commit: ddbd920e9c116b227a00a797b4f5c791be9b843f Author: Hank Leininger <hlein <AT> korelogic <DOT> com> AuthorDate: Wed Nov 5 20:40:22 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Nov 5 23:56:14 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddbd920e
net-proxy/squid: security fixes One is available from upstream; for the other, use Debian's backport. Signed-off-by: Hank Leininger <hlein <AT> korelogic.com> Bug: https://bugs.gentoo.org/965708 Part-of: https://github.com/gentoo/gentoo/pull/44502 Closes: https://github.com/gentoo/gentoo/pull/44502 Signed-off-by: Sam James <sam <AT> gentoo.org> .../squid-6.14-cachemgr-dont_show_hostname.patch | 17 + .../squid/files/squid-6.14-proxy_auth_data.patch | 187 +++++++++ net-proxy/squid/squid-6.14-r1.ebuild | 421 +++++++++++++++++++++ 3 files changed, 625 insertions(+) diff --git a/net-proxy/squid/files/squid-6.14-cachemgr-dont_show_hostname.patch b/net-proxy/squid/files/squid-6.14-cachemgr-dont_show_hostname.patch new file mode 100644 index 000000000000..315208646474 --- /dev/null +++ b/net-proxy/squid/files/squid-6.14-cachemgr-dont_show_hostname.patch @@ -0,0 +1,17 @@ +https://github.com/squid-cache/squid/commit/d94dbed6c700faeded8c4175f2a8d0f71c15755b.patch +From d94dbed6c700faeded8c4175f2a8d0f71c15755b Mon Sep 17 00:00:00 2001 +From: Amos Jeffries <[email protected]> +Date: Wed, 5 Nov 2025 10:23:34 +1300 +Subject: [PATCH] Do not show arbitrary hostname in cachemgr.cgi output + +--- a/tools/cachemgr.cc ++++ b/tools/cachemgr.cc +@@ -819,7 +819,7 @@ process_request(cachemgr_request * req) + } + + if (!check_target_acl(req->hostname, req->port)) { +- snprintf(buf, sizeof(buf), "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port); ++ snprintf(buf, sizeof(buf), "target host not allowed in cachemgr.conf\n"); + error_html(buf); + return 1; + } diff --git a/net-proxy/squid/files/squid-6.14-proxy_auth_data.patch b/net-proxy/squid/files/squid-6.14-proxy_auth_data.patch new file mode 100644 index 000000000000..fa0aaef12e43 --- /dev/null +++ b/net-proxy/squid/files/squid-6.14-proxy_auth_data.patch @@ -0,0 +1,187 @@ +https://sources.debian.org/patches/squid/6.13-2+deb13u1/CVE-2025-62168.patch/ +From: Amos Jeffries <[email protected]> +Date: Sat, 11 Oct 2025 16:33:02 +1300 +Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249) + +Original changes to redact credentials from error page %R code +expansion output was incomplete. It missed the parse failure +case where ErrorState::request_hdrs raw buffer contained +sensitive information. + +Also missed was the %W case where full request message headers +were generated in a mailto link. This case is especially +problematic as it may be delivered over insecure SMTP even if +the error was secured with HTTPS. + +After this change: +* The HttpRequest message packing code for error pages is de-duplicated + and elides authentication headers for both %R and %W code outputs. +* The %R code output includes the CRLF request message terminator. +* The email_err_data directive causing advanced details to be added to + %W mailto links is disabled by default. + +Also redact credentials from generated TRACE responses. + +--------- + +Co-authored-by: Alex Rousskov <[email protected]> + +origin: backport, https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f +bug: https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr +debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118341 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) + + /* packs request-line and headers, appends <crlf> terminator */ + void +-HttpRequest::pack(Packable * p) const ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const + { + assert(p); + /* pack request-line */ +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const + SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), + http_ver.major, http_ver.minor); + /* headers */ +- header.packInto(p); +- /* trailer */ ++ header.packInto(p, maskSensitiveInfo); ++ /* indicate the end of the header section */ + p->append("\r\n", 2); + } + +--- a/src/HttpRequest.h ++++ b/src/HttpRequest.h +@@ -206,7 +206,7 @@ public: + + void swapOut(StoreEntry * e); + +- void pack(Packable * p) const; ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; + + static void httpRequestPack(void *obj, Packable *p); + +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -8944,12 +8944,18 @@ NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData +-DEFAULT: on ++DEFAULT: off + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is <A HREF="mailto:%w%W";>%w</A> ++ ++ SECURITY WARNING: ++ Request headers and other included facts may contain ++ sensitive information about transaction history, the ++ Squid instance, and its environment which would be ++ unavailable to error recipients otherwise. + DOC_END + + NAME: deny_info +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : + void + clientReplyContext::setReplyToError( + err_type err, Http::StatusCode status, char const *uri, +- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest, ++ const ConnStateData *conn, HttpRequest *failedrequest, const char *, + #if USE_AUTH + Auth::UserRequest::Pointer auth_user_request + #else +@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError( + { + auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al); + +- if (unparsedrequest) +- errstate->request_hdrs = xstrdup(unparsedrequest); +- + #if USE_AUTH + errstate->auth_user_request = auth_user_request; + #endif +@@ -995,11 +992,14 @@ clientReplyContext::traceReply() + triggerInitialStoreRead(); + http->storeEntry()->releaseRequest(); + http->storeEntry()->buffer(); ++ MemBuf content; ++ content.init(); ++ http->request->pack(&content, true /* hide authorization data */); + const HttpReplyPointer rep(new HttpReply); +- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime); ++ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime); ++ rep->body.set(SBuf(content.buf, content.size)); + http->storeEntry()->replaceHttpReply(rep); +- http->request->swapOut(http->storeEntry()); +- http->storeEntry()->complete(); ++ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response"); + } + + #define SENDING_BODY 0 +--- a/src/errorpage.cc ++++ b/src/errorpage.cc +@@ -792,7 +792,6 @@ ErrorState::~ErrorState() + { + safe_free(redirect_url); + safe_free(url); +- safe_free(request_hdrs); + wordlistDestroy(&ftp.server_msg); + safe_free(ftp.request); + safe_free(ftp.reply); +@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb) + SQUIDSBUFPRINT(request->url.path()), + AnyP::ProtocolType_str[request->http_ver.protocol], + request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&str); ++ request->header.packInto(&str, true /* hide authorization data */); + } + + str.append("\r\n", 2); +@@ -1112,18 +1111,10 @@ ErrorState::compileLegacyCode(Build &build) + p = "[no request]"; + break; + } +- if (request) { +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&mb, true); //hide authorization data +- } else if (request_hdrs) { +- p = request_hdrs; +- } else { ++ else if (request) ++ request->pack(&mb, true /* hide authorization data */); ++ else + p = "[no request]"; +- } + break; + + case 's': +--- a/src/errorpage.h ++++ b/src/errorpage.h +@@ -194,7 +194,6 @@ public: + MemBuf *listing = nullptr; + } ftp; + +- char *request_hdrs = nullptr; + char *err_msg = nullptr; /* Preformatted error message from the cache */ + + AccessLogEntryPointer ale; ///< transaction details (or nil) +--- a/src/tests/stub_HttpRequest.cc ++++ b/src/tests/stub_HttpRequest.cc +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) + int HttpRequest::prefixLen() const STUB_RETVAL(0) + void HttpRequest::swapOut(StoreEntry *) STUB +-void HttpRequest::pack(Packable *) const STUB ++void HttpRequest::pack(Packable *, bool) const STUB + void HttpRequest::httpRequestPack(void *, Packable *) STUB + HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) + HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff --git a/net-proxy/squid/squid-6.14-r1.ebuild b/net-proxy/squid/squid-6.14-r1.ebuild new file mode 100644 index 000000000000..94561fe7c5e5 --- /dev/null +++ b/net-proxy/squid/squid-6.14-r1.ebuild @@ -0,0 +1,421 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/squid.gpg +inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs verify-sig + +DESCRIPTION="Full-featured web proxy cache" +HOMEPAGE="https://www.squid-cache.org/"; + +MY_PV_MAJOR=$(ver_cut 1) +MY_PV_MINOR=$(ver_cut 2) +# Upstream patch ID for the most recent bug-fixed update to the formal release. +#r=-20181117-r0022167 +r= +if [[ -z ${r} ]]; then + SRC_URI=" + https://github.com/squid-cache/squid/releases/download/SQUID_${MY_PV_MAJOR}_${MY_PV_MINOR}/${P}.tar.xz + https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch + verify-sig? ( https://github.com/squid-cache/squid/releases/download/SQUID_${MY_PV_MAJOR}_${MY_PV_MINOR}/${P}.tar.xz.asc ) + " +else + SRC_URI=" + http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2 + https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch + " + S="${S}${r}" +fi + +LICENSE="GPL-2+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap" +IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp valgrind +wccp +wccpv2" +RESTRICT="!test? ( test )" +REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )" + +DEPEND=" + acct-group/squid + acct-user/squid + dev-libs/libltdl + sys-libs/tdb + virtual/libcrypt:= + caps? ( >=sys-libs/libcap-2.16 ) + ecap? ( net-libs/libecap:1 ) + esi? ( + dev-libs/expat + dev-libs/libxml2:= + ) + ldap? ( net-nds/openldap:= ) + gnutls? ( >=net-libs/gnutls-3.1.5:= ) + logrotate? ( app-admin/logrotate ) + nis? ( + net-libs/libtirpc:= + net-libs/libnsl:= + ) + kerberos? ( virtual/krb5 ) + pam? ( sys-libs/pam ) + qos? ( net-libs/libnetfilter_conntrack ) + ssl? ( + dev-libs/nettle:= + !gnutls? ( + dev-libs/openssl:= + ) + ) + sasl? ( dev-libs/cyrus-sasl ) + systemd? ( sys-apps/systemd:= ) +" +RDEPEND=" + ${DEPEND} + mysql? ( dev-perl/DBD-mysql ) + postgres? ( dev-perl/DBD-Pg ) + perl? ( dev-lang/perl ) + samba? ( net-fs/samba ) + selinux? ( sec-policy/selinux-squid ) + sqlite? ( dev-perl/DBD-SQLite ) +" +DEPEND+=" valgrind? ( dev-debug/valgrind )" +BDEPEND=" + dev-lang/perl + ecap? ( virtual/pkgconfig ) + test? ( dev-util/cppunit ) + verify-sig? ( sec-keys/openpgp-keys-squid ) +" + +PATCHES=( + "${FILESDIR}"/${PN}-6.2-gentoo.patch + "${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch + "${DISTDIR}"/${PN}-6.9-memleak_fix.patch + "${FILESDIR}"/${PN}-6.12-ar.patch + "${FILESDIR}"/${PN}-6.14-proxy_auth_data.patch + "${FILESDIR}"/${PN}-6.14-cachemgr-dont_show_hostname.patch +) + +pkg_pretend() { + if use tproxy; then + local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY" + linux-info_pkg_setup + fi +} + +src_unpack() { + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${P}.tar.xz{,.asc} + fi + + default +} + +src_prepare() { + default + + # Fixup various paths + sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \ + INSTALL QUICKSTART \ + scripts/fileno-to-pathname.pl \ + scripts/check_cache.pl \ + tools/cachemgr.cgi.8 \ + tools/purge/conffile.hh \ + tools/purge/purge.1 || die + sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \ + INSTALL QUICKSTART || die + sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \ + QUICKSTART || die + sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \ + QUICKSTART \ + src/log/access_log.cc || die + sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \ + src/log/access_log.cc || die + sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \ + src/acl/external/unix_group/ext_unix_group_acl.8 \ + src/acl/external/session/ext_session_acl.8 || die + sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \ + scripts/check_cache.pl || die + # /var/run/squid to /run/squid + sed -i -e 's:$(localstatedir)::' \ + src/ipc/Makefile.am || die + sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die + + sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \ + libltdl/configure.ac || die + + # https://bugs.gentoo.org/956509 + AT_NO_RECURSIVE="yes" eautoreconf +} + +src_configure() { + # Workaround for bug #921688 + append-cxxflags -std=gnu++17 + + local myeconfargs=( + --cache-file="${S}"/config.cache + + --datadir=/usr/share/squid + --libexecdir=/usr/libexec/squid + --localstatedir=/var + --sysconfdir=/etc/squid + --with-default-user=squid + --with-logdir=/var/log/squid + --with-pidfile=/run/squid.pid + + --enable-build-info="Gentoo ${PF} (r: ${r:-NONE})" + --enable-log-daemon-helpers + --enable-url-rewrite-helpers + --enable-cache-digests + --enable-delay-pools + --enable-disk-io + --enable-eui + --enable-icmp + --enable-ipv6 + --enable-follow-x-forwarded-for + --enable-removal-policies="lru,heap" + --disable-strict-error-checking + --disable-arch-native + + --with-large-files + --with-build-environment=default + + --with-tdb + + --without-included-ltdl + --with-ltdl-include="${ESYSROOT}"/usr/include + --with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir) + + $(use_with caps cap) + $(use_enable snmp) + $(use_with ssl openssl) + $(use_with ssl nettle) + $(use_with gnutls) + $(use_with ldap) + $(use_enable ssl-crtd) + $(use_with systemd) + $(use_with test cppunit) + $(use_enable ecap) + $(use_enable esi) + $(use_enable esi expat) + $(use_enable esi xml2) + $(use_enable htcp) + $(use_with valgrind valgrind-debug) + $(use_enable wccp) + $(use_enable wccpv2) + ) + + # Basic modules + local basic_modules=( + NCSA + POP3 + getpwnam + + $(usev samba 'SMB') + $(usev ldap 'SMB_LM LDAP') + $(usev pam 'PAM') + $(usev sasl 'SASL') + $(usev nis 'NIS') + $(usev radius 'RADIUS') + ) + + use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc" + + if use mysql || use postgres || use sqlite; then + basic_modules+=( DB ) + fi + + # Digests + local digest_modules=( + file + + $(usev ldap 'LDAP eDirectory') + ) + + # Kerberos + local