7 changed files with 1 additions and 2514 deletions
--- a/backport-CVE-2023-46728.patch
+++ b/backport-CVE-2023-46728.patch
--- a/backport-CVE-2023-49285.patch
+++ b/backport-CVE-2023-49285.patch
@ -1,34 +0,0 @@
 From 77b3fb4df0f126784d5fd4967c28ed40eb8d521b Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Wed, 25 Oct 2023 19:41:45 +0000
 Subject: [PATCH] RFC 1123: Fix date parsing (#1538)
 The bug was discovered and detailed by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/datetime-overflow.html
 where it was filed as "1-Byte Buffer OverRead in RFC 1123 date/time
 Handling".
 Conflict:NA
 Reference:https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b
 ---
 lib/rfc1123.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/lib/rfc1123.c b/lib/rfc1123.c
 index e5bf9a4d705..cb484cc002b 100644
 --- a/lib/rfc1123.c
 +++ b/lib/rfc1123.c
@@ -50,7 +50,13 @@ make_month(const char *s)
     char month[3];
     month[0] = xtoupper(*s);
 +    if (!month[0])
 +        return -1; // protects *(s + 1) below
 +
     month[1] = xtolower(*(s + 1));
 +    if (!month[1])
 +        return -1; // protects *(s + 2) below
 +
     month[2] = xtolower(*(s + 2));
     for (i = 0; i < 12; i++)
--- a/backport-CVE-2023-49286.patch
+++ b/backport-CVE-2023-49286.patch
@ -1,84 +0,0 @@
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Fri, 27 Oct 2023 21:27:20 +0000
 Subject: [PATCH] Exit without asserting when helper process startup fails
 (#1543)
 ... to dup() after fork() and before execvp().
 Assertions are for handling program logic errors. Helper initialization
 code already handled system call errors correctly (i.e. by exiting the
 newly created helper process with an error), except for a couple of
 assert()s that could be triggered by dup(2) failures.
 This bug was discovered and detailed by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/ipc-assert.html
 where it was filed as 'Assertion in Squid "Helper" Process Creator'.
 Conflict:NA
 Reference:https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264
 ---
 src/ipc.cc | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
 diff --git a/src/ipc.cc b/src/ipc.cc
 index 40d34b475..1afc4d5cf 100644
 --- a/src/ipc.cc
 +++ b/src/ipc.cc
@@ -22,6 +22,11 @@
 #include "SquidConfig.h"
 #include "SquidIpc.h"
 #include "tools.h"
 +#include <cstdlib>
 +
 +#if HAVE_UNISTD_H
 +#include <unistd.h>
 +#endif
 static const char *hello_string = "hi there\n";
 #ifndef HELLO_BUF_SZ
@@ -362,6 +367,22 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     }
     PutEnvironment();
 +
 +    // A dup(2) wrapper that reports and exits the process on errors. The
 +    // exiting logic is only suitable for this child process context.
 +    const auto dupOrExit = [prog,name](const int oldFd) {
 +        const auto newFd = dup(oldFd);
 +        if (newFd < 0) {
 +            const auto savedErrno = errno;
 +            debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name <<
 +                   Debug::Extra << "helper (CHILD) PID: " << getpid() <<
 +                   Debug::Extra << "helper program name: " << prog <<
 +                   Debug::Extra << "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno));
 +            _exit(EXIT_FAILURE);
 +        }
 +        return newFd;
 +    };
 +
     /*
      * This double-dup stuff avoids problems when one of
      *  crfd, cwfd, or debug_log are in the rage 0-2.
@@ -369,17 +390,16 @@ ipcCreate(int type, const char *prog, const char *const args[], const char *name
     do {
         /* First make sure 0-2 is occupied by something. Gets cleaned up later */
 -        x = dup(crfd);
 -        assert(x > -1);
 -    } while (x < 3 && x > -1);
 +        x = dupOrExit(crfd);
 +    } while (x < 3);
     close(x);
 -    t1 = dup(crfd);
 +    t1 = dupOrExit(crfd);
 -    t2 = dup(cwfd);
 +    t2 = dupOrExit(cwfd);
 -    t3 = dup(fileno(debug_log));
 +    t3 = dupOrExit(fileno(debug_log));
     assert(t1 > 2 && t2 > 2 && t3 > 2);
--- a/backport-CVE-2023-50269.patch
+++ b/backport-CVE-2023-50269.patch
@ -1,79 +0,0 @@
 commit 9f7136105bff920413042a8806cc5de3f6086d6d
 Author: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
 Date:   Tue Nov 28 07:35:46 2023 +0000
    Limit the number of allowed X-Forwarded-For hops (#1589)
    Squid will ignore all X-Forwarded-For elements listed after the first 64
    addresses allowed by the follow_x_forwarded_for directive. A different
    limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
    macro, but that macro is not a supported Squid configuration interface
    and may change or disappear at any time.
    Squid will log a cache.log ERROR if the hop limit has been reached.
    This change works around problematic ACLChecklist and/or slow ACLs
    implementation that results in immediate nonBlockingCheck() callbacks.
    Such callbacks have caused many bugs and development complications. In
    clientFollowXForwardedForCheck() context, they lead to indirect
    recursion that was bound only by the number of allowed XFF entries,
    which could reach thousands and exhaust Squid process call stack.
    This recursion bug was discovered and detailed by Joshua Rogers at
    https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
    where it was filed as "X-Forwarded-For Stack Overflow".
 Conflict: src/client_side_request.cc context adapt
 Reference: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
 diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
 index f5316f9cf6..8651d101ae 100644
 --- a/src/ClientRequestContext.h
 +++ b/src/ClientRequestContext.h
@@ -80,6 +80,10 @@ public:
 #endif
     ErrorState *error; ///< saved error page for centralized/delayed processing
     bool readNextRequest; ///< whether Squid should read after error handling
 +
 +#if FOLLOW_X_FORWARDED_FOR
 +    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
 +#endif
 };
 #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
 diff --git a/src/client_side_request.cc b/src/client_side_request.cc
 index 2f49ca1495..890357835a 100644
 --- a/src/client_side_request.cc
 +++ b/src/client_side_request.cc
@@ -81,6 +81,11 @@
 static const char *const crlf = "\r\n";
 #if FOLLOW_X_FORWARDED_FOR
 +
 +#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
 +#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
 +#endif
 +
 static void clientFollowXForwardedForCheck(allow_t answer, void *data);
 #endif /* FOLLOW_X_FORWARDED_FOR */
@@ -486,8 +491,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
             }
 -            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 -            return;
 +            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
 +                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
 +                return;
 +            }
 +            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
 +            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
 +                   Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
 +                   Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
 +                   Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
 +            // fall through to resume clientAccessCheck() processing
         }
     }
 --
--- a/backport-CVE-2024-23638.patch
+++ b/backport-CVE-2024-23638.patch
@ -1,36 +0,0 @@
 From 5bede3305cabb9ac19babecf3ebaf64f43f7b53e Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Sun, 12 Nov 2023 09:33:20 +0000
 Subject: [PATCH] Do not update StoreEntry expiration after errorAppendEntry()
 (#1580)
 errorAppendEntry() is responsible for setting entry expiration times,
 which it does by calling StoreEntry::storeErrorResponse() that calls
 StoreEntry::negativeCache().
 This change was triggered by a vulnerability report by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html where
 it was filed as "Use-After-Free in Cache Manager Errors". The reported
 "use after free" vulnerability was unknowingly addressed by 2022 commit
 1fa761a that removed excessively long "reentrant" store_client calls
 responsible for the disappearance of the properly locked StoreEntry in
 this (and probably other) contexts.
