Hi, On Wed, Aug 10, 2016 at 02:27:19AM +1200, Amos Jeffries wrote: > I think this bug is probably the same authentication issue that resulted > in this upstream patch: > <www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13930.patch> > > It is technically not part of the CVE fix, but is needed to let certain > auth configurations continue working once the fix is in place.
Attached is a proposed debdiff for this, against the version in jessie. Proposed builds are at https://people.debian.org/~carnil/tmp/squid3/ — do you have a chance to test those? Regards, Salvatore
diff -Nru squid3-3.4.8/debian/changelog squid3-3.4.8/debian/changelog
--- squid3-3.4.8/debian/changelog 2016-07-21 11:27:34.000000000 +0200
+++ squid3-3.4.8/debian/changelog 2016-08-09 17:02:32.000000000 +0200
@@ -1,3 +1,11 @@
+squid3 (3.4.8-6+deb8u4) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cache_peer login=PASS(THRU) after CVE-2015-5400.
+ Thanks to Amos Jeffries <squ...@treenet.co.nz> (Closes: #819563)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 09 Aug 2016 17:02:32 +0200
+
 squid3 (3.4.8-6+deb8u3) jessie-security; urgency=high * Non-maintainer upload.
diff -Nru squid3-3.4.8/debian/patches/43_Fix-CVE-2015-5400-regression.patch squid3-3.4.8/debian/patches/43_Fix-CVE-2015-5400-regression.patch
--- squid3-3.4.8/debian/patches/43_Fix-CVE-2015-5400-regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ squid3-3.4.8/debian/patches/43_Fix-CVE-2015-5400-regression.patch 2016-08-09 17:02:32.000000000 +0200
@@ -0,0 +1,118 @@
+------------------------------------------------------------
+revno: 13930
+revision-id: squ...@treenet.co.nz-20150927082859-7za4czz7cpqry16n
+parent: squ...@treenet.co.nz-20150927081853-u23ejmocr3694zyd
+committer: Amos Jeffries <squ...@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2015-09-27 01:28:59 -0700
+message:
+ Fix cache_peer login=PASS(THRU) after CVE-2015-5400
+
+ The patch for CVE-2015-5400 converts all non-200 peer responses
+ into 502 Bad Gateway responses when relaying a CONNECT to a peer.
+
+ This happens to break login=PASS and login=PASSTHRU behaviour
+ which relies on the 401 and 407 status being relayed transparently.
+
+ We need to relay the auth server responses as-is when login= is
+ set to PASS or PASSTHRU but then unconditionally close the
+ connections to prevent CVE-2015-5400 from occuring.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squ...@treenet.co.nz-20150927082859-7za4czz7cpqry16n
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 57d2ad15fd181cd054567c3028663f0f9eb07197
+# timestamp: 2015-09-27 08:51:01 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squ...@treenet.co.nz-20150927081853-\
+# u23ejmocr3694zyd
+#
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- a/src/tunnel.cc
++++ b/src/tunnel.cc
+@@ -124,7 +124,7 @@ public:
+
+ /// Sends "502 Bad Gateway" error response to the client,
+ /// if it is waiting for Squid CONNECT response, closing connections.
+- void informUserOfPeerError(const char *errMsg);
++ void informUserOfPeerError(const char *errMsg, size_t);
+
+ class Connection
+ {
+@@ -351,20 +351,33 @@ TunnelStateData::readConnectResponseDone
+ }
+
+ void
+-TunnelStateData::informUserOfPeerError(const char *errMsg)
++TunnelStateData::informUserOfPeerError(const char *errMsg, const size_t sz)
+ {
+ server.len = 0;
++
+ if (!clientExpectsConnectResponse()) {
+ // closing the connection is the best we can do here
+ debugs(50, 3, server.conn << " closing on error: " << errMsg);
+ server.conn->close();
+ return;
+ }
+- ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw());
+- err->callback = tunnelErrorComplete;
+- err->callback_data = this;
+- *status_ptr = Http::scBadGateway;
+- errorSend(http->getConn()->clientConnection, err);
++
++ // if we have no reply suitable to relay, use 502 Bad Gateway
++ if (!sz || sz > static_cast<size_t>(connectRespBuf->contentSize())) {
++ ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw());
++ *status_ptr = Http::scBadGateway;
++ err->callback = tunnelErrorComplete;
++ err->callback_data = this;
++ errorSend(http->getConn()->clientConnection, err);
++ return;
++ }
++
++ // if we need to send back the server response.
write its headers to the client
++ server.len = sz;
++ memcpy(server.buf, connectRespBuf->content(), server.len);
++ copy(server.len, server, client, TunnelStateData::WriteClientDone);
++ // then close the server FD to prevent any relayed keep-alive causing CVE-2015-5400
++ server.closeIfOpen();
+ }
+
+ /* Read from client side and queue it for writing to the server */
+@@ -398,7 +411,7 @@ TunnelStateData::handleConnectResponse(c
+ const bool parsed = rep.parse(connectRespBuf, eof, &parseErr);
+ if (!parsed) {
+ if (parseErr > 0) { // unrecoverable parsing error
+- informUserOfPeerError("malformed CONNECT response from peer");
++ informUserOfPeerError("malformed CONNECT response from peer", 0);
+ return;
+ }
+
+@@ -407,7 +420,7 @@ TunnelStateData::handleConnectResponse(c
+ assert(!parseErr);
+
+ if (!connectRespBuf->hasSpace()) {
+- informUserOfPeerError("huge CONNECT response from peer");
++ informUserOfPeerError("huge CONNECT response from peer", 0);
+ return;
+ }
+
+@@ -419,10 +432,16 @@ TunnelStateData::handleConnectResponse(c
+ // CONNECT response was successfully parsed
+ *status_ptr = rep.sline.status();
+
++ // we need to relay the 401/407 responses when login=PASS(THRU)
++ const char *pwd = server.conn->getPeer()->login;
++ const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) &&
++ (*status_ptr == Http::scProxyAuthenticationRequired ||
++ *status_ptr == Http::scUnauthorized);
++
+ // bail if we did not get an HTTP 200 (Connection Established) response
+ if (rep.sline.status() != Http::scOkay) {
+ // if we ever decide to reuse the peer connection, we must extract the error response first
+- informUserOfPeerError("unsupported CONNECT response status code");
++ informUserOfPeerError("unsupported CONNECT response status code", (relay ?
rep.hdr_sz : 0));
+ return;
+ }
+
diff -Nru squid3-3.4.8/debian/patches/series squid3-3.4.8/debian/patches/series
--- squid3-3.4.8/debian/patches/series 2016-07-21 11:27:34.000000000 +0200
+++ squid3-3.4.8/debian/patches/series 2016-08-09 17:02:32.000000000 +0200
@@ -17,3 +17,4 @@
 41-squid-3.4-13236-CVE-2016-4554.patch
 41-squid-3.4-13239-CVE-2016-4554.patch
 42-SQUID-2016_9-CVE-2016-4555-CVE-2016-4556.patch
+43_Fix-CVE-2015-5400-regression.patch
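Review bot: The relay condition introduced by the vendored upstream patch in the `@@ -419,10 +432,16 @@` hunk, `const bool relay = pwd && (strcmp(pwd, "PASS") != 0 || strcmp(pwd, "PASSTHRU") != 0) &&`, is true for every non-null `pwd`, since no string compares equal to both literals; as written, a 401/407 from the peer is relayed verbatim to the client under any configured login= value, not only PASS/PASSTHRU, which contradicts the comment directly above it and the commit message, and re-widens the set of configurations that bypass the 502 conversion added for CVE-2015-5400. The intended test is `const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) &&`. Separately, in the rewritten `informUserOfPeerError` body the only upper bound on `sz` before `memcpy(server.buf, connectRespBuf->content(), server.len)` is `connectRespBuf->contentSize()`; nothing in this diff shows that `server.buf` is at least that large, so confirm the two buffers' capacities match or also reject an `sz` that exceeds the capacity of `server.buf`. Both `informUserOfPeerError` and `handleConnectResponse` begin and end outside the quoted hunks.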