squid: CVE-2016-10003

Source: http://www.squid-cache.org/
MR: 70144
Type: Security Fix
Disposition: Backport from http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch
ChangeID: f713fe5b0b38ba5402a9c0947289ee9a0ea5bcbe
Description:

  Do not share private responses with collapsed client(s).

  This excessive sharing problem with collapsed forwarding code has
  several layers. In most cases, the core CF code does not share
  uncachable or private response with collapsed clients because of the
  refreshCheckHTTP() check. However, some responses might not be subject
  to that (or equivalent) check. More importantly, collapsed revalidation
  code does not check its responses at all and, hence, easily shares
  private responses.

  This short-term fix incorrectly assumes that an entry may become private
  (KEY_PRIVATE) only when it cannot be shared among multiple clients
  (e.g., because of a Cache-Control:private response header). However,
  there are a few other cases when an entry becomes private. One of them
  is a DISK_NO_SPACE_LEFT error inside storeSwapOutFileClosed() where
  StoreEntry::releaseRequest() sets KEY_PRIVATE for a sharable entry [that
  may still be perfectly preserved in the memory cache]. Consequently, the
  short-term fix reduces CF effectiveness. The extent of this reduction is
  probably environment-dependent.

Author: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 34 insertions, 0 deletions

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-10003.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-10003.patch
new file mode 100644
index 0000000000..cf94e751ff
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-10003.patch
@@ -0,0 +1,33 @@
+author: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: trunk
+timestamp: Fri 2016-12-16 15:43:39 +1300
+message:
+
+  Do not share private responses with collapsed client(s).
+
+Upstream-status: Backport
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: squid-3.5.20/src/client_side_reply.cc
+===================================================================
+--- squid-3.5.20.orig/src/client_side_reply.cc	2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/client_side_reply.cc	2017-05-31 13:15:46.541291519 +0530
+@@ -473,6 +482,17 @@
+         return;
+     }
+ 
++ 
++    // The previously identified hit suddenly became unsharable!
++    // This is common for collapsed forwarding slaves but might also
++    // happen to regular hits because we are called asynchronously.
++    if (EBIT_TEST(e->flags, KEY_PRIVATE)) {
++        debugs(88, 3, "unsharable " << *e << ". MISS");
++        http->logType = LOG_TCP_MISS;
++        processMiss();
++        return;
++    }
++
+     if (result.length == 0) {
+         debugs(88, 5, "store IO buffer has no content. MISS");
+         /* the store couldn't get enough data from the file for us to id the
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
index fc7f7689be..4b806a91a9 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
            file://volatiles.03_squid \
            file://set_sysroot_patch.patch \
            file://squid-don-t-do-squid-conf-tests-at-build-time.patch \
+	   file://CVE-2016-10003.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \