!86 fix CVE-2023-46846 CVE-2023-46847

From: @yangl777 Reviewed-by: @robertxw Signed-off-by: @robertxw
2023-11-01 02:18:35 +00:00 · 2023-11-01 02:18:35 +00:00 · c53cc0ac70
commit c53cc0ac70
parent f63a966785 4992d508dc
4 changed files with 1298 additions and 1 deletions
--- a/backport-0001-CVE-2023-46846.patch
+++ b/backport-0001-CVE-2023-46846.patch
--- a/backport-0002-CVE-2023-46846.patch
+++ b/backport-0002-CVE-2023-46846.patch
@ -0,0 +1,180 @@
 From 05f6af2f4c85cc99323cfff6149c3d74af661b6d Mon Sep 17 00:00:00 2001
 From: Amos Jeffries <yadij@users.noreply.github.com>
 Date: Fri, 13 Oct 2023 08:44:16 +0000
 Subject: [PATCH] RFC 9112: Improve HTTP chunked encoding compliance (#1498)
 Conflict:NA
 Reference:http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch
 ---
 src/http/one/Parser.cc          |  8 +-------
 src/http/one/Parser.h           |  4 +---
 src/http/one/TeChunkedParser.cc | 23 ++++++++++++++++++-----
 src/parser/Tokenizer.cc         | 12 ++++++++++++
 src/parser/Tokenizer.h          |  7 +++++++
 5 files changed, 39 insertions(+), 15 deletions(-)
 diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc
 index c78ddd7f0..291ae39f0 100644
 --- a/src/http/one/Parser.cc
 +++ b/src/http/one/Parser.cc
@@ -65,16 +65,10 @@ Http::One::Parser::DelimiterCharacters()
 void
 Http::One::Parser::skipLineTerminator(Tokenizer &tok) const
 {
 -    if (tok.skip(Http1::CrLf()))
 -        return;
 -
     if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF))
         return;
 -    if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r'))
 -        throw InsufficientInput();
 -
 -    throw TexcHere("garbage instead of CRLF line terminator");
 +    tok.skipRequired("line-terminating CRLF", Http1::CrLf());
 }
 /// all characters except the LF line terminator
 diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h
 index f83c01a9a..aab895583 100644
 --- a/src/http/one/Parser.h
 +++ b/src/http/one/Parser.h
@@ -124,9 +124,7 @@ protected:
      * detect and skip the CRLF or (if tolerant) LF line terminator
      * consume from the tokenizer.
      *
 -     * \throws exception on bad or InsuffientInput.
 -     * \retval true only if line terminator found.
 -     * \retval false incomplete or missing line terminator, need more data.
 +     * \throws exception on bad or InsufficientInput
      */
     void skipLineTerminator(Tokenizer &) const;
 diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc
 index 1434100b6..8bdb65abb 100644
 --- a/src/http/one/TeChunkedParser.cc
 +++ b/src/http/one/TeChunkedParser.cc
@@ -91,6 +91,11 @@ Http::One::TeChunkedParser::parseChunkSize(Tokenizer &tok)
 {
     Must(theChunkSize <= 0); // Should(), really
 +    static const SBuf bannedHexPrefixLower("0x");
 +    static const SBuf bannedHexPrefixUpper("0X");
 +    if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper))
 +        throw TextException("chunk starts with 0x", Here());
 +
     int64_t size = -1;
     if (tok.int64(size, 16, false) && !tok.atEnd()) {
         if (size < 0)
@@ -121,7 +126,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // bad or insufficient input, like in the code below. TODO: Expand up.
