!124 [sync] PR-119: fix CVE-2023-50269

From: @openeuler-sync-bot Reviewed-by: @robertxw Signed-off-by: @robertxw
2023-12-19 01:17:36 +00:00 · 2023-12-19 01:17:36 +00:00 · 598076ce24
commit 598076ce24
parent bd8abbdd2f ced15abdd1
2 changed files with 87 additions and 1 deletions
--- a/backport-CVE-2023-50269.patch
+++ b/backport-CVE-2023-50269.patch
@ -0,0 +1,79 @@
+commit 9f7136105bff920413042a8806cc5de3f6086d6d
+Author: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
+Date:   Tue Nov 28 07:35:46 2023 +0000
+
+    Limit the number of allowed X-Forwarded-For hops (#1589)
+    
+    Squid will ignore all X-Forwarded-For elements listed after the first 64
+    addresses allowed by the follow_x_forwarded_for directive. A different
+    limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
+    macro, but that macro is not a supported Squid configuration interface
+    and may change or disappear at any time.
+    
+    Squid will log a cache.log ERROR if the hop limit has been reached.
+    
+    This change works around problematic ACLChecklist and/or slow ACLs
+    implementation that results in immediate nonBlockingCheck() callbacks.
+    Such callbacks have caused many bugs and development complications. In
+    clientFollowXForwardedForCheck() context, they lead to indirect
+    recursion that was bound only by the number of allowed XFF entries,
+    which could reach thousands and exhaust Squid process call stack.
+    
+    This recursion bug was discovered and detailed by Joshua Rogers at
+    https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
+    where it was filed as "X-Forwarded-For Stack Overflow".
+
+Conflict: src/client_side_request.cc context adapt
+Reference: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
+
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index f5316f9cf6..8651d101ae 100644
+--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
+@@ -80,6 +80,10 @@ public:
+ #endif
+     ErrorState *error; ///< saved error page for centralized/delayed processing
+     bool readNextRequest; ///< whether Squid should read after error handling
+
+#if FOLLOW_X_FORWARDED_FOR
+    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
+#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 2f49ca1495..890357835a 100644
+--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
+@@ -81,6 +81,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
+
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
+#endif
+
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -486,8 +491,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
+                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
+                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+             }
+-            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+-            return;
+            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
+                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+                return;
+            }
+            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
+            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
+                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
+                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
+                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
+            // fall through to resume clientAccessCheck() processing
+         }
+     }
+ 
+--
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.9
-Release:  21
+Release:  22
 Summary:  The Squid proxy caching server
 Epoch:    7
 License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -53,6 +53,7 @@ Patch32:backport-CVE-2023-46724.patch
 Patch33:backport-CVE-2023-46728.patch
 Patch34:backport-CVE-2023-49285.patch
 Patch35:backport-CVE-2023-49286.patch
+Patch36:backport-CVE-2023-50269.patch

 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@ -247,6 +248,12 @@ fi
    chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :

 %changelog
+* Fri Dec 15 2023 xinghe <xinghe2@h-partners.com> - 7:4.9-22
+- Type:cves
+- ID:CVE-2023-50269
+- SUG:NA
+- DESC:fix CVE-2023-50269
+
 * Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-21
 - Type:cves
 - ID:CVE-2023-49285 CVE-2023-49286