 Conflict: context adapt
 Reference: https://github.com/squid-cache/squid/commit/5bede3305cabb9ac19babecf3ebaf64f43f7b53e
 ---
 src/cache_manager.cc | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/cache_manager.cc b/src/cache_manager.cc
 index b5a9cbecd33..08445a517a9 100644
 --- a/src/cache_manager.cc
 +++ b/src/cache_manager.cc
@@ -306,7 +306,6 @@ CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request,
         const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request);
         err->url = xstrdup(entry->url());
         errorAppendEntry(entry, err);
 -        entry->expires = squid_curtime;
         return;
     }
--- a/backport-CVE-2024-25617.patch
+++ b/backport-CVE-2024-25617.patch
@ -1,138 +0,0 @@
 From 72a3bbd5e431597c3fdb56d752bc56b010ba3817 Mon Sep 17 00:00:00 2001
 From: Alex Rousskov <rousskov@measurement-factory.com>
 Date: Wed, 25 Oct 2023 11:47:19 +0000
 Subject: [PATCH] Improve handling of expanding HTTP header values (#1536)
 Squid manipulations often increase HTTP header value length compared to
 the corresponding raw value received by Squid. Raw header length is
 checked against request_header_max_size and reply_header_max_size that
 default to 64KB, making the raw value safe to store in a String object
 (by default). However, when the increased length of a manipulated value
 exceeds String class limits, Squid leaks memory, asserts, or possibly
 stalls affected transactions. The long-term fix for this problem is a
 complete String elimination from Squid sources, but that takes time.
 Known manipulations may effectively concatenate headers and/or increase
 header value length by 50%. This workaround makes such known increases
 safe by essentially tripling String class limits:
    (64KB + 64KB) * 150% = 3 * 64KB
 This bug was discovered and detailed by Joshua Rogers at
 https://megamansec.github.io/Squid-Security-Audit/response-memleaks.html
 where it was filed as "Memory Leak in HTTP Response Parsing".
 Conflict: src/SquidString.h context adapt
 Reference: https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817
 ---
 src/SquidString.h | 11 ++++++++++-
 src/cache_cf.cc   | 12 ++++++++++++
 src/cf.data.pre   | 26 ++++++++++++++++----------
 src/http.cc       |  5 +++--
 4 files changed, 41 insertions(+), 13 deletions(-)
 diff --git a/src/SquidString.h b/src/SquidString.h
 index 21fdde598cb..ffb215fa5e7 100644
 --- a/src/SquidString.h
 +++ b/src/SquidString.h
@@ -140,7 +140,16 @@ class String
     size_type len_;  /* current length  */
 -    static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers
 +    /// An earlier 64KB limit was meant to protect some fixed-size buffers, but
 +    /// (a) we do not know where those buffers are (or whether they still exist)
 +    /// (b) too many String users unknowingly exceeded that limit and asserted.
 +    /// We are now using a larger limit to reduce the number of (b) cases,
 +    /// especially cases where "compact" lists of items grow 50% in size when we
 +    /// convert them to canonical form. The new limit is selected to withstand
 +    /// concatenation and ~50% expansion of two HTTP headers limited by default
 +    /// request_header_max_size and reply_header_max_size settings.
 +    static const size_type SizeMax_ = 3*64*1024 - 1;
 +
     /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_
     static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; }
 diff --git a/src/cache_cf.cc b/src/cache_cf.cc
 index 6a0d253b139..e4a296005fd 100644
 --- a/src/cache_cf.cc
 +++ b/src/cache_cf.cc
@@ -1007,6 +1007,18 @@ configDoConfigure(void)
                (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
     }
 +    // Warn about the dangers of exceeding String limits when manipulating HTTP
 +    // headers. Technically, we do not concatenate _requests_, so we could relax
 +    // their check, but we keep the two checks the same for simplicity sake.
 +    const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3;
 +    // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings
 +    if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes");
 +    if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax)
 +        debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax <<
 +               " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes");
 +
     /*
      * Disable client side request pipelining if client_persistent_connections OFF.
      * Waste of resources queueing any pipelined requests when the first will close the connection.
 diff --git a/src/cf.data.pre b/src/cf.data.pre
 index 15e09c42378..986e31499a6 100644
 --- a/src/cf.data.pre
 +++ b/src/cf.data.pre
@@ -6753,11 +6753,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxRequestHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a request.
