Version in base suite: 4.13-10+deb11u2
Base version: squid_4.13-10+deb11u2
Target version: squid_4.13-10+deb11u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/squid/squid_4.13-10+deb11u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/s/squid/squid_4.13-10+deb11u3.dsc

 changelog | 19 +
 patches/0001-Default-configuration-file-for-debian.patch | 10
 patches/0002-Change-default-file-locations-for-debian.patch | 2
 patches/0003-installed-binary-for-debian-ci.patch | 14 -
 patches/0005-Use-RuntimeDirectory-to-create-run-squid.patch | 4
 patches/0006-SQUID-2020_11.patch | 6
 patches/0007-CVE-2021-28651.patch | 4
 patches/0008-CVE-2021-28662-squid-4-b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8.patch | 4
 patches/0009-CVE-2021-28652-squid-4-0003e3518dc95e4b5ab46b5140af79b22253048e.patch | 100 +++-----
 patches/0010-CVE-2021-31806-CVE-2021-31807-CVE-2021-31808-squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch | 24 --
 patches/0011-squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch | 12 -
 patches/0012-squid-4-780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b.patch | 16 -
 patches/0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch | 39 +--
 patches/0014-SQUID-2022_1.patch | 4
 patches/0015-SQUID-2022_2.patch | 4
 patches/CVE-2023-46724.patch | 34 ++
 patches/CVE-2023-46846.patch | 103 ++++++++
 patches/CVE-2023-46847.patch | 31 ++
 patches/CVE-2023-49285.patch | 25 ++
 patches/CVE-2023-49286.patch | 70 +++++
 patches/CVE-2023-50269.patch | 57 ++++
 patches/CVE-2024-23638.patch | 21 +
 patches/CVE-2024-25617.patch | 117 ++++++++++
 patches/series | 9
 24 files changed, 582 insertions(+), 147 deletions(-)

diff -Nru squid-4.13/debian/changelog squid-4.13/debian/changelog --- squid-4.13/debian/changelog 2022-09-25 13:13:57.000000000 +0000 +++ squid-4.13/debian/changelog 2024-03-07 19:52:04.000000000 +0000
@@ -1,3 +1,22 @@ +squid (4.13-10+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload. + * Fix CVE-2023-46724, CVE-2023-46846, CVE-2023-46847 CVE-2023-49285, + CVE-2023-49286, CVE-2023-50269, CVE-2024-23638, CVE-2024-25617. + * Several security vulnerabilities have been discovered in Squid, a full + featured web proxy cache. Due to programming errors in Squid's HTTP request + parsing, remote attackers may be able to execute a denial of service attack + by sending large X-Forwarded-For header or trigger a stack buffer overflow + while performing HTTP Digest authentication. Other issues facilitate + request smuggling past a firewall or a denial of service against Squid's + Helper process management. + In regard to CVE-2023-46728: Please note that support for the Gopher + protocol has simply been removed in future Squid versions. There are no + plans by the upstream developers of Squid to fix this issue. We recommend + to reject all Gopher URL requests instead. + + -- Markus Koschany Thu, 07 Mar 2024 20:52:04 +0100 + squid (4.13-10+deb11u2) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru squid-4.13/debian/patches/0001-Default-configuration-file-for-debian.patch squid-4.13/debian/patches/0001-Default-configuration-file-for-debian.patch --- squid-4.13/debian/patches/0001-Default-configuration-file-for-debian.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0001-Default-configuration-file-for-debian.patch 2024-03-07 19:52:04.000000000 +0000 @@ -6,11 +6,9 @@ src/cf.data.pre | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) -diff --git a/src/cf.data.pre b/src/cf.data.pre -index 588e0f81..c1356475 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre -@@ -1693,11 +1693,12 @@ http_access deny manager +@@ -1752,11 +1752,12 @@ http_access deny manager # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # 
@@ -24,7 +22,7 @@ http_access allow localhost # And finally deny all other access to this proxy -@@ -4815,7 +4816,7 @@ DOC_END +@@ -5006,7 +5007,7 @@ DOC_END NAME: logfile_rotate TYPE: int @@ -33,7 +31,7 @@ LOC: Config.Log.rotateNumber DOC_START Specifies the default number of logfile rotations to make when you -@@ -4839,6 +4840,8 @@ DOC_START +@@ -5030,6 +5031,8 @@ DOC_START in the habit of using 'squid -k rotate' instead of 'kill -USR1 '. @@ -42,7 +40,7 @@ DOC_END NAME: mime_table -@@ -9418,8 +9421,8 @@ DOC_START +@@ -9626,8 +9629,8 @@ DOC_START WARNING: This option will restrict the situations under which IPv6 diff -Nru squid-4.13/debian/patches/0002-Change-default-file-locations-for-debian.patch squid-4.13/debian/patches/0002-Change-default-file-locations-for-debian.patch --- squid-4.13/debian/patches/0002-Change-default-file-locations-for-debian.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0002-Change-default-file-locations-for-debian.patch 2024-03-07 19:52:04.000000000 +0000 @@ -8,7 +8,7 @@ --- a/src/Common.am +++ b/src/Common.am -@@ -16,7 +16,7 @@ +@@ -16,7 +16,7 @@ DEFAULT_ICP_PORT = 3130 DEFAULT_PREFIX = $(prefix) DEFAULT_CONFIG_DIR = $(sysconfdir) DEFAULT_CONFIG_FILE = $(DEFAULT_CONFIG_DIR)/squid.conf diff -Nru squid-4.13/debian/patches/0003-installed-binary-for-debian-ci.patch squid-4.13/debian/patches/0003-installed-binary-for-debian-ci.patch --- squid-4.13/debian/patches/0003-installed-binary-for-debian-ci.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0003-installed-binary-for-debian-ci.patch 2024-03-07 19:52:04.000000000 +0000 @@ -2,10 +2,8 @@ Date: Sat, 21 Jul 2018 21:07:00 +1300 Subject: Use installed squid binary for Debian CI testing -Index: pkg-squid/test-suite/Makefile.am -=================================================================== ---- pkg-squid.orig/test-suite/Makefile.am -+++ pkg-squid/test-suite/Makefile.am +--- a/test-suite/Makefile.am ++++ b/test-suite/Makefile.am 
@@ -150,7 +150,7 @@ VirtualDeleteOperator_SOURCES = VirtualD squid-conf-tests: $(top_builddir)/src/squid.conf.default $(srcdir)/squidconf/* @failed=0; cfglist="$?"; rm -f $@ || $(TRUE); \ @@ -15,11 +13,9 @@ { echo "FAIL: squid.conf test: $$cfg" | \ sed s%$(top_builddir)/src/%% | \ sed s%$(srcdir)/squidconf/%% ; \ -Index: pkg-squid/test-suite/Makefile.in -=================================================================== ---- pkg-squid.orig/test-suite/Makefile.in -+++ pkg-squid/test-suite/Makefile.in -@@ -1477,7 +1477,7 @@ STUB.h: $(top_srcdir)/src/tests/STUB.h +--- a/test-suite/Makefile.in ++++ b/test-suite/Makefile.in +@@ -1534,7 +1534,7 @@ STUB.h: $(top_srcdir)/src/tests/STUB.h squid-conf-tests: $(top_builddir)/src/squid.conf.default $(srcdir)/squidconf/* @failed=0; cfglist="$?"; rm -f $@ || $(TRUE); \ for cfg in $$cfglist ; do \ diff -Nru squid-4.13/debian/patches/0005-Use-RuntimeDirectory-to-create-run-squid.patch squid-4.13/debian/patches/0005-Use-RuntimeDirectory-to-create-run-squid.patch --- squid-4.13/debian/patches/0005-Use-RuntimeDirectory-to-create-run-squid.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0005-Use-RuntimeDirectory-to-create-run-squid.patch 2024-03-07 19:52:04.000000000 +0000 @@ -9,11 +9,9 @@ tools/systemd/squid.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) -diff --git a/tools/systemd/squid.service b/tools/systemd/squid.service -index 4094f0c..b1b0526 100644 --- a/tools/systemd/squid.service +++ b/tools/systemd/squid.service -@@ -12,7 +12,10 @@ After=network.target network-online.target nss-lookup.target +@@ -12,7 +12,10 @@ After=network.target network-online.targ [Service] Type=notify diff -Nru squid-4.13/debian/patches/0006-SQUID-2020_11.patch squid-4.13/debian/patches/0006-SQUID-2020_11.patch --- squid-4.13/debian/patches/0006-SQUID-2020_11.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0006-SQUID-2020_11.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -28,11 +28,9 @@ Co-authored-by: Alex Rousskov -diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc -index e4909ff1d..80131e17d 100644 --- a/src/anyp/Uri.cc +++ b/src/anyp/Uri.cc -@@ -343,8 +343,9 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl) +@@ -343,8 +343,9 @@ AnyP::Uri::parse(const HttpRequestMethod return false; *dst = '\0'; @@ -44,7 +42,7 @@ urlpath[0] = '/'; dst = &urlpath[1]; } else { -@@ -358,11 +359,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl) +@@ -358,11 +359,6 @@ AnyP::Uri::parse(const HttpRequestMethod /* We -could- be at the end of the buffer here */ if (i > l) return false; diff -Nru squid-4.13/debian/patches/0007-CVE-2021-28651.patch squid-4.13/debian/patches/0007-CVE-2021-28651.patch --- squid-4.13/debian/patches/0007-CVE-2021-28651.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0007-CVE-2021-28651.patch 2024-03-07 19:52:04.000000000 +0000 @@ -11,8 +11,8 @@ Reviewed-By: Francisco Vilmar Cardoso Ruviaro Last-Update: 2021-05-27 ---- squid-4.13.orig/src/urn.cc -+++ squid-4.13/src/urn.cc +--- a/src/urn.cc ++++ b/src/urn.cc @@ -412,6 +412,7 @@ urnParseReply(const char *inbuf, const H } diff -Nru squid-4.13/debian/patches/0008-CVE-2021-28662-squid-4-b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8.patch squid-4.13/debian/patches/0008-CVE-2021-28662-squid-4-b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8.patch --- squid-4.13/debian/patches/0008-CVE-2021-28662-squid-4-b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0008-CVE-2021-28662-squid-4-b1c37c9e7b30d0efb5e5ccf8200f2a646b9c36f8.patch 2024-03-07 19:52:04.000000000 +0000 @@ -4,11 +4,9 @@ Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs -diff --git a/src/http/RegisteredHeaders.cc b/src/http/RegisteredHeaders.cc -index 6b420638e..348a1bb82 100644 --- a/src/http/RegisteredHeaders.cc 
+++ b/src/http/RegisteredHeaders.cc -@@ -37,7 +37,7 @@ HeaderTableRecord::HeaderTableRecord(const char *n, HdrType theId, HdrFieldType +@@ -37,7 +37,7 @@ HeaderTableRecord::HeaderTableRecord(con const HeaderTableRecord& HeaderLookupTable_t::lookup (const char *buf, const std::size_t len) const { const HeaderTableRecord *r = HttpHeaderHashTable::lookup(buf, len); diff -Nru squid-4.13/debian/patches/0009-CVE-2021-28652-squid-4-0003e3518dc95e4b5ab46b5140af79b22253048e.patch squid-4.13/debian/patches/0009-CVE-2021-28652-squid-4-0003e3518dc95e4b5ab46b5140af79b22253048e.patch --- squid-4.13/debian/patches/0009-CVE-2021-28652-squid-4-0003e3518dc95e4b5ab46b5140af79b22253048e.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0009-CVE-2021-28652-squid-4-0003e3518dc95e4b5ab46b5140af79b22253048e.patch 2024-03-07 19:52:04.000000000 +0000 @@ -24,8 +24,6 @@ are left to future updates. As is refactoring the QueryParams data storage to avoid SBuf data copying. -diff --git a/src/CacheManager.h b/src/CacheManager.h -index 78a69f799..74705c58a 100644 --- a/src/CacheManager.h +++ b/src/CacheManager.h @@ -9,6 +9,7 @@ @@ -45,8 +43,6 @@ void ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶ms); int CheckPassword(const Mgr::Command &cmd); char *PasswdGet(Mgr::ActionPasswordList *, const char *); -diff --git a/src/cache_manager.cc b/src/cache_manager.cc -index 9fe9bbb89..8055ece6b 100644 --- a/src/cache_manager.cc +++ b/src/cache_manager.cc @@ -26,7 +26,9 @@ @@ -59,7 +55,7 @@ #include "sbuf/StringConvert.h" #include "SquidConfig.h" #include "SquidTime.h" -@@ -147,82 +149,87 @@ CacheManager::createRequestedAction(const Mgr::ActionParams ¶ms) +@@ -147,82 +149,87 @@ CacheManager::createRequestedAction(cons return cmd->profile->creator->create(cmd); } 
@@ -141,18 +137,18 @@ + static const SBuf internalMagicPrefix("/squid-internal-mgr/"); + if (!tok.skip(internalMagicPrefix) && !tok.skip('/')) + throw TextException("invalid URL path", Here()); ++ ++ Mgr::Command::Pointer cmd = new Mgr::Command(); ++ cmd->params.httpUri = SBufToString(uri.absolute()); - debugs(16, 3, HERE << "MGR request: t=" << t << ", host='" << host << "', request='" << request << "', pos=" << pos << - ", password='" << password << "', params='" << params << "'"); -+ Mgr::Command::Pointer cmd = new Mgr::Command(); -+ cmd->params.httpUri = SBufToString(uri.absolute()); ++ const auto &fieldChars = MgrFieldChars(uri.getScheme()); - Mgr::ActionProfile::Pointer profile = findAction(request); - if (!profile) { - debugs(16, DBG_IMPORTANT, "CacheManager::ParseUrl: action '" << request << "' not found"); - return NULL; -+ const auto &fieldChars = MgrFieldChars(uri.getScheme()); -+ + SBuf action; + if (!tok.prefix(action, fieldChars)) { + if (uri.getScheme() == AnyP::PROTO_CACHE_OBJECT) { @@ -208,7 +204,7 @@ return cmd; } -@@ -305,11 +312,15 @@ CacheManager::CheckPassword(const Mgr::Command &cmd) +@@ -305,11 +312,15 @@ CacheManager::CheckPassword(const Mgr::C void CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request, StoreEntry * entry) { @@ -233,8 +229,6 @@ return instance; } - -diff --git a/src/mgr/QueryParams.cc b/src/mgr/QueryParams.cc -index 831694245..a53dee1c7 100644 --- a/src/mgr/QueryParams.cc +++ b/src/mgr/QueryParams.cc @@ -14,6 +14,10 @@ @@ -248,7 +242,7 @@ Mgr::QueryParam::Pointer Mgr::QueryParams::get(const String& name) const -@@ -65,61 +69,76 @@ Mgr::QueryParams::find(const String& name) const +@@ -65,61 +69,76 @@ Mgr::QueryParams::find(const String& nam return iter; } 
@@ -264,6 +258,37 @@ + */ +Mgr::QueryParam::Pointer +ParseParamValue(const SBuf &rawValue) ++{ ++ static const CharacterSet comma("comma", ","); ++ ++ Parser::Tokenizer tok(rawValue); ++ std::vector array; ++ int64_t intVal = 0; ++ while (tok.int64(intVal, 10, false)) { ++ Must(intVal >= std::numeric_limits::min()); ++ Must(intVal <= std::numeric_limits::max()); ++ array.emplace_back(intVal); ++ // integer list has comma between values. ++ // Require at least one potential DIGIT after the skipped ',' ++ if (tok.remaining().length() > 1) ++ (void)tok.skipOne(comma); ++ } ++ ++ if (tok.atEnd()) ++ return new Mgr::IntParam(array); ++ else ++ return new Mgr::StringParam(SBufToString(rawValue)); ++} ++ ++/** ++ * Syntax: ++ * query = [ param *( '&' param ) ] ++ * param = name '=' value ++ * name = [a-zA-Z0-9]+ ++ * value = *pchar | ( 1*DIGIT *( ',' 1*DIGIT ) ) ++ */ ++void ++Mgr::QueryParams::Parse(Parser::Tokenizer &tok, QueryParams &aParams) { - bool parsed = false; - regmatch_t pmatch[3]; 
@@ -289,42 +314,15 @@ - param.first = paramStr.substr(pmatch[1].rm_so, pmatch[1].rm_eo); - param.second = new StringParam(paramStr.substr(pmatch[2].rm_so, pmatch[2].rm_eo)); - parsed = true; -+ static const CharacterSet comma("comma", ","); -+ -+ Parser::Tokenizer tok(rawValue); -+ std::vector array; -+ int64_t intVal = 0; -+ while (tok.int64(intVal, 10, false)) { -+ Must(intVal >= std::numeric_limits::min()); -+ Must(intVal <= std::numeric_limits::max()); -+ array.emplace_back(intVal); -+ // integer list has comma between values. -+ // Require at least one potential DIGIT after the skipped ',' -+ if (tok.remaining().length() > 1) -+ (void)tok.skipOne(comma); - } +- } - regfree(&stringExpr); - regfree(&intExpr); - return parsed; -+ -+ if (tok.atEnd()) -+ return new Mgr::IntParam(array); -+ else -+ return new Mgr::StringParam(SBufToString(rawValue)); - } - +-} +- -bool -Mgr::QueryParams::Parse(const String& aParamsStr, QueryParams& aParams) -+/** -+ * Syntax: -+ * query = [ param *( '&' param ) ] -+ * param = name '=' value -+ * name = [a-zA-Z0-9]+ -+ * value = *pchar | ( 1*DIGIT *( ',' 1*DIGIT ) ) -+ */ -+void -+Mgr::QueryParams::Parse(Parser::Tokenizer &tok, QueryParams &aParams) - { +-{ - if (aParamsStr.size() != 0) { - Param param; - size_t n = 0; @@ -374,13 +372,11 @@ } Mgr::QueryParam::Pointer -@@ -138,4 +157,3 @@ Mgr::QueryParams::CreateParam(QueryParam::Type aType) +@@ -138,4 +157,3 @@ Mgr::QueryParams::CreateParam(QueryParam } return NULL; } - -diff --git a/src/mgr/QueryParams.h b/src/mgr/QueryParams.h -index bb8f40308..450c20f86 100644 --- a/src/mgr/QueryParams.h +++ b/src/mgr/QueryParams.h @@ -13,9 +13,11 @@ @@ -413,11 +409,9 @@ private: Params params; -diff --git a/src/tests/stub_libmgr.cc b/src/tests/stub_libmgr.cc -index f8be88a58..cd3ffc2de 100644 --- a/src/tests/stub_libmgr.cc 
+++ b/src/tests/stub_libmgr.cc -@@ -174,11 +174,10 @@ void Mgr::IoAction::dump(StoreEntry* entry) STUB +@@ -174,11 +174,10 @@ void Mgr::IoAction::dump(StoreEntry* ent Mgr::QueryParam::Pointer Mgr::QueryParams::get(const String& name) const STUB_RETVAL(Mgr::QueryParam::Pointer(NULL)) void Mgr::QueryParams::pack(Ipc::TypedMsgHdr& msg) const STUB void Mgr::QueryParams::unpack(const Ipc::TypedMsgHdr& msg) STUB @@ -430,8 +424,6 @@ #include "mgr/Registration.h" //void Mgr::RegisterAction(char const * action, char const * desc, OBJH * handler, int pw_req_flag, int atomic); -diff --git a/src/tests/testCacheManager.cc b/src/tests/testCacheManager.cc -index f02396176..7d6631aae 100644 --- a/src/tests/testCacheManager.cc +++ b/src/tests/testCacheManager.cc @@ -7,6 +7,7 @@ @@ -609,11 +601,9 @@ + } + } +} -diff --git a/src/tests/testCacheManager.h b/src/tests/testCacheManager.h -index 6d32d69e5..fee15846a 100644 --- a/src/tests/testCacheManager.h +++ b/src/tests/testCacheManager.h -@@ -20,6 +20,7 @@ class testCacheManager : public CPPUNIT_NS::TestFixture +@@ -20,6 +20,7 @@ class testCacheManager : public CPPUNIT_ CPPUNIT_TEST_SUITE( testCacheManager ); CPPUNIT_TEST( testCreate ); CPPUNIT_TEST( testRegister ); diff -Nru squid-4.13/debian/patches/0010-CVE-2021-31806-CVE-2021-31807-CVE-2021-31808-squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch squid-4.13/debian/patches/0010-CVE-2021-31806-CVE-2021-31807-CVE-2021-31808-squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch --- squid-4.13/debian/patches/0010-CVE-2021-31806-CVE-2021-31807-CVE-2021-31808-squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0010-CVE-2021-31806-CVE-2021-31807-CVE-2021-31808-squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch 2024-03-07 19:52:04.000000000 +0000 @@ -6,11 +6,9 @@ Also removed some effectively unused code. -diff --git a/src/HttpHdrRange.cc b/src/HttpHdrRange.cc -index 92b6660d1..7da29765c 100644 
--- a/src/HttpHdrRange.cc +++ b/src/HttpHdrRange.cc -@@ -526,23 +526,6 @@ HttpHdrRange::offsetLimitExceeded(const int64_t limit) const +@@ -526,23 +526,6 @@ HttpHdrRange::offsetLimitExceeded(const return true; } @@ -34,8 +32,6 @@ const HttpHdrRangeSpec * HttpHdrRangeIter::currentSpec() const { -diff --git a/src/HttpHeaderRange.h b/src/HttpHeaderRange.h -index b4c6d7fd2..fb2956365 100644 --- a/src/HttpHeaderRange.h +++ b/src/HttpHeaderRange.h @@ -78,7 +78,6 @@ public: @@ -58,11 +54,9 @@ }; #endif /* SQUID_HTTPHEADERRANGE_H */ -diff --git a/src/client_side.cc b/src/client_side.cc -index 946081465..f57f3f7ef 100644 --- a/src/client_side.cc +++ b/src/client_side.cc -@@ -728,8 +728,8 @@ clientPackRangeHdr(const HttpReply * rep, const HttpHdrRangeSpec * spec, String +@@ -728,8 +728,8 @@ clientPackRangeHdr(const HttpReply * rep * warning: assumes that HTTP headers for individual ranges at the * time of the actuall assembly will be exactly the same as * the headers when clientMRangeCLen() is called */ @@ -73,11 +67,9 @@ { int64_t clen = 0; MemBuf mb; -diff --git a/src/client_side_request.cc b/src/client_side_request.cc -index 7d6e838f0..ab08fd20e 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc -@@ -1094,9 +1094,6 @@ clientInterpretRequestHeaders(ClientHttpRequest * http) +@@ -1094,9 +1094,6 @@ clientInterpretRequestHeaders(ClientHttp * iter up at this point. */ node->readBuffer.offset = request->range->lowestOffset(0); @@ -87,7 +79,7 @@ } } -@@ -1954,6 +1951,30 @@ ClientHttpRequest::setErrorUri(const char *aUri) +@@ -1954,6 +1951,30 @@ ClientHttpRequest::setErrorUri(const cha #include "client_side_request.cci" #endif @@ -118,8 +110,6 @@ #if USE_ADAPTATION /// Initiate an asynchronous adaptation transaction which will call us back. void -diff --git a/src/client_side_request.h b/src/client_side_request.h -index 1258d5218..3ea46f5c7 100644 --- a/src/client_side_request.h +++ b/src/client_side_request.h @@ -131,7 +131,7 @@ public: 
@@ -143,11 +133,9 @@ /// Build an error reply. For use with the callouts. void calloutsError(const err_type error, const int errDetail); -diff --git a/src/http/Stream.cc b/src/http/Stream.cc -index e2594b624..338503b4a 100644 --- a/src/http/Stream.cc +++ b/src/http/Stream.cc -@@ -444,59 +444,27 @@ Http::Stream::buildRangeHeader(HttpReply *rep) +@@ -444,59 +444,27 @@ Http::Stream::buildRangeHeader(HttpReply } else { /* XXX: TODO: Review, this unconditional set may be wrong. */ rep->sline.set(rep->sline.version, Http::scPartialContent); @@ -214,7 +202,7 @@ } /* replace Content-Length header */ -@@ -504,9 +472,6 @@ Http::Stream::buildRangeHeader(HttpReply *rep) +@@ -504,9 +472,6 @@ Http::Stream::buildRangeHeader(HttpReply hdr->delById(Http::HdrType::CONTENT_LENGTH); hdr->putInt64(Http::HdrType::CONTENT_LENGTH, actual_clen); debugs(33, 3, "actual content length: " << actual_clen); diff -Nru squid-4.13/debian/patches/0011-squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch squid-4.13/debian/patches/0011-squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch --- squid-4.13/debian/patches/0011-squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0011-squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch 2024-03-07 19:52:04.000000000 +0000 @@ -4,11 +4,9 @@ Handle more partial responses (#791) -diff --git a/src/HttpHdrContRange.cc b/src/HttpHdrContRange.cc -index b0e011fec..be07b4a3d 100644 --- a/src/HttpHdrContRange.cc +++ b/src/HttpHdrContRange.cc -@@ -161,9 +161,13 @@ httpHdrContRangeParseInit(HttpHdrContRange * range, const char *str) +@@ -161,9 +161,13 @@ httpHdrContRangeParseInit(HttpHdrContRan ++p; @@ -24,7 +22,7 @@ return 0; else if (range->elength <= 0) { /* Additional paranoidal check for BUG2155 - entity-length MUST be > 0 */ -@@ -174,6 +178,12 @@ httpHdrContRangeParseInit(HttpHdrContRange * range, const char *str) +@@ -174,6 +178,12 @@ httpHdrContRangeParseInit(HttpHdrContRan return 0; } 
@@ -37,8 +35,6 @@ debugs(68, 8, "parsed content-range field: " << (long int) range->spec.offset << "-" << (long int) range->spec.offset + range->spec.length - 1 << " / " << -diff --git a/src/HttpHeaderRange.h b/src/HttpHeaderRange.h -index fb2956365..21fc7f6b2 100644 --- a/src/HttpHeaderRange.h +++ b/src/HttpHeaderRange.h @@ -18,8 +18,11 @@ @@ -55,8 +51,6 @@ class HttpHdrRangeSpec { MEMPROXY_CLASS(HttpHdrRangeSpec); -diff --git a/src/clients/Client.cc b/src/clients/Client.cc -index b6ce419a6..f5defbb63 100644 --- a/src/clients/Client.cc +++ b/src/clients/Client.cc @@ -533,8 +533,11 @@ Client::haveParsedReplyHeaders() @@ -73,8 +67,6 @@ } /// whether to prevent caching of an otherwise cachable response -diff --git a/src/http/Stream.cc b/src/http/Stream.cc -index 338503b4a..cea509a55 100644 --- a/src/http/Stream.cc +++ b/src/http/Stream.cc @@ -163,12 +163,13 @@ Http::Stream::getNextRangeOffset() const diff -Nru squid-4.13/debian/patches/0012-squid-4-780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b.patch squid-4.13/debian/patches/0012-squid-4-780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b.patch --- squid-4.13/debian/patches/0012-squid-4-780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0012-squid-4-780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b.patch 2024-03-07 19:52:04.000000000 +0000 @@ -4,11 +4,9 @@ Improve handling of Gopher responses (#1022) -diff --git a/src/gopher.cc b/src/gopher.cc -index 169b0e182..6187da18b 100644 --- a/src/gopher.cc +++ b/src/gopher.cc -@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -371,7 +371,6 @@ gopherToHTML(GopherStateData * gopherSta char *lpos = NULL; char *tline = NULL; LOCAL_ARRAY(char, line, TEMP_BUF_SIZE); 
@@ -16,7 +14,7 @@ char *name = NULL; char *selector = NULL; char *host = NULL; -@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -381,7 +380,6 @@ gopherToHTML(GopherStateData * gopherSta char gtype; StoreEntry *entry = NULL; @@ -24,7 +22,7 @@ memset(line, '\0', TEMP_BUF_SIZE); entry = gopherState->entry; -@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -416,7 +414,7 @@ gopherToHTML(GopherStateData * gopherSta return; } @@ -33,7 +31,7 @@ if (!gopherState->HTML_header_added) { if (gopherState->conversion == GopherStateData::HTML_CSO_RESULT) -@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -583,34 +581,34 @@ gopherToHTML(GopherStateData * gopherSta break; } @@ -82,7 +80,7 @@ } else { memset(line, '\0', TEMP_BUF_SIZE); continue; -@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -643,13 +641,12 @@ gopherToHTML(GopherStateData * gopherSta break; if (gopherState->cso_recno != recno) { @@ -98,7 +96,7 @@ break; } else { int code; -@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -677,8 +674,7 @@ gopherToHTML(GopherStateData * gopherSta case 502: { /* Too Many Matches */ /* Print the message the server returns */ @@ -108,7 +106,7 @@ break; } -@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherState, char *inbuf, int len) +@@ -694,13 +690,12 @@ gopherToHTML(GopherStateData * gopherSta } /* while loop */ diff -Nru squid-4.13/debian/patches/0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch squid-4.13/debian/patches/0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch --- squid-4.13/debian/patches/0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch 2022-09-25 13:02:30.000000000 +0000 +++ squid-4.13/debian/patches/0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -11,11 +11,9 @@ Update the main WCCPv2 parsing checks to throw meaningful exceptions when detected. -diff --git a/src/wccp2.cc b/src/wccp2.cc -index ee592449c..6ef469e91 100644 --- a/src/wccp2.cc +++ b/src/wccp2.cc -@@ -1108,6 +1108,59 @@ wccp2ConnectionClose(void) +@@ -1104,6 +1104,59 @@ wccp2ConnectionClose(void) * Functions for handling the requests. */ @@ -75,7 +73,7 @@ /* * Accept the UDP packet */ -@@ -1124,8 +1177,6 @@ wccp2HandleUdp(int sock, void *) +@@ -1120,8 +1173,6 @@ wccp2HandleUdp(int sock, void *) /* These structs form the parts of the packet */ @@ -84,7 +82,7 @@ struct wccp2_security_none_t *security_info = NULL; struct wccp2_service_info_t *service_info = NULL; -@@ -1141,14 +1192,13 @@ wccp2HandleUdp(int sock, void *) +@@ -1137,14 +1188,13 @@ wccp2HandleUdp(int sock, void *) struct wccp2_cache_identity_info_t *cache_identity = NULL; struct wccp2_capability_info_header_t *router_capability_header = NULL; @@ -100,7 +98,7 @@ uint32_t tmp; char *ptr; int num_caches; -@@ -1161,20 +1211,18 @@ wccp2HandleUdp(int sock, void *) +@@ -1157,20 +1207,18 @@ wccp2HandleUdp(int sock, void *) Ip::Address from_tmp; from_tmp.setIPv4(); @@ -130,7 +128,7 @@ /* FIXME INET6 : drop conversion boundary */ from_tmp.getSockAddr(from); -@@ -1182,73 +1230,60 @@ wccp2HandleUdp(int sock, void *) +@@ -1178,73 +1226,60 @@ wccp2HandleUdp(int sock, void *) debugs(80, 3, "Incoming WCCPv2 I_SEE_YOU length " << ntohs(wccp2_i_see_you.length) << "."); /* Record the total data length */ 
@@ -221,12 +219,13 @@ - debugs(80, DBG_IMPORTANT, "Duplicate router_capability definition"); - return; - } +- +- router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset]; + case WCCP2_CAPABILITY_INFO: { + Must2(!router_capability_header, "duplicate router_capability definition"); + SetField(router_capability_header, itemHeader, itemHeader, itemSize, + "router_capability definition truncated"); - -- router_capability_header = (struct wccp2_capability_info_header_t *) &wccp2_i_see_you.data[offset]; ++ + CheckFieldDataLength(router_capability_header, ntohs(router_capability_header->capability_info_length), + itemHeader, itemSize, "capability info truncated"); + router_capability_data_start = reinterpret_cast(router_capability_header) + @@ -236,7 +235,7 @@ /* Nothing to do for the types below */ -@@ -1257,22 +1292,17 @@ wccp2HandleUdp(int sock, void *) +@@ -1253,22 +1288,17 @@ wccp2HandleUdp(int sock, void *) break; default: @@ -266,7 +265,7 @@ debugs(80, 5, "Complete packet received"); -@@ -1308,10 +1338,7 @@ wccp2HandleUdp(int sock, void *) +@@ -1304,10 +1334,7 @@ wccp2HandleUdp(int sock, void *) break; } @@ -278,7 +277,7 @@ /* Set the router id */ router_list_ptr->info->router_address = router_identity_info->router_id_element.router_address; -@@ -1331,11 +1358,20 @@ wccp2HandleUdp(int sock, void *) +@@ -1327,11 +1354,20 @@ wccp2HandleUdp(int sock, void *) } } else { @@ -304,7 +303,7 @@ switch (ntohs(router_capability_element->capability_type)) { -@@ -1377,7 +1413,7 @@ wccp2HandleUdp(int sock, void *) +@@ -1373,7 +1409,7 @@ wccp2HandleUdp(int sock, void *) debugs(80, DBG_IMPORTANT, "Unknown capability type in WCCPv2 Packet (" << ntohs(router_capability_element->capability_type) << ")."); } @@ -313,7 +312,7 @@ } } -@@ -1396,23 +1432,34 @@ wccp2HandleUdp(int sock, void *) +@@ -1392,23 +1428,34 @@ wccp2HandleUdp(int sock, void *) num_caches = 0; /* Check to see if we're the master cache and update the cache list */ 
@@ -353,7 +352,7 @@ ptr += sizeof(tmp); if (ntohl(tmp) != 0) { -@@ -1426,7 +1473,8 @@ wccp2HandleUdp(int sock, void *) +@@ -1422,7 +1469,8 @@ wccp2HandleUdp(int sock, void *) case WCCP2_ASSIGNMENT_METHOD_HASH: @@ -363,7 +362,7 @@ ptr += sizeof(struct wccp2_cache_identity_info_t); -@@ -1437,13 +1485,15 @@ wccp2HandleUdp(int sock, void *) +@@ -1433,13 +1481,15 @@ wccp2HandleUdp(int sock, void *) case WCCP2_ASSIGNMENT_METHOD_MASK: @@ -381,7 +380,7 @@ ptr += sizeof(struct wccp2_cache_mask_identity_info_t); -@@ -1474,10 +1524,7 @@ wccp2HandleUdp(int sock, void *) +@@ -1470,10 +1520,7 @@ wccp2HandleUdp(int sock, void *) debugs (80, 5, "checking cache list: (" << std::hex << cache_address.s_addr << ":" << router_list_ptr->local_ip.s_addr << ")"); /* Check to see if it's the master, or us */ @@ -393,7 +392,7 @@ if (cache_address.s_addr < router_list_ptr->local_ip.s_addr) { service_list_ptr->lowest_ip = 0; -@@ -1494,7 +1541,7 @@ wccp2HandleUdp(int sock, void *) +@@ -1490,7 +1537,7 @@ wccp2HandleUdp(int sock, void *) cache_list_ptr->next = NULL; service_list_ptr->lowest_ip = 1; @@ -402,7 +401,7 @@ num_caches = 1; } -@@ -1502,7 +1549,7 @@ wccp2HandleUdp(int sock, void *) +@@ -1498,7 +1545,7 @@ wccp2HandleUdp(int sock, void *) router_list_ptr->num_caches = htonl(num_caches); 
@@ -411,7 +410,7 @@ if (ntohl(router_view_header->change_number) != router_list_ptr->member_change) { debugs(80, 4, "Change detected - queueing up new assignment"); router_list_ptr->member_change = ntohl(router_view_header->change_number); -@@ -1515,6 +1562,10 @@ wccp2HandleUdp(int sock, void *) +@@ -1511,6 +1558,10 @@ wccp2HandleUdp(int sock, void *) eventDelete(wccp2AssignBuckets, NULL); debugs(80, 5, "I am not the lowest ip cache - not assigning buckets"); } diff -Nru squid-4.13/debian/patches/0014-SQUID-2022_1.patch squid-4.13/debian/patches/0014-SQUID-2022_1.patch --- squid-4.13/debian/patches/0014-SQUID-2022_1.patch 2022-09-25 13:13:57.000000000 +0000 +++ squid-4.13/debian/patches/0014-SQUID-2022_1.patch 2024-03-07 19:52:04.000000000 +0000 @@ -4,11 +4,9 @@ Fix typo in manager ACL (#1113) -diff --git a/src/cf.data.pre b/src/cf.data.pre -index 4aef432ca..f15d56b13 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre -@@ -1001,7 +1001,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN +@@ -1001,7 +1001,7 @@ DEFAULT: ssl::certUntrusted ssl_error X5 DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ENDIF DEFAULT: all src all diff -Nru squid-4.13/debian/patches/0015-SQUID-2022_2.patch squid-4.13/debian/patches/0015-SQUID-2022_2.patch --- squid-4.13/debian/patches/0015-SQUID-2022_2.patch 2022-09-25 13:13:57.000000000 +0000 +++ squid-4.13/debian/patches/0015-SQUID-2022_2.patch 2024-03-07 19:52:04.000000000 +0000 @@ -10,11 +10,9 @@ Improve debugs and checks sequence to clarify cases and ensure that all are handled correctly. -diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc -index 5d9637290..f00fd51f8 100644 --- a/lib/ntlmauth/ntlmauth.cc 
+++ b/lib/ntlmauth/ntlmauth.cc -@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr +@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, int32_t o = le32toh(str->offset); // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); diff -Nru squid-4.13/debian/patches/CVE-2023-46724.patch squid-4.13/debian/patches/CVE-2023-46724.patch --- squid-4.13/debian/patches/CVE-2023-46724.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-46724.patch 2024-03-07 19:52:04.000000000 +0000 @@ -0,0 +1,34 @@ +From: Markus Koschany +Date: Mon, 19 Feb 2024 12:09:15 +0100 +Subject: CVE-2023-46724 + +Bug-Debian: https://bugs.debian.org/1055252 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch +--- + src/anyp/Uri.cc | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc +index 94b3bb4..7ccad93 100644 +--- a/src/anyp/Uri.cc ++++ b/src/anyp/Uri.cc +@@ -173,6 +173,10 @@ urlInitialize(void) + assert(0 == matchDomainName("*.foo.com", ".foo.com", mdnHonorWildcards)); + assert(0 != matchDomainName("*.foo.com", "foo.com", mdnHonorWildcards)); + ++ assert(0 != matchDomainName("foo.com", "")); ++ assert(0 != matchDomainName("foo.com", "", mdnHonorWildcards)); ++ assert(0 != matchDomainName("foo.com", "", mdnRejectSubsubDomains)); ++ + /* more cases? */ + } + +@@ -756,6 +760,8 @@ matchDomainName(const char *h, const char *d, MatchDomainNameFlags flags) + return -1; + + dl = strlen(d); ++ if (dl == 0) ++ return 1; + + /* + * Start at the ends of the two strings and work towards the diff -Nru squid-4.13/debian/patches/CVE-2023-46846.patch squid-4.13/debian/patches/CVE-2023-46846.patch --- squid-4.13/debian/patches/CVE-2023-46846.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-46846.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,103 @@ +From: Markus Koschany +Date: Sat, 20 Jan 2024 11:00:59 +0100 +Subject: CVE-2023-46846 + +Bug-Debian: https://bugs.debian.org/1054537 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch +--- + src/http/one/Parser.cc | 9 +++------ + src/http/one/TeChunkedParser.cc | 7 ++++++- + src/parser/Tokenizer.cc | 13 +++++++++++++ + src/parser/Tokenizer.h | 6 ++++++ + 4 files changed, 28 insertions(+), 7 deletions(-) + +--- a/src/http/one/Parser.cc ++++ b/src/http/one/Parser.cc +@@ -64,17 +64,14 @@ Http::One::Parser::DelimiterCharacters() + bool + Http::One::Parser::skipLineTerminator(Http1::Tokenizer &tok) const + { +- if (tok.skip(Http1::CrLf())) +- return true; +- + if (Config.onoff.relaxed_header_parser && tok.skipOne(CharacterSet::LF)) + return true; + +- if (tok.atEnd() || (tok.remaining().length() == 1 && tok.remaining().at(0) == '\r')) +- return false; // need more data ++ if (tok.skipRequired("line-terminating CRLF", Http1::CrLf())) ++ return true; + + throw TexcHere("garbage instead of CRLF line terminator"); +- return false; // unreachable, but make naive compilers happy ++ return false; + } + + /// all characters except the LF line terminator +--- a/src/http/one/TeChunkedParser.cc ++++ b/src/http/one/TeChunkedParser.cc +@@ -84,6 +84,11 @@ Http::One::TeChunkedParser::parseChunkSi + { + Must(theChunkSize <= 0); // Should(), really + ++ static const SBuf bannedHexPrefixLower("0x"); ++ static const SBuf bannedHexPrefixUpper("0X"); ++ if (tok.skip(bannedHexPrefixLower) || tok.skip(bannedHexPrefixUpper)) ++ throw TextException("chunk starts with 0x", Here()); ++ + int64_t size = -1; + if (tok.int64(size, 16, false) && !tok.atEnd()) { + if (size < 0) +@@ -192,7 +197,7 @@ Http::One::TeChunkedParser::parseChunkEn + { + Must(theLeftBodySize == 0); // Should(), really + +- if (skipLineTerminator(tok)) { ++ if (tok.skipRequired("chunk CRLF", Http1::CrLf())) { + buf_ = tok.remaining(); // parse checkpoint + theChunkSize = 0; // done with the 
current chunk + parsingStage_ = Http1::HTTP_PARSE_CHUNK_SZ; +--- a/src/parser/Tokenizer.cc ++++ b/src/parser/Tokenizer.cc +@@ -11,6 +11,7 @@ + #include "squid.h" + #include "Debug.h" + #include "parser/Tokenizer.h" ++#include "sbuf/Stream.h" + + #include + #if HAVE_CTYPE_H +@@ -129,6 +130,18 @@ Parser::Tokenizer::skipAll(const Charact + } + + bool ++Parser::Tokenizer::skipRequired(const char *description, const SBuf &tokenToSkip) ++{ ++ if (skip(tokenToSkip) || tokenToSkip.isEmpty()) ++ return true; ++ ++ if (tokenToSkip.startsWith(buf_)) ++ return false; ++ ++ throw TextException(ToSBuf("cannot skip ", description), Here()); ++} ++ ++bool + Parser::Tokenizer::skipOne(const CharacterSet &chars) + { + if (!buf_.isEmpty() && chars[buf_[0]]) { +--- a/src/parser/Tokenizer.h ++++ b/src/parser/Tokenizer.h +@@ -115,6 +115,12 @@ public: + */ + SBuf::size_type skipAll(const CharacterSet &discardables); + ++ /** skips a given character sequence (string); +++ * does nothing if the sequence is empty ++ * returns false on mismatching prefix or InsufficientInput ++ */ ++ bool skipRequired(const char *description, const SBuf &tokenToSkip); ++ + /** Removes a single trailing character from the set. + * + * \return whether a character was removed diff -Nru squid-4.13/debian/patches/CVE-2023-46847.patch squid-4.13/debian/patches/CVE-2023-46847.patch --- squid-4.13/debian/patches/CVE-2023-46847.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-46847.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,31 @@ +From: Markus Koschany +Date: Thu, 11 Dec 2023 18:18:54 +0100 +Subject: CVE-2023-46847 + +Bug-Debian: https://bugs.debian.org/1055250 +Origin: https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3 +--- + src/auth/digest/Config.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/src/auth/digest/Config.cc ++++ b/src/auth/digest/Config.cc +@@ -847,11 +847,15 @@ Auth::Digest::Config::decode(char const + break; + + case DIGEST_NC: +- if (value.size() != 8) { ++ if (value.size() == 8) { ++ // for historical reasons, the nc value MUST be exactly 8 bytes ++ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size"); ++ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); ++ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); ++ } else { + debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'"); ++ digest_request->nc[0] = 0; + } +- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1); +- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'"); + break; + + case DIGEST_CNONCE: diff -Nru squid-4.13/debian/patches/CVE-2023-49285.patch squid-4.13/debian/patches/CVE-2023-49285.patch --- squid-4.13/debian/patches/CVE-2023-49285.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-49285.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,25 @@ +From: Markus Koschany +Date: Thu, 11 Dec 2023 18:24:51 +0100 +Subject: CVE-2023-49285 + +Origin: https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b +--- + lib/rfc1123.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/lib/rfc1123.c ++++ b/lib/rfc1123.c +@@ -50,7 +50,13 @@ make_month(const char *s) + char month[3]; + + month[0] = xtoupper(*s); ++ if (!month[0]) ++ return -1; // protects *(s + 1) below ++ + month[1] = xtolower(*(s + 1)); ++ if (!month[1]) ++ return -1; // protects *(s + 2) below ++ + month[2] = xtolower(*(s + 2)); + + for (i = 0; i < 12; i++) diff -Nru squid-4.13/debian/patches/CVE-2023-49286.patch squid-4.13/debian/patches/CVE-2023-49286.patch --- squid-4.13/debian/patches/CVE-2023-49286.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-49286.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,70 @@ +From: Markus Koschany +Date: Thu, 11 Dec 2023 18:26:45 +0100 +Subject: CVE-2023-49286 + +Origin: http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch +--- + src/ipc.cc | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +--- a/src/ipc.cc ++++ b/src/ipc.cc +@@ -20,6 +20,12 @@ + #include "SquidIpc.h" + #include "tools.h" + ++#include ++ ++#if HAVE_UNISTD_H ++#include ++#endif ++ + static const char *hello_string = "hi there\n"; + #ifndef HELLO_BUF_SZ + #define HELLO_BUF_SZ 32 +@@ -365,6 +371,22 @@ ipcCreate(int type, const char *prog, co + } + + PutEnvironment(); ++ ++ // A dup(2) wrapper that reports and exits the process on errors. The ++ // exiting logic is only suitable for this child process context. ++ const auto dupOrExit = [prog,name](const int oldFd) { ++ const auto newFd = dup(oldFd); ++ if (newFd < 0) { ++ const auto savedErrno = errno; ++ debugs(54, DBG_CRITICAL, "ERROR: Helper process initialization failure: " << name); ++ debugs(54, DBG_CRITICAL, "helper (CHILD) PID: " << getpid()); ++ debugs(54, DBG_CRITICAL, "helper program name: " << prog); ++ debugs(54, DBG_CRITICAL, "dup(2) system call error for FD " << oldFd << ": " << xstrerr(savedErrno)); ++ _exit(1); ++ } ++ return newFd; ++ }; ++ + /* + * This double-dup stuff avoids problems when one of + * crfd, cwfd, or debug_log are in the rage 0-2. +@@ -372,17 +394,16 @@ ipcCreate(int type, const char *prog, co + + do { + /* First make sure 0-2 is occupied by something. 
Gets cleaned up later */ +- x = dup(crfd); +- assert(x > -1); +- } while (x < 3 && x > -1); ++ x = dupOrExit(crfd); ++ } while (x < 3); + + close(x); + +- t1 = dup(crfd); ++ t1 = dupOrExit(crfd); + +- t2 = dup(cwfd); ++ t2 = dupOrExit(cwfd); + +- t3 = dup(fileno(debug_log)); ++ t3 = dupOrExit(fileno(debug_log)); + + assert(t1 > 2 && t2 > 2 && t3 > 2); + diff -Nru squid-4.13/debian/patches/CVE-2023-50269.patch squid-4.13/debian/patches/CVE-2023-50269.patch --- squid-4.13/debian/patches/CVE-2023-50269.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2023-50269.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,57 @@ +From: Markus Koschany +Date: Tue, 26 Dec 2023 19:58:12 +0100 +Subject: CVE-2023-50269 + +Bug-Debian: https://bugs.debian.org/1058721 +Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch +--- + src/ClientRequestContext.h | 4 ++++ + src/client_side_request.cc | 17 +++++++++++++++-- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/src/ClientRequestContext.h ++++ b/src/ClientRequestContext.h +@@ -81,6 +81,10 @@ public: + #endif + ErrorState *error; ///< saved error page for centralized/delayed processing + bool readNextRequest; ///< whether Squid should read after error handling ++ ++#if FOLLOW_X_FORWARDED_FOR ++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far ++#endif + }; + + #endif /* SQUID_CLIENTREQUESTCONTEXT_H */ +--- a/src/client_side_request.cc ++++ b/src/client_side_request.cc +@@ -79,6 +79,11 @@ + static const char *const crlf = "\r\n"; + + #if FOLLOW_X_FORWARDED_FOR ++ ++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX) ++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64 ++#endif ++ + static void clientFollowXForwardedForCheck(allow_t answer, void *data); + #endif /* FOLLOW_X_FORWARDED_FOR */ + +@@ -486,8 +491,16 @@ clientFollowXForwardedForCheck(allow_t a + /* override the default src_addr tested if we have to go deeper than one level into XFF */ + Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; + } +- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); +- return; ++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) { ++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); ++ return; ++ } ++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name; ++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses"); ++ debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << 
calloutContext->currentXffHopNumber); ++ debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr); ++ debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator); ++ // fall through to resume clientAccessCheck() processing + } + } + diff -Nru squid-4.13/debian/patches/CVE-2024-23638.patch squid-4.13/debian/patches/CVE-2024-23638.patch --- squid-4.13/debian/patches/CVE-2024-23638.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2024-23638.patch 2024-03-07 19:52:04.000000000 +0000 @@ -0,0 +1,21 @@ +From: Markus Koschany +Date: Wed, 6 Mar 2024 14:46:19 +0100 +Subject: CVE-2024-23638 + +Origin: Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch +--- + src/cache_manager.cc | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/cache_manager.cc b/src/cache_manager.cc +index 0ed9a55..c352330 100644 +--- a/src/cache_manager.cc ++++ b/src/cache_manager.cc +@@ -323,7 +323,6 @@ CacheManager::Start(const Comm::ConnectionPointer &client, HttpRequest * request + const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request); + err->url = xstrdup(entry->url()); + errorAppendEntry(entry, err); +- entry->expires = squid_curtime; + return; + } + diff -Nru squid-4.13/debian/patches/CVE-2024-25617.patch squid-4.13/debian/patches/CVE-2024-25617.patch --- squid-4.13/debian/patches/CVE-2024-25617.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.13/debian/patches/CVE-2024-25617.patch 2024-03-07 19:52:04.000000000 +0000 
@@ -0,0 +1,117 @@ +From: Markus Koschany +Date: Wed, 6 Mar 2024 14:49:00 +0100 +Subject: CVE-2024-25617 + +Origin: Origin: http://www.squid-cache.org/Versions/v6/SQUID-2024_2.patch +--- + src/SquidString.h | 11 ++++++++++- + src/cache_cf.cc | 12 ++++++++++++ + src/cf.data.pre | 26 ++++++++++++++++---------- + src/http.cc | 5 +++-- + 4 files changed, 41 insertions(+), 13 deletions(-) + +diff --git a/src/SquidString.h b/src/SquidString.h +index 9325a76..3b7fff6 100644 +--- a/src/SquidString.h ++++ b/src/SquidString.h +@@ -114,7 +114,16 @@ private: + + size_type len_; /* current length */ + +- static const size_type SizeMax_ = 65535; ///< 64K limit protects some fixed-size buffers ++ /// An earlier 64KB limit was meant to protect some fixed-size buffers, but ++ /// (a) we do not know where those buffers are (or whether they still exist) ++ /// (b) too many String users unknowingly exceeded that limit and asserted. ++ /// We are now using a larger limit to reduce the number of (b) cases, ++ /// especially cases where "compact" lists of items grow 50% in size when we ++ /// convert them to canonical form. The new limit is selected to withstand ++ /// concatenation and ~50% expansion of two HTTP headers limited by default ++ /// request_header_max_size and reply_header_max_size settings. ++ static const size_type SizeMax_ = 3*64*1024 - 1; ++ + /// returns true after increasing the first argument by extra if the sum does not exceed SizeMax_ + static bool SafeAdd(size_type &base, size_type extra) { if (extra <= SizeMax_ && base <= SizeMax_ - extra) { base += extra; return true; } return false; } + +diff --git a/src/cache_cf.cc b/src/cache_cf.cc +index 843fe69..f93ecad 100644 +--- a/src/cache_cf.cc ++++ b/src/cache_cf.cc +@@ -935,6 +935,18 @@ configDoConfigure(void) + (uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize); + } + ++ // Warn about the dangers of exceeding String limits when manipulating HTTP ++ // headers. 
Technically, we do not concatenate _requests_, so we could relax ++ // their check, but we keep the two checks the same for simplicity sake. ++ const auto safeRawHeaderValueSizeMax = (String::SizeMaxXXX()+1)/3; ++ // TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024); // no WARNINGs for default settings ++ if (Config.maxRequestHeaderSize > safeRawHeaderValueSizeMax) ++ debugs(3, DBG_CRITICAL, "WARNING: Increasing request_header_max_size beyond " << safeRawHeaderValueSizeMax << ++ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxRequestHeaderSize << " bytes"); ++ if (Config.maxReplyHeaderSize > safeRawHeaderValueSizeMax) ++ debugs(3, DBG_CRITICAL, "WARNING: Increasing reply_header_max_size beyond " << safeRawHeaderValueSizeMax << ++ " bytes makes Squid more vulnerable to denial-of-service attacks; configured value: " << Config.maxReplyHeaderSize << " bytes"); ++ + /* + * Disable client side request pipelining if client_persistent_connections OFF. + * Waste of resources queueing any pipelined requests when the first will close the connection. +diff --git a/src/cf.data.pre b/src/cf.data.pre +index a1b41cf..a4c074a 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -6191,11 +6191,14 @@ TYPE: b_size_t + DEFAULT: 64 KB + LOC: Config.maxRequestHeaderSize + DOC_START +- This specifies the maximum size for HTTP headers in a request. +- Request headers are usually relatively small (about 512 bytes). +- Placing a limit on the request header size will catch certain +- bugs (for example with persistent connections) and possibly +- buffer-overflow or denial-of-service attacks. ++ This directives limits the header size of a received HTTP request ++ (including request-line). Increasing this limit beyond its 64 KB default ++ exposes certain old Squid code to various denial-of-service attacks. This ++ limit also applies to received FTP commands. ++ ++ This limit has no direct affect on Squid memory consumption. 
++ ++ Squid does not check this limit when sending requests. + DOC_END + + NAME: reply_header_max_size +@@ -6204,11 +6207,14 @@ TYPE: b_size_t + DEFAULT: 64 KB + LOC: Config.maxReplyHeaderSize + DOC_START +- This specifies the maximum size for HTTP headers in a reply. +- Reply headers are usually relatively small (about 512 bytes). +- Placing a limit on the reply header size will catch certain +- bugs (for example with persistent connections) and possibly +- buffer-overflow or denial-of-service attacks. ++ This directives limits the header size of a received HTTP response ++ (including status-line). Increasing this limit beyond its 64 KB default ++ exposes certain old Squid code to various denial-of-service attacks. This ++ limit also applies to FTP command responses. ++ ++ Squid also checks this limit when loading hit responses from disk cache. ++ ++ Squid does not check this limit when sending responses. + DOC_END + + NAME: request_body_max_size +diff --git a/src/http.cc b/src/http.cc +index 0409ea5..5b25912 100644 +--- a/src/http.cc ++++ b/src/http.cc +@@ -1872,8 +1872,9 @@ HttpStateData::httpBuildRequestHeader(HttpRequest * request, + + String strFwd = hdr_in->getList(Http::HdrType::X_FORWARDED_FOR); + +- // if we cannot double strFwd size, then it grew past 50% of the limit +- if (!strFwd.canGrowBy(strFwd.size())) { ++ // Detect unreasonably long header values. And paranoidly check String ++ // limits: a String ought to accommodate two reasonable-length values. ++ if (strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())) { + // There is probably a forwarding loop with Via detection disabled. + // If we do nothing, String will assert on overflow soon. + // TODO: Terminate all transactions with huge XFF? diff -Nru squid-4.13/debian/patches/series squid-4.13/debian/patches/series --- squid-4.13/debian/patches/series 2022-09-25 13:13:57.000000000 +0000 +++ squid-4.13/debian/patches/series 2024-03-07 19:52:04.000000000 +0000 
@@ -1,7 +1,6 @@ 0001-Default-configuration-file-for-debian.patch 0002-Change-default-file-locations-for-debian.patch 0003-installed-binary-for-debian-ci.patch -#0004-upstream-bug5041.patch 0005-Use-RuntimeDirectory-to-create-run-squid.patch 0006-SQUID-2020_11.patch 0007-CVE-2021-28651.patch @@ -13,3 +12,11 @@ 0013-squid-4-b003a0da7865caa25b5d1e70c79329b32409b02a.patch 0014-SQUID-2022_1.patch 0015-SQUID-2022_2.patch +CVE-2023-46847.patch +CVE-2023-49285.patch +CVE-2023-49286.patch +CVE-2023-50269.patch +CVE-2023-46846.patch +CVE-2024-23638.patch +CVE-2024-25617.patch +CVE-2023-46724.patch
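Review bot: in CVE-2023-46846.patch, the src/http/one/Parser.cc hunk makes skipLineTerminator() throw on incomplete input. skipRequired() returns false when the buffer holds only a prefix of the token (the `tokenToSkip.startsWith(buf_)` branch added in src/parser/Tokenizer.cc), but here a false result falls through to `throw TexcHere("garbage instead of CRLF line terminator")`, while the removed lines returned false for "need more data". skipRequired() already throws on a real mismatch, so suggest replacing the if/throw pair with `return tok.skipRequired("line-terminating CRLF", Http1::CrLf());`.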
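Review bot: in CVE-2023-46846.patch, the src/parser/Tokenizer.h hunk documents skipRequired() as "returns false on mismatching prefix or InsufficientInput", which does not match the implementation in Tokenizer.cc: a mismatch throws TextException, and false is returned only when the buffer is a prefix of tokenToSkip. Callers reading the header will not expect the exception. Suggest rewording the comment to say it throws on mismatch and returns false only when more input is needed, and removing the stray `+` in front of `* does nothing if the sequence is empty`.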
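Review bot: in CVE-2023-50269.patch, the clientFollowXForwardedForCheck() hunk emits four DBG_CRITICAL lines every time a request reaches SQUID_X_FORWARDED_FOR_HOP_MAX, and the last one prints `request->x_forwarded_for_iterator`, the unprocessed remainder of a client-supplied header, so a client can drive log volume at critical level. Suggest logging the event once at a lower level or truncating the ignored-address text. The `#define SQUID_X_FORWARDED_FOR_HOP_MAX 64` block also has no comment saying it can be overridden at build time, and because the test is `++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX` the number of follow-up checks is one less than the macro value, which is worth stating next to the definition.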
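Review bot: the headers of CVE-2024-23638.patch and CVE-2024-25617.patch both read `Origin: Origin: http://www.squid-cache.org/...`, with the field name doubled, so the field value no longer starts with the URL. Suggest a single `Origin:` as in the other new patches. The src/cache_manager.cc hunk of CVE-2024-23638.patch also removes `entry->expires = squid_curtime;` with no description in the patch header of why the assignment was unsafe; one sentence there would help the next person refreshing the series.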
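Review bot: in CVE-2024-25617.patch, the src/cf.data.pre hunks introduce user-facing documentation with grammar errors in both the request_header_max_size and reply_header_max_size entries: "This directives limits" should be "This directive limits", and "has no direct affect on" should be "has no direct effect on". The request entry states the limit has no direct effect on memory consumption while the reply entry has no matching sentence; if that asymmetry is intentional it is fine, otherwise keep the two entries parallel.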
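Review bot: in CVE-2024-25617.patch, the src/http.cc hunk in httpBuildRequestHeader() adds a bare `32*1024` to the condition `strFwd.size() > 32*1024 || !strFwd.canGrowBy(strFwd.size())`, with nothing tying it to the new `SizeMax_ = 3*64*1024 - 1` in SquidString.h or to the 64 KB header-size defaults that the cache_cf.cc hunk warns about. Suggest a named constant with a comment stating how it was chosen, so the three limits can be kept consistent. In the cache_cf.cc hunk the `TODO: static_assert(safeRawHeaderValueSizeMax >= 64*1024)` is left as a comment; with the new SizeMax_ the expression `(String::SizeMaxXXX()+1)/3` evaluates to exactly 64*1024, so note in the comment what prevents the assertion from being enabled.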