packages/squid
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-50269

Browse Source 
(cherry picked from commit dec0999f972a9a1e12e05e260c3070e456d441db)
This commit is contained in:
xh 2023-12-15 17:16:33 +08:00 committed by openeuler-sync-bot
parent bd8abbdd2f
commit ced15abdd1
2 changed files with 87 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
backport-CVE-2023-50269.patch Normal file
View File

@ -0,0 +1,79 @@
commit 9f7136105bff920413042a8806cc5de3f6086d6d
Author: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
Date: Tue Nov 28 07:35:46 2023 +0000
Limit the number of allowed X-Forwarded-For hops (#1589)
Squid will ignore all X-Forwarded-For elements listed after the first 64
addresses allowed by the follow_x_forwarded_for directive. A different
limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
macro, but that macro is not a supported Squid configuration interface
and may change or disappear at any time.
Squid will log a cache.log ERROR if the hop limit has been reached.
This change works around problematic ACLChecklist and/or slow ACLs
implementation that results in immediate nonBlockingCheck() callbacks.
Such callbacks have caused many bugs and development complications. In
clientFollowXForwardedForCheck() context, they lead to indirect
recursion that was bound only by the number of allowed XFF entries,
which could reach thousands and exhaust Squid process call stack.
This recursion bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
where it was filed as "X-Forwarded-For Stack Overflow".
Conflict: src/client_side_request.cc context adapt
Reference: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
index f5316f9cf6..8651d101ae 100644
--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
@@ -80,6 +80,10 @@ public:
#endif
ErrorState *error; ///< saved error page for centralized/delayed processing
bool readNextRequest; ///< whether Squid should read after error handling
+
+#if FOLLOW_X_FORWARDED_FOR
+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
+#endif
};
#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 2f49ca1495..890357835a 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -81,6 +81,11 @@
static const char *const crlf = "\r\n";
#if FOLLOW_X_FORWARDED_FOR
+
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
+#endif
+
static void clientFollowXForwardedForCheck(allow_t answer, void *data);
#endif /* FOLLOW_X_FORWARDED_FOR */
@@ -486,8 +491,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
/* override the default src_addr tested if we have to go deeper than one level into XFF */
Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
}
- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
- return;
+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+ return;
+ }
+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
+ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
+ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
+ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
+ // fall through to resume clientAccessCheck() processing
}
}
--

9
squid.spec
View File

@ -2,7 +2,7 @@
Name: squid Name: squid
Version: 4.9 Version: 4.9
Release: 21 Release: 22
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -53,6 +53,7 @@ Patch32:backport-CVE-2023-46724.patch
Patch33:backport-CVE-2023-46728.patch Patch33:backport-CVE-2023-46728.patch
Patch34:backport-CVE-2023-49285.patch Patch34:backport-CVE-2023-49285.patch
Patch35:backport-CVE-2023-49286.patch Patch35:backport-CVE-2023-49286.patch
Patch36:backport-CVE-2023-50269.patch
Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
Requires: bash >= 2.0 Requires: bash >= 2.0
@ -247,6 +248,12 @@ fi
chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
%changelog %changelog
* Fri Dec 15 2023 xinghe <xinghe2@h-partners.com> - 7:4.9-22
- Type:cves
- ID:CVE-2023-50269
- SUG:NA
- DESC:fix CVE-2023-50269
* Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-21 * Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-21
- Type:cves - Type:cves
- ID:CVE-2023-49285 CVE-2023-49286 - ID:CVE-2023-49285 CVE-2023-49286