From patchwork Thu Nov 1 19:24:24 2018
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 1979
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH] squid 3.5.28: latest patches (01-02)
Date: Thu, 1 Nov 2018 09:24:24 +0100
Message-Id: <20181101082424.22499-1-matthias.fischer@ipfire.org>
X-Mailer: git-send-email 2.18.0
List-Id: IPFire development talk

For details see: http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer
---
 lfs/squid | 2 +
 ...via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch | 72 +++++++++++++++++++
 ...ry_leak_when_parsing_SNMP_packet_313.patch | 22 ++++++
 3 files changed, 96 insertions(+)
 create mode 100644 src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
 create mode 100644 src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch

diff --git a/lfs/squid b/lfs/squid
index cae56407c..11b84d719 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch new file mode 100644 index 000000000..fadb1d48c --- /dev/null +++ b/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch 
@@ -0,0 +1,72 @@ +commit f1657a9decc820f748fa3aff68168d3145258031 +Author: Christos Tsantilas +Date: 2018-10-17 15:14:07 +0000 + + Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306) + + %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all + ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template. + + Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet). + + Thanks to Nikolas Lohmann [eBlocker] for identifying the problem. + + TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional. + + This is a Measurement Factory project. + +diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc +index b5030e3..314e998 100644 +--- a/src/ssl/ErrorDetail.cc ++++ b/src/ssl/ErrorDetail.cc +@@ -8,6 +8,8 @@ + + #include "squid.h" + #include "errorpage.h" ++#include "fatal.h" ++#include "html_quote.h" + #include "ssl/ErrorDetail.h" + + #include +@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } +@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const + static String tmpStr; ///< A temporary string buffer + tmpStr.clean(); + Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); +- if (tmpStr.size()) +- return tmpStr.termedBuf(); ++ if (tmpStr.size()) { ++ // quote to avoid possible html code 
injection through ++ // certificate subject ++ return html_quote(tmpStr.termedBuf()); ++ } + } + return "[Not available]"; + } +@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const + { + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer +- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) +- return tmpBuffer; ++ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { ++ // quote to avoid possible html code injection through ++ // certificate issuer subject ++ return html_quote(tmpBuffer); ++ } + } + return "[Not available]"; + } diff --git a/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch new file mode 100644 index 000000000..2ae034c20 --- /dev/null +++ b/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch @@ -0,0 +1,22 @@ +commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5) +Author: flozilla +Date: 2018-10-24 14:12:01 +0200 + + Fix memory leak when parsing SNMP packet (#313) + + SNMP queries denied by snmp_access rules and queries with certain + unsupported SNMPv2 commands were leaking a few hundred bytes each. Such + queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log. + +diff --git a/src/snmp_core.cc b/src/snmp_core.cc +index c4d21c1..16c2993 100644 +--- a/src/snmp_core.cc ++++ b/src/snmp_core.cc +@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq) + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); ++ snmp_free_pdu(PDU); + } + xfree(Community); +
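Review bot: in the lfs/squid hunk, the two new patches are applied with -Np1 while the existing max-file-descriptors patch keeps -Np0; that is the right strip level, since both new patch files carry a/ and b/ path prefixes (`--- a/src/ssl/ErrorDetail.cc`, `+++ b/src/snmp_core.cc`), but the hunk itself gives no hint of what the patches fix. A one-line comment above each `patch -Np1` line naming the upstream issue (#306, HTML injection in ERR_SECURE_CONNECT_FAIL; #313, SNMP PDU leak) would spare the next maintainer from opening the patch files to find out.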
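Review bot: the include hunk in src/ssl/ErrorDetail.cc adds `#include "fatal.h"` next to `#include "html_quote.h"`, but none of the three functions changed by this patch call anything from fatal.h; only `html_quote()` is used. Unless another part of the file needs it, drop the fatal.h include so the patch stays minimal.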
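Review bot: in the subject() hunk, the function now returns the result of `html_quote(tmpBuffer)` rather than tmpBuffer itself, so the returned string is no longer bounded by the 256-byte static buffer (each `<` becomes `&lt;`, so quoted output can exceed the input length). That is only safe if html_quote() manages its own storage; a comment saying so would help, because a reader seeing `static char tmpBuffer[256]` directly above the return may assume the result lives there. The truncation by X509_NAME_oneline() at sizeof(tmpBuffer) is unchanged and still happens before quoting.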
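Review bot: the comment added in the cn() hunk reads "certificate subject", copied from subject(), but the value quoted here is the common name collected by matchX509CommonNames(); change it to say common name so the three near-identical blocks are distinguishable. The `if (...) { /* quote */ return html_quote(...); }` pattern now appears in subject(), cn() and ca_name(); a small helper that quotes and returns would remove the triplication.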
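Review bot: with the ca_name() hunk, all three accessors now HTML-escape unconditionally, which the commit message's TODO acknowledges; until that escaping is made conditional, any caller that logs or compares these values outside the HTML error page (the TODO mentions ACL checks) will see entity-encoded text such as `&amp;` for `&`. A short note at the accessor declarations in ssl/ErrorDetail.h that the returned strings are HTML-escaped would prevent such misuse.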
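Review bot: in the snmp_core.cc hunk, `snmp_free_pdu(PDU)` is added only on the DENIED branch; the allowed branch hands rq to snmpConstructReponse(rq), so this fix is complete only if that function (or its caller) already frees the PDU on the success path, which is not visible here and should be confirmed. The commit message also says queries with certain unsupported SNMPv2 commands leaked, but the shown hunk covers only the snmp_access denial path; confirm those commands reach this else branch too, or they still leak. Leaving the pre-existing misspelling snmpConstructReponse untouched is right for a minimal backport.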