negotiate_modules=( none ) + + myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 ) + + if use kerberos; then + # We intentionally overwrite negotiate_modules here to lose + # the 'none'. + negotiate_modules=( kerberos wrapper ) + + if has_version app-crypt/heimdal; then + myeconfargs+=( + --without-mit-krb5 + --with-heimdal-krb5 + ) + else + myeconfargs+=( + --with-mit-krb5 + --without-heimdal-krb5 + ) + fi + fi + + # NTLM modules + local ntlm_modules=( none ) + + if use samba ; then + # We intentionally overwrite ntlm_modules here to lose + # the 'none'. + ntlm_modules=( SMB_LM ) + fi + + # External helpers + local ext_helpers=( + file_userip + session + unix_group + delayer + time_quota + + $(usev samba 'wbinfo_group') + $(usev ldap 'LDAP_group eDirectory_userip') + ) + + use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group ) + if use mysql || use postgres || use sqlite; then + ext_helpers+=( SQL_session ) + fi + + # Storage modules + local storeio_modules=( + aufs + diskd + rock + ufs + ) + + # + local transparent + if use kernel_linux; then + myeconfargs+=( + --enable-linux-netfilter + $(usev qos '--enable-zph-qos --with-netfilter-conntrack') + ) + fi + + tc-export_build_env BUILD_CXX + export BUILDCXX="${BUILD_CXX}" + export BUILDCXXFLAGS="${BUILD_CXXFLAGS}" + tc-export CC AR + + # Should be able to drop this workaround with newer versions. + # https://bugs.squid-cache.org/show_bug.cgi?id=4224 + tc-is-cross-compiler && export squid_cv_gnu_atomics=no + + # Bug #719662 + append-atomic-flags + + print_options_without_comma() { + # IFS as ',' will cut off any trailing commas + ( + IFS=',' + options=( $(printf "%s," "${@}") ) + echo "${options[*]}" + ) + } + + myeconfargs+=( + --enable-storeio=$(print_options_without_comma "${storeio_modules[@]}") + --enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}") + --enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}") + --enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}") + --enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}") + --enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}") + ) + + econf "${myeconfargs[@]}" +} + +src_test() { + default + + # Suppress QA warning (bug #877729) for no tests executed + # for some subsuites. The layout is odd and there's a bunch + # of useless/stub directories which confuses it. + find "${S}" -iname test-suite.log -delete || die +} + +src_install() { + default + + systemd_dounit tools/systemd/squid.service + + # Need suid root for looking into /etc/shadow + fowners root:squid /usr/libexec/squid/basic_ncsa_auth + fperms 4750 /usr/libexec/squid/basic_ncsa_auth + + if use pam; then + fowners root:squid /usr/libexec/squid/basic_pam_auth + fperms 4750 /usr/libexec/squid/basic_pam_auth + fi + + # Pinger needs suid as well + fowners root:squid /usr/libexec/squid/pinger + fperms 4750 /usr/libexec/squid/pinger + + # These scripts depend on perl + if ! use perl; then + local perl_scripts=( + basic_pop3_auth ext_delayer_acl helper-mux + log_db_daemon security_fake_certverify + storeid_file_rewrite url_lfs_rewrite + ) + + local script + for script in "${perl_scripts[@]}"; do + rm "${ED}"/usr/libexec/squid/${script} || die + done + fi + + # Cleanup + rm -r "${D}"/run "${D}"/var/cache || die + + dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt + newdoc src/auth/negotiate/kerberos/README README.kerberos + newdoc src/auth/basic/RADIUS/README README.RADIUS + newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group + dodoc RELEASENOTES.html + + if use pam; then + newpamd "${FILESDIR}"/squid.pam squid + fi + + newconfd "${FILESDIR}"/squid.confd-r2 squid + newinitd "${FILESDIR}"/squid.initd-r7 squid + + if use logrotate ; then + insinto /etc/logrotate.d + newins "${FILESDIR}"/squid.logrotate-r1 squid + else + exeinto /etc/cron.weekly + newexe "${FILESDIR}"/squid.cron-r1 squid.cron + fi + + diropts -m0750 -o squid -g squid + keepdir /var/log/squid /etc/ssl/squid /var/lib/squid + + # Hack for bug #834503 (see also bug #664940) + # Please keep this for a few years until it's no longer plausible + # someone is upgrading from < squid 5.7. + mv "${ED}"/usr/share/squid/errors{,.new} || die +} + +pkg_preinst() { + # Remove file in EROOT that the directory collides with. + rm -rf "${EROOT}"/usr/share/squid/errors || die + + # Following the collision protection check, reverse + # src_install's rename in ED. + mv "${ED}"/usr/share/squid/errors{.new,} || die +} + +pkg_postinst() { + elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'." + + if [[ ${#r} -gt 0 ]]; then + elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support." + fi +}