 -	Request headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the request header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP request
 +	(including request-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to received FTP commands.
 +
 +	This limit has no direct affect on Squid memory consumption.
 +
 +	Squid does not check this limit when sending requests.
 DOC_END
 NAME: reply_header_max_size
@@ -6766,11 +6769,14 @@ TYPE: b_size_t
 DEFAULT: 64 KB
 LOC: Config.maxReplyHeaderSize
 DOC_START
 -	This specifies the maximum size for HTTP headers in a reply.
 -	Reply headers are usually relatively small (about 512 bytes).
 -	Placing a limit on the reply header size will catch certain
 -	bugs (for example with persistent connections) and possibly
 -	buffer-overflow or denial-of-service attacks.
 +	This directives limits the header size of a received HTTP response
 +	(including status-line). Increasing this limit beyond its 64 KB default
 +	exposes certain old Squid code to various denial-of-service attacks. This
 +	limit also applies to FTP command responses.
 +
 +	Squid also checks this limit when loading hit responses from disk cache.
 +
 +	Squid does not check this limit when sending responses.
 DOC_END
 NAME: request_body_max_size
 diff --git a/src/http.cc b/src/http.cc
 index f4e96aacd52..138c845c7b0 100644
 --- a/src/http.cc
 +++ b/src/http.cc
@@ -1900,8 +1900,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request,
         String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR);
 -        // if we cannot double strFwd size, then it grew past 50% of the limit
 -        if (!strFwd.canGrowBy(strFwd.size())) {
 +        // Detect unreasonably long header values. And paranoidly check String
 +        // limits: a String ought to accommodate two reasonable-length values.
 +        if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) {
             // There is probably a forwarding loop with Via detection disabled.
             // If we do nothing, String will assert on overflow soon.
             // TODO: Terminate all transactions with huge XFF?
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@
 Name:     squid
 Version:  4.9
-Release:  24
+Release:  19
 Summary:  The Squid proxy caching server
 Epoch:    7
 License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -50,12 +50,6 @@ Patch29:backport-0001-CVE-2023-46846.patch
 Patch30:backport-0002-CVE-2023-46846.patch
 Patch31:backport-CVE-2023-46847.patch
 Patch32:backport-CVE-2023-46724.patch
 Patch33:backport-CVE-2023-46728.patch
 Patch34:backport-CVE-2023-49285.patch
 Patch35:backport-CVE-2023-49286.patch
 Patch36:backport-CVE-2023-50269.patch
 Patch37:backport-CVE-2024-23638.patch
 Patch38:backport-CVE-2024-25617.patch
 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@ -250,36 +244,6 @@ fi
    chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
 * Mon Feb 19 2024 hehuazhen <hehuazhen@huawei.com> - 7:4.9-24
 - Type:cves
 - ID:CVE-2024-25617
 - SUG:NA
 - DESC:fix CVE-2024-25617
 * Thu Jan 25 2024 xinghe <xinghe2@h-partners.com> - 7:4.9-23
 - Type:cves
 - ID:CVE-2024-23638
 - SUG:NA
 - DESC:fix CVE-2024-23638
 * Fri Dec 15 2023 xinghe <xinghe2@h-partners.com> - 7:4.9-22
 - Type:cves
 - ID:CVE-2023-50269
 - SUG:NA
 - DESC:fix CVE-2023-50269
 * Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-21
 - Type:cves
 - ID:CVE-2023-49285 CVE-2023-49286
 - SUG:NA
 - DESC:fix CVE-2023-49285 CVE-2023-49286
 * Wed Nov 08 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-20
 - Type:CVE
 - ID:CVE-2023-46728
 - SUG:NA
 - DESC:fix CVE-2023-46728
 * Thu Nov 02 2023 yanglu <yanglu72@h-partners.com> - 7:4.9-19
 - Type:CVE
 - ID:CVE-2023-46724