authorThiruvadi Rajaraman <trajaraman@mvista.com>2017-06-05 15:01:26 +0530
committerArmin Kuster <akuster808@gmail.com>2017-11-16 15:32:42 -0800
commitd3eef0b4716dac147f5f4d1bcdfc49021f698790 (patch)
treec186519072c497d65a272ca32452268d8d0214bd
parent6d03884d6260f25e5359645ca589ae2e403991ff (diff)
squid: CVE-2016-10002 fix
Source: https://github.com/squid-cache/ MR: 70135 Type: Security Fix Disposition: Backport from squid-3.5.23 ChangeID: 2e0f83ac2c4c773dec769f388132cb888e0564d9 Description: squid: Information disclosure in HTTP request processing. Due to incorrect HTTP conditional request handling, Squid can deliver responses containing private data to clients it should not have reached. This problem allows a remote attacker to discover private and sensitive information about another client's browsing session, potentially including credentials which allow access to further sensitive resources. author: Garri Djavadyan <garryd@comnet.uz> committer: Amos Jeffries <squid3@treenet.co.nz> Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch221
-rw-r--r--meta-networking/recipes-daemons/squid/squid_3.5.20.bb1
2 files changed, 222 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch
new file mode 100644
index 0000000000..5d4bd85130
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch
@@ -0,0 +1,221 @@
+revno: 14109
+revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
+author: Garri Djavadyan <garryd@comnet.uz>, Amos Jeffries <squid3@treenet.co.nz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2016-11-11 19:03:25 +1300
+message:
+ Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
+
+revno: 14126
+revision-id: squid3@treenet.co.nz-20161215103357-827wow3k1y3k9yql
+parent: squid3@treenet.co.nz-20161215093634-ykbs6tv8pdusz7cj
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4169
+author: Garri Djavadyan <garryd@comnet.uz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Thu 2016-12-15 23:33:57 +1300
+message:
+ Bug 4169: HIT marked as MISS when If-None-Match does not match
+
+Upstream-status: Backport
+
+CVE: CVE-2016-10002
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: squid-3.5.20/src/LogTags.h
+===================================================================
+--- squid-3.5.20.orig/src/LogTags.h 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/LogTags.h 2017-06-05 13:26:12.476954933 +0530
+@@ -27,6 +27,7 @@
+ LOG_TCP_REFRESH_MODIFIED, // refresh from origin replaced existing entry
+ LOG_TCP_CLIENT_REFRESH_MISS,
+ LOG_TCP_IMS_HIT,
++ LOG_TCP_INM_HIT,
+ LOG_TCP_SWAPFAIL_MISS,
+ LOG_TCP_NEGATIVE_HIT,
+ LOG_TCP_MEM_HIT,
+@@ -53,6 +54,7 @@
+ return
+ (code == LOG_TCP_HIT) ||
+ (code == LOG_TCP_IMS_HIT) ||
++ (code == LOG_TCP_INM_HIT) ||
+ (code == LOG_TCP_REFRESH_FAIL_OLD) ||
+ (code == LOG_TCP_REFRESH_UNMODIFIED) ||
+ (code == LOG_TCP_NEGATIVE_HIT) ||
+Index: squid-3.5.20/src/client_side.cc
+===================================================================
+--- squid-3.5.20.orig/src/client_side.cc 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/client_side.cc 2017-06-05 13:26:12.476954933 +0530
+@@ -415,6 +415,7 @@
+ statCounter.client_http.nearHitSvcTime.count(svc_time);
+ break;
+
++ case LOG_TCP_INM_HIT:
+ case LOG_TCP_IMS_HIT:
+ statCounter.client_http.nearMissSvcTime.count(svc_time);
+ break;
+Index: squid-3.5.20/src/client_side_reply.cc
+===================================================================
+--- squid-3.5.20.orig/src/client_side_reply.cc 2017-06-05 13:26:12.420954931 +0530
++++ squid-3.5.20/src/client_side_reply.cc 2017-06-05 13:33:40.688970895 +0530
+@@ -555,6 +555,7 @@
+ debugs(88, 5, "negative-HIT");
+ http->logType = LOG_TCP_NEGATIVE_HIT;
+ sendMoreData(result);
++ return;
+ } else if (blockedHit()) {
+ debugs(88, 5, "send_hit forces a MISS");
+ http->logType = LOG_TCP_MISS;
+@@ -606,15 +607,17 @@
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+ }
++ return;
+ } else if (r->conditional()) {
+ debugs(88, 5, "conditional HIT");
+- processConditional(result);
+- } else {
+- /*
+- * plain ol' cache hit
+- */
+- debugs(88, 5, "plain old HIT");
++ if (processConditional(result))
++ return;
++ }
+
++ /*
++ * plain ol' cache hit
++ */
++ debugs(88, 5, "plain old HIT");
+ #if USE_DELAY_POOLS
+ if (e->store_status != STORE_OK)
+ http->logType = LOG_TCP_MISS;
+@@ -626,7 +629,6 @@
+ http->logType = LOG_TCP_OFFLINE_HIT;
+
+ sendMoreData(result);
+- }
+ }
+
+ /**
+@@ -720,17 +722,16 @@
+ }
+
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+ StoreEntry *const e = http->storeEntry();
+
+ if (e->getReply()->sline.status() != Http::scOkay) {
+- debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
+- e->getReply()->sline.status() << " != 200");
++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+- return;
++ return true;
+ }
+
+ HttpRequest &r = *http->request;
+@@ -738,51 +739,39 @@
+ if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+ // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+ sendPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- bool matchedIfNoneMatch = false;
+ if (r.header.has(HDR_IF_NONE_MATCH)) {
+- if (!e->hasIfNoneMatchEtag(r)) {
+- // RFC 2616: ignore IMS if If-None-Match did not match
+- r.flags.ims = false;
+- r.ims = -1;
+- r.imslen = 0;
+- r.header.delById(HDR_IF_MODIFIED_SINCE);
+- http->logType = LOG_TCP_MISS;
+- sendMoreData(result);
+- return;
+- }
++ // RFC 7232: If-None-Match recipient MUST ignore IMS
++ r.flags.ims = false;
++ r.ims = -1;
++ r.imslen = 0;
++ r.header.delById(HDR_IF_MODIFIED_SINCE);
+
+- if (!r.flags.ims) {
+- // RFC 2616: if If-None-Match matched and there is no IMS,
+- // reply with 304 Not Modified or 412 Precondition Failed
++ if (e->hasIfNoneMatchEtag(r)) {
+ sendNotModifiedOrPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- // otherwise check IMS below to decide if we reply with 304 or 412
+- matchedIfNoneMatch = true;
++ // None-Match is true (no ETag matched); treat as an unconditional hit
++ return false;
+ }
+
+ if (r.flags.ims) {
+ // handle If-Modified-Since requests from the client
+- if (e->modifiedSince(&r)) {
+- http->logType = LOG_TCP_IMS_HIT;
+- sendMoreData(result);
+- return;
+- }
++ if (e->modifiedSince(&r)) {
++ // Modified-Since is true; treat as an unconditional hit
++ return false;
+
+- if (matchedIfNoneMatch) {
+- // If-None-Match matched, reply with 304 Not Modified or
+- // 412 Precondition Failed
+- sendNotModifiedOrPreconditionFailedError();
+- return;
++ } else {
++ // otherwise reply with 304 Not Modified
++ sendNotModified();
+ }
+-
+- // otherwise reply with 304 Not Modified
+- sendNotModified();
++ return true;
+ }
++
++ return false;
+ }
+
+ /// whether squid.conf send_hit prevents us from serving this hit
+@@ -1928,7 +1917,12 @@
+ StoreEntry *e = http->storeEntry();
+ const time_t timestamp = e->timestamp;
+ HttpReply *const temprep = e->getReply()->make304();
+- http->logType = LOG_TCP_IMS_HIT;
++ // log as TCP_INM_HIT if code 304 generated for
++ // If-None-Match request
++ if (!http->request->flags.ims)
++ http->logType = LOG_TCP_INM_HIT;
++ else
++ http->logType = LOG_TCP_IMS_HIT;
+ removeClientStoreReference(&sc, http);
+ createStoreEntry(http->request->method, RequestFlags());
+ e = http->storeEntry();
+Index: squid-3.5.20/src/client_side_reply.h
+===================================================================
+--- squid-3.5.20.orig/src/client_side_reply.h 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/client_side_reply.h 2017-06-05 13:26:12.476954933 +0530
+@@ -114,7 +114,7 @@
+ bool alwaysAllowResponse(Http::StatusCode sline) const;
+ int checkTransferDone();
+ void processOnlyIfCachedMiss();
+- void processConditional(StoreIOBuffer &result);
++ bool processConditional(StoreIOBuffer &result);
+ void cacheHit(StoreIOBuffer result);
+ void handleIMSReply(StoreIOBuffer result);
+ void sendMoreData(StoreIOBuffer result);
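Review bot: In the embedded client_side_reply.cc change to cacheHit(), the plain-hit code moves out of the final `else`, so every earlier branch of the if/else-if chain must now `return`, or it falls through to `debugs(88, 5, "plain old HIT")` and a second `sendMoreData(result)` for a request that was already answered. The patch adds `return;` to the negative-HIT branch and after the refresh branch, but the `blockedHit()` branch is cut off by the hunk context right after `http->logType = LOG_TCP_MISS;`, so whether it already returns in the 3.5.20 tree cannot be confirmed from this page and should be checked against the unpacked source. Since `processConditional()` now returns `bool`, its `/// process conditional request from client` comment should state the contract, for example `/// \returns true if a reply (or miss) was already started, false if the caller must serve the hit`. Separately, the patch header spells the tag `Upstream-status: Backport`; the OpenEmbedded convention is `Upstream-Status:`.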
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
index 4b806a91a9..aa244b3f5b 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
file://set_sysroot_patch.patch \
file://squid-don-t-do-squid-conf-tests-at-build-time.patch \
file://CVE-2016-10003.patch \
+ file://CVE-2016-10002.patch \
"
LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \