com> | 2015-10-26 16:31:22 -0700 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-02-08 14:13:39 +0100 |
commit | 5b2e937448371626cf71b761e3bfb06ffb60a7ee (patch) | |
tree | 93dded2f09e03ac611c9d9f333c0562ec75ac62a /meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch | |
parent | e8a8e0be8e39dbb949bf0f0df90abe1c4e3f6470 (diff) | |
download | ast2050-yocto-openembedded-5b2e937448371626cf71b761e3bfb06ffb60a7ee.zip ast2050-yocto-openembedded-5b2e937448371626cf71b761e3bfb06ffb60a7ee.tar.gz |
squid: serveral missing security fixes
SQUID-2015:2 - Does not affect Squid-3.4 and older versions are not vulnerable.
CVE-2015-5400
CVE-2015-3455
CVE-2014-7142
CVE-2014-7141
CVE-2014-6270
see http://www.squid-cache.org/Advisories/
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch')
-rw-r--r-- | meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch | 282 |
1 files changed, 282 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch new file mode 100644 index 0000000..5d4c620 --- /dev/null +++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch @@ -0,0 +1,282 @@ +Fix: CVE-2014-7141 CVE-2014-7142 + +revno: 13173 +revision-id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw +parent: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt +author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com> +committer: Amos Jeffries <squid3@treenet.co.nz> +branch nick: 3.4 +timestamp: Sun 2014-09-14 23:06:14 -0600 +message: + Fix various ICMP handling issues in Squid pinger + + * ICMP code type logging display could over-read the registered type + string arrays. + + * Malformed ICMP packets were accepted into processing with undefined + and potentially nasty results. + + Both sets of flaws can result in pinger segmentation fault and halting + the Squid functionality relying on pinger for correct operation. + + Thanks to the OpenSUSE project for analysis and resolution of these. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# testament_sha1: 234c1592673c5317e1b323018226e04941cc61a8 +# timestamp: 2014-09-15 11:08:18 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4 +# base_revision_id: squid3@treenet.co.nz-20140915045834-\ +# qo85nnsinp9wu4gt +# +# Begin patch + +Upstream-Status: Backport + +http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13173.patch + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +=== modified file 'src/icmp/Icmp4.cc' +--- a/src/icmp/Icmp4.cc 2013-06-03 14:05:16 +0000 ++++ b/src/icmp/Icmp4.cc 2014-09-15 05:06:14 +0000 +@@ -41,26 +41,38 @@ + #include "IcmpPinger.h" + #include "Debug.h" + +-const char *icmpPktStr[] = { +- "Echo Reply", +- "ICMP 1", +- "ICMP 2", +- "Destination Unreachable", +- "Source Quench", +- "Redirect", +- "ICMP 6", +- "ICMP 7", +- "Echo", +- "ICMP 9", +- "ICMP 10", +- "Time Exceeded", +- "Parameter Problem", +- "Timestamp", +- "Timestamp Reply", +- "Info Request", +- "Info Reply", +- "Out of Range Type" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ static const char *icmpPktStr[] = { ++ "Echo Reply", ++ "ICMP 1", ++ "ICMP 2", ++ "Destination Unreachable", ++ "Source Quench", ++ "Redirect", ++ "ICMP 6", ++ "ICMP 7", ++ "Echo", ++ "ICMP 9", ++ "ICMP 10", ++ "Time Exceeded", ++ "Parameter Problem", ++ "Timestamp", ++ "Timestamp Reply", ++ "Info Request", ++ "Info Reply", ++ "Out of Range Type" ++ }; ++ ++ if (v > 17) { ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v); ++ return buf; ++ } ++ ++ return icmpPktStr[v]; ++} + + Icmp4::Icmp4() : Icmp() + { +@@ -187,6 +199,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -243,9 +261,15 @@ + + preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ); + ++ if (preply.psize < 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) ); + +- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops); ++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops); + Ip::Address::FreeAddrInfo(from); + } + + +=== modified file 'src/icmp/Icmp6.cc' +--- a/src/icmp/Icmp6.cc 2013-06-03 14:05:16 +0000 ++++ b/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000 +@@ -50,57 +50,61 @@ + + // Icmp6 OP-Codes + // see http://www.iana.org/assignments/icmpv6-parameters +-// NP: LowPktStr is for codes 0-127 +-static const char *icmp6LowPktStr[] = { +- "ICMP 0", // 0 +- "Destination Unreachable", // 1 - RFC2463 +- "Packet Too Big", // 2 - RFC2463 +- "Time Exceeded", // 3 - RFC2463 +- "Parameter Problem", // 4 - RFC2463 +- "ICMP 5", // 5 +- "ICMP 6", // 6 +- "ICMP 7", // 7 +- "ICMP 8", // 8 +- "ICMP 9", // 9 +- "ICMP 10" // 10 +-}; +- +-// NP: HighPktStr is for codes 128-255 +-static const char *icmp6HighPktStr[] = { +- "Echo Request", // 128 - RFC2463 +- "Echo Reply", // 129 - RFC2463 +- "Multicast Listener Query", // 130 - RFC2710 +- "Multicast Listener Report", // 131 - RFC2710 +- "Multicast Listener Done", // 132 - RFC2710 +- "Router Solicitation", // 133 - RFC4861 +- "Router Advertisement", // 134 - RFC4861 +- "Neighbor Solicitation", // 135 - RFC4861 +- "Neighbor Advertisement", // 136 - RFC4861 +- "Redirect Message", // 137 - RFC4861 +- "Router Renumbering", // 138 - Crawford +- "ICMP Node Information Query", // 139 - RFC4620 +- "ICMP Node Information Response", // 140 - RFC4620 +- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 +- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 +- "Version 2 Multicast Listener Report", // 143 - RFC3810 +- "Home Agent Address Discovery Request", // 144 - RFC3775 +- "Home Agent Address Discovery Reply", // 145 - RFC3775 +- "Mobile Prefix Solicitation", // 146 - RFC3775 +- "Mobile Prefix Advertisement", // 147 - RFC3775 +- "Certification Path Solicitation", // 148 - RFC3971 +- "Certification Path Advertisement", // 149 - RFC3971 +- "ICMP Experimental (150)", // 150 - RFC4065 +- "Multicast Router Advertisement", // 151 - RFC4286 +- "Multicast Router Solicitation", // 152 - RFC4286 +- "Multicast Router Termination", // 153 - [RFC4286] +- "ICMP 154", +- "ICMP 155", +- "ICMP 156", +- "ICMP 157", +- "ICMP 158", +- "ICMP 159", +- "ICMP 160" +-}; ++static const char * ++IcmpPacketType(uint8_t v) ++{ ++ // NP: LowPktStr is for codes 0-127 ++ static const char *icmp6LowPktStr[] = { ++ "ICMPv6 0", // 0 ++ "Destination Unreachable", // 1 - RFC2463 ++ "Packet Too Big", // 2 - RFC2463 ++ "Time Exceeded", // 3 - RFC2463 ++ "Parameter Problem", // 4 - RFC2463 ++ }; ++ ++ // low codes 1-4 registered ++ if (0 < v && v < 5) ++ return icmp6LowPktStr[(int)(v&0x7f)]; ++ ++ // NP: HighPktStr is for codes 128-255 ++ static const char *icmp6HighPktStr[] = { ++ "Echo Request", // 128 - RFC2463 ++ "Echo Reply", // 129 - RFC2463 ++ "Multicast Listener Query", // 130 - RFC2710 ++ "Multicast Listener Report", // 131 - RFC2710 ++ "Multicast Listener Done", // 132 - RFC2710 ++ "Router Solicitation", // 133 - RFC4861 ++ "Router Advertisement", // 134 - RFC4861 ++ "Neighbor Solicitation", // 135 - RFC4861 ++ "Neighbor Advertisement", // 136 - RFC4861 ++ "Redirect Message", // 137 - RFC4861 ++ "Router Renumbering", // 138 - Crawford ++ "ICMP Node Information Query", // 139 - RFC4620 ++ "ICMP Node Information Response", // 140 - RFC4620 ++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122 ++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122 ++ "Version 2 Multicast Listener Report", // 143 - RFC3810 ++ "Home Agent Address Discovery Request", // 144 - RFC3775 ++ "Home Agent Address Discovery Reply", // 145 - RFC3775 ++ "Mobile Prefix Solicitation", // 146 - RFC3775 ++ "Mobile Prefix Advertisement", // 147 - RFC3775 ++ "Certification Path Solicitation", // 148 - RFC3971 ++ "Certification Path Advertisement", // 149 - RFC3971 ++ "ICMP Experimental (150)", // 150 - RFC4065 ++ "Multicast Router Advertisement", // 151 - RFC4286 ++ "Multicast Router Solicitation", // 152 - RFC4286 ++ "Multicast Router Termination", // 153 - [RFC4286] ++ }; ++ ++ // high codes 127-153 registered ++ if (127 < v && v < 154) ++ return icmp6HighPktStr[(int)(v&0x7f)]; ++ ++ // give all others a generic display ++ static char buf[50]; ++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v); ++ return buf; ++} + + Icmp6::Icmp6() : Icmp() + { +@@ -236,6 +240,12 @@ + from->ai_addr, + &from->ai_addrlen); + ++ if (n <= 0) { ++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket."); ++ Ip::Address::FreeAddrInfo(from); ++ return; ++ } ++ + preply.from = *from; + + #if GETTIMEOFDAY_NO_TZP +@@ -291,8 +301,7 @@ + + default: + debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " << +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ) +- ); ++ IcmpPacketType(icmp6header->icmp6_type)); + } + Ip::Address::FreeAddrInfo(from); + return; +@@ -331,7 +340,7 @@ + + Log(preply.from, + icmp6header->icmp6_type, +- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ), ++ IcmpPacketType(icmp6header->icmp6_type), + preply.rtt, + preply.hops); + + |