Hello Andreas,

On 07.08.20 at 10:40, Andreas Schulz wrote:
[...]
> now everything compiles but I still have ICAP-errors. Just to be sure
> that I did everything correctly:
>
> - apt source squid3
> - quilt pop -a
> - replaced the package patch with yours
> - quilt push -a
> - built packages and installed them

You did nothing wrong, but you could add a new changelog entry with a new version number and then run dpkg-source -b to create a new source package. After that you can easily compare the old source package with the new one by running

    debdiff old.dsc new.dsc > my.debdiff

which highlights all the changes and also ensures the patch got applied correctly.

In short, I have corrected the remaining error and I will upload a new version today. The new package should be available on all mirrors within 24 hours.

For future reference: The icap exception is triggered by two asserts (Must macros in squid terminology), the one in src/adaptation/icap/OptXact.cc line 70 and the one in src/adaptation/icap/ModXact.cc line 1473. In order to fix CVE-2019-12523 the idea also was to better check for supported protocols. However, the urlParse function in 3.x and the corresponding AnyP::Uri::parse function in 4.x are declared differently. While urlParse is of type HttpRequest, AnyP::Uri::parse is of type boolean. The latter function simply returns false if an invalid scheme is found, but for the older urlParse function NULL has to be returned. Since icap is not listed in urlParseProtocol, PROTO_NONE is returned, which in turn triggers NULL. The corresponding FindProtocolType function in 4.x would return PROTO_UNKNOWN instead and only PROTO_NONE when the scheme is empty.

I don't know why icap and ecap are not explicitly defined as known protocols in 3.x and 4.x. In order to keep the changes minimal I have simply added icap, icaps, ecap and ecaps as known protocols now. Thanks to Nico Rogowski for pointing me in the right direction.

The new update will also include an improved patch for CVE-2019-12529.

Regards,

Markus
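The scheme-lookup behaviour described in the message above, as an added example that is not part of the original e-mail and is not Squid source code. It is a simplified model: the `Proto` values stand in for PROTO_NONE, a listed scheme and PROTO_UNKNOWN, and every function name, the scheme lists and the sample URI are hypothetical or constructed. It also assumes the failing check is a non-null test on the parser's result.

```cpp
#include <memory>
#include <set>
#include <string>

// Simplified model of the behaviour described in the message; not Squid code.
enum class Proto { None, Known, Unknown };  // PROTO_NONE / listed scheme / PROTO_UNKNOWN
using Schemes = std::set<std::string>;

struct Request { std::string scheme, rest; };

// 3.x-style lookup: every scheme that is not listed collapses to None.
Proto lookup3x(const std::string &s, const Schemes &known) {
    return known.count(s) ? Proto::Known : Proto::None;
}

// 4.x-style lookup: None only for an empty scheme, Unknown for an unlisted one.
Proto lookup4x(const std::string &s, const Schemes &known) {
    if (s.empty()) return Proto::None;
    return known.count(s) ? Proto::Known : Proto::Unknown;
}

// 3.x-style parser: returns a request object, or null when the scheme is rejected.
std::unique_ptr<Request> parse3x(const std::string &url, const Schemes &known) {
    const std::string::size_type sep = url.find("://");
    const std::string scheme = (sep == std::string::npos) ? "" : url.substr(0, sep);
    if (lookup3x(scheme, known) == Proto::None)
        return nullptr;  // the stricter scheme check rejects the URL here
    return std::unique_ptr<Request>(new Request{scheme, url.substr(sep + 3)});
}

// Caller modelled on an assert-style check: a null result means the
// adaptation transaction cannot proceed (the real check would throw).
bool icapServiceUriAccepted(const std::string &uri, const Schemes &known) {
    return parse3x(uri, known) != nullptr;
}

// Constructed scheme lists: before and after listing the adaptation schemes.
const Schemes kBefore = {"http", "https", "ftp"};
const Schemes kAfter = {"http", "https", "ftp", "icap", "icaps", "ecap", "ecaps"};

int main() {
    const std::string uri = "icap://127.0.0.1:1344/reqmod";  // constructed sample
    // Exit status 0 when the URI is rejected before and accepted after.
    return (!icapServiceUriAccepted(uri, kBefore) &&
            icapServiceUriAccepted(uri, kAfter)) ? 0 : 1;
}
```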