     try {
         parseChunkExtensions(tok); // a possibly empty chunk-ext list
 -        skipLineTerminator(tok);
 +        tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf());
         buf_ = tok.remaining();
         parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME;
         return true;
@@ -132,12 +137,14 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok)
     // other exceptions bubble up to kill message parsing
 }
 -/// Parses the chunk-ext list (RFC 7230 section 4.1.1 and its Errata #4667):
 +/// Parses the chunk-ext list (RFC 9112 section 7.1.1:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 void
 -Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
 +Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok)
 {
     do {
 +        auto tok = callerTok;
 +
         ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size
         if (!tok.skip(';'))
@@ -145,6 +152,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &tok)
         parseOneChunkExtension(tok);
         buf_ = tok.remaining(); // got one extension
 +        callerTok = tok;
     } while (true);
 }
@@ -158,11 +166,14 @@ Http::One::ChunkExtensionValueParser::Ignore(Tokenizer &tok, const SBuf &extName
 /// Parses a single chunk-ext list element:
 /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
 void
 -Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
 +Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &callerTok)
 {
 +    auto tok = callerTok;
 +
     ParseBws(tok); // Bug 4492: ICAP servers send SP before chunk-ext-name
     const auto extName = tok.prefix("chunk-ext-name", CharacterSet::TCHAR);
 +    callerTok = tok; // in case we determine that this is a valueless chunk-ext
     ParseBws(tok);
@@ -176,6 +187,8 @@ Http::One::TeChunkedParser::parseOneChunkExtension(Tokenizer &tok)
         customExtensionValueParser->parse(tok, extName);
     else
         ChunkExtensionValueParser::Ignore(tok, extName);
 +
 +    callerTok = tok;
 }
 bool
@@ -209,7 +222,7 @@ Http::One::TeChunkedParser::parseChunkEnd(Tokenizer &tok)
     Must(theLeftBodySize == 0); // Should(), really
     try {
 -        skipLineTerminator(tok);
 +        tok.skipRequired("chunk CRLF", Http1::CrLf());
         buf_ = tok.remaining(); // parse checkpoint
         theChunkSize = 0; // done with the current chunk
         parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ;
 diff --git a/src/parser/Tokenizer.cc b/src/parser/Tokenizer.cc
 index edaffd8d3..15df793b8 100644
 --- a/src/parser/Tokenizer.cc
 +++ b/src/parser/Tokenizer.cc
@@ -147,6 +147,18 @@ Parser::Tokenizer::skipAll(const CharacterSet &tokenChars)
     return success(prefixLen);
 }
 +void
 +Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip)
 +{
 +    if (skip(tokenToSkip) || tokenToSkip.isEmpty())
 +        return;
 +
 +    if (tokenToSkip.startsWith(buf_))
 +        throw InsufficientInput();
 +
 +    throw TextException(ToSBuf("cannot skip ", description), Here());
 +}
 +
 bool
 Parser::Tokenizer::skipOne(const CharacterSet &chars)
 {
 diff --git a/src/parser/Tokenizer.h b/src/parser/Tokenizer.h
 index 7bae1ccbb..3cfa7dd6c 100644
 --- a/src/parser/Tokenizer.h
 +++ b/src/parser/Tokenizer.h
@@ -115,6 +115,13 @@ public:
      */
     SBuf::size_type skipAll(const CharacterSet &discardables);
 +    /** skips a given character sequence (string);
 +     * does nothing if the sequence is empty
 +     *
 +     * \throws exception on mismatching prefix or InsufficientInput
 +     */
 +    void skipRequired(const char *description, const SBuf &tokenToSkip);
 +
     /** Removes a single trailing character from the set.
      *
      * \return whether a character was removed
 -- 
 2.25.1
--- a/backport-CVE-2023-46847.patch
+++ b/backport-CVE-2023-46847.patch
@ -0,0 +1,48 @@
 From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001
 From: squidadm <squidadm@users.noreply.github.com>
 Date: Wed, 18 Oct 2023 04:50:56 +1300
 Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization
 (#1517)
 The bug was discovered and detailed by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
 where it was filed as "Stack Buffer Overflow in Digest Authentication".
 ---------
 Co-authored-by: Alex Bason <nonsleepr@gmail.com>
 Co-authored-by: Amos Jeffries <yadij@users.noreply.github.com>
 Conflict:NA
 Reference:http://www.squid-cache.org/Versions/v5/SQUID-2023_3.patch
 ---
 src/auth/digest/Config.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
 index d42831a55..be9f3c433 100644
 --- a/src/auth/digest/Config.cc
 +++ b/src/auth/digest/Config.cc
@@ -844,11 +844,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
             break;
         case DIGEST_NC:
 -            if (value.size() != 8) {
 +            if (value.size() == 8) {
 +                // for historical reasons, the nc value MUST be exactly 8 bytes
 +                static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
 +                xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 +                debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
 +            } else {
                 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
 +                digest_request->nc[0] = 0;
             }
 -            xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
 -            debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
             break;
         case DIGEST_CNONCE:
 -- 
 2.25.1
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  4.9
-Release:  17
+Release:  18
 Summary:  The Squid proxy caching server
 Epoch:    7
 License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -46,6 +46,9 @@ Patch25:backport-CVE-2021-28116.patch
 Patch26:backport-CVE-2021-46784.patch
 Patch27:backport-CVE-2022-41317.patch
 Patch28:backport-CVE-2022-41318.patch
 Patch29:backport-0001-CVE-2023-46846.patch
 Patch30:backport-0002-CVE-2023-46846.patch
 Patch31:backport-CVE-2023-46847.patch
 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@ -240,6 +243,12 @@ fi
    chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
 * Tue Oct 31 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-18
 - Type:cves
 - ID:CVE-2023-46846 CVE-2023-46847
 - SUG:NA
 - DESC:fix CVE-2023-46846 CVE-2023-46847
 * Fri Nov 11 2022 xinghe <xinghe2@h-partners.com> - 7:4.9-17
 - Type:bugfix
 - ID:NA