diff --git a/backport-CVE-2024-25111.patch b/backport-CVE-2024-25111.patch deleted file mode 100644 index 25de47ef787f0d01e6662c71be04eb4c607b7ec1..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-25111.patch +++ /dev/null @@ -1,248 +0,0 @@ -From 4658d0fc049738c2e6cd25fc0af10e820cf4c11a Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Tue, 31 Oct 2023 11:35:02 +0000 -Subject: [PATCH] Fix infinite recursion when parsing HTTP chunks (#1553) - -This change stops infinite HttpStateData recursion with at-max-capacity -inBuf. Such inBuf prevents progress in the following call chain: - -* processReply() -* processReplyBody() and decodeAndWriteReplyBody() -* maybeReadVirginBody() -* maybeMakeSpaceAvailable() -- tries but fails to quit processing -* processReply() - -HttpStateData::maybeMakeSpaceAvailable() no longer calls processReply(), -preventing recursion. - -maybeReadVirginBody() now aborts transactions that would otherwise get -stalled due to full read buffer at its maximum capacity. This change -requires that all maybeReadVirginBody() callers do actually need more -response data to make progress. AFAICT, that (natural) invariant holds. - -We moved transaction stalling check from maybeMakeSpaceAvailable() into -its previous callers. Without that move, maybeMakeSpaceAvailable() would -have to handle both abortTransaction() and delayRead() cases. Besides -increased code complexity, that would trigger some premature delayRead() -calls (at maybeReadVirginBody() time). Deciding whether to delay socket -reads is complicated, the delay mechanism is expensive, and delaying may -become unnecessary by the time the socket becomes readable, so it is -best to continue to only delayRead() at readReply() time, when there is -no other choice left. - -maybeReadVirginBody() mishandled cases where progress was possible, but -not _immediately_ -- it did nothing in those cases, probably stalling -transactions when maybeMakeSpaceAvailable() returned false but did not -call processReply(). This is now fixed: maybeReadVirginBody() now starts -waiting for the socket to be ready for reading in those cases, -effectively passing control to readReply() that handles them. - -maybeReadVirginBody() prematurely grew buffer for future socket reads. -As a (positive) side effect of the above refactoring, we now delay -buffer growth until the actual read(2) time, which is best for -performance. Most likely, this premature buffer growth was an accident: -maybeReadVirginBody() correctly called maybeMakeSpaceAvailable() with -doGrow set to false. However, maybeMakeSpaceAvailable() misinterpreted -doGrow as a "do not actually do it" parameter. That bug is now gone. - -This recursion bug was discovered and detailed by Joshua Rogers at -https://megamansec.github.io/Squid-Security-Audit/ -where it was filed as "Chunked Encoding Stack Overflow". - -Conflict: NA -Reference: https://github.com/squid-cache/squid/commit/4658d0fc049738c2e6cd25fc0af10e820cf4c11a ---- - src/http.cc | 109 +++++++++++++++++++++++++++++++++++++--------------- - src/http.h | 15 +++----- - 2 files changed, 84 insertions(+), 40 deletions(-) - -diff --git a/src/http.cc b/src/http.cc -index 138c845c7b0..0829c25142f 100644 ---- a/src/http.cc -+++ b/src/http.cc -@@ -54,6 +54,7 @@ - #include "RefreshPattern.h" - #include "rfc1738.h" - #include "SquidConfig.h" -+#include "SquidMath.h" - #include "StatCounters.h" - #include "Store.h" - #include "StrList.h" -@@ -1200,16 +1201,24 @@ HttpStateData::readReply(const CommIoCbParams &io) - * Plus, it breaks our lame *HalfClosed() detection - */ - -- Must(maybeMakeSpaceAvailable(true)); -- CommIoCbParams rd(this); // will be expanded with ReadNow results -- rd.conn = io.conn; -- rd.size = entry->bytesWanted(Range(0, inBuf.spaceSize())); -+ const auto moreDataPermission = canBufferMoreReplyBytes(); -+ if (!moreDataPermission) { -+ abortTransaction("ready to read required data, but the read buffer is full and cannot be drained"); -+ return; -+ } -+ -+ const auto readSizeMax = maybeMakeSpaceAvailable(moreDataPermission.value()); -+ // TODO: Move this logic inside maybeMakeSpaceAvailable(): -+ const auto readSizeWanted = readSizeMax ? entry->bytesWanted(Range(0, readSizeMax)) : 0; - -- if (rd.size <= 0) { -+ if (readSizeWanted <= 0) { - delayRead(); - return; - } - -+ CommIoCbParams rd(this); // will be expanded with ReadNow results -+ rd.conn = io.conn; -+ rd.size = readSizeWanted; - switch (Comm::ReadNow(rd, inBuf)) { - case Comm::INPROGRESS: - if (inBuf.isEmpty()) -@@ -1591,8 +1600,10 @@ HttpStateData::maybeReadVirginBody() - if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing()) - return; - -- if (!maybeMakeSpaceAvailable(false)) -+ if (!canBufferMoreReplyBytes()) { -+ abortTransaction("more response bytes required, but the read buffer is full and cannot be drained"); - return; -+ } - - // XXX: get rid of the do_next_read flag - // check for the proper reasons preventing read(2) -@@ -1610,40 +1621,78 @@ HttpStateData::maybeReadVirginBody() - Comm::Read(serverConnection, call); - } - --bool --HttpStateData::maybeMakeSpaceAvailable(bool doGrow) -+/// Desired inBuf capacity based on various capacity preferences/limits: -+/// * a smaller buffer may not hold enough for look-ahead header/body parsers; -+/// * a smaller buffer may result in inefficient tiny network reads; -+/// * a bigger buffer may waste memory; -+/// * a bigger buffer may exceed SBuf storage capabilities (SBuf::maxSize); -+size_t -+HttpStateData::calcReadBufferCapacityLimit() const - { -- // how much we are allowed to buffer -- const int limitBuffer = (flags.headers_parsed ? Config.readAheadGap : Config.maxReplyHeaderSize); -- -- if (limitBuffer < 0 || inBuf.length() >= (SBuf::size_type)limitBuffer) { -- // when buffer is at or over limit already -- debugs(11, 7, "will not read up to " << limitBuffer << ". buffer has (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); -- debugs(11, DBG_DATA, "buffer has {" << inBuf << "}"); -- // Process next response from buffer -- processReply(); -- return false; -+ if (!flags.headers_parsed) -+ return Config.maxReplyHeaderSize; -+ -+ // XXX: Our inBuf is not used to maintain the read-ahead gap, and using -+ // Config.readAheadGap like this creates huge read buffers for large -+ // read_ahead_gap values. TODO: Switch to using tcp_recv_bufsize as the -+ // primary read buffer capacity factor. -+ // -+ // TODO: Cannot reuse throwing NaturalCast() here. Consider removing -+ // .value() dereference in NaturalCast() or add/use NaturalCastOrMax(). -+ const auto configurationPreferences = NaturalSum(Config.readAheadGap).value_or(SBuf::maxSize); -+ -+ // TODO: Honor TeChunkedParser look-ahead and trailer parsing requirements -+ // (when explicit configurationPreferences are set too low). -+ -+ return std::min(configurationPreferences, SBuf::maxSize); -+} -+ -+/// The maximum number of virgin reply bytes we may buffer before we violate -+/// the currently configured response buffering limits. -+/// \retval std::nullopt means that no more virgin response bytes can be read -+/// \retval 0 means that more virgin response bytes may be read later -+/// \retval >0 is the number of bytes that can be read now (subject to other constraints) -+std::optional -+HttpStateData::canBufferMoreReplyBytes() const -+{ -+#if USE_ADAPTATION -+ // If we do not check this now, we may say the final "no" prematurely below -+ // because inBuf.length() will decrease as adaptation drains buffered bytes. -+ if (responseBodyBuffer) { -+ debugs(11, 3, "yes, but waiting for adaptation to drain read buffer"); -+ return 0; // yes, we may be able to buffer more (but later) -+ } -+#endif -+ -+ const auto maxCapacity = calcReadBufferCapacityLimit(); -+ if (inBuf.length() >= maxCapacity) { -+ debugs(11, 3, "no, due to a full buffer: " << inBuf.length() << '/' << inBuf.spaceSize() << "; limit: " << maxCapacity); -+ return std::nullopt; // no, configuration prohibits buffering more - } - -+ const auto maxReadSize = maxCapacity - inBuf.length(); // positive -+ debugs(11, 7, "yes, may read up to " << maxReadSize << " into " << inBuf.length() << '/' << inBuf.spaceSize()); -+ return maxReadSize; // yes, can read up to this many bytes (subject to other constraints) -+} -+ -+/// prepare read buffer for reading -+/// \return the maximum number of bytes the caller should attempt to read -+/// \retval 0 means that the caller should delay reading -+size_t -+HttpStateData::maybeMakeSpaceAvailable(const size_t maxReadSize) -+{ - // how much we want to read -- const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), (limitBuffer - inBuf.length())); -+ const size_t read_size = calcBufferSpaceToReserve(inBuf.spaceSize(), maxReadSize); - -- if (!read_size) { -+ if (read_size < 2) { - debugs(11, 7, "will not read up to " << read_size << " into buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); -- return false; -+ return 0; - } - -- // just report whether we could grow or not, do not actually do it -- if (doGrow) -- return (read_size >= 2); -- - // we may need to grow the buffer - inBuf.reserveSpace(read_size); -- debugs(11, 8, (!flags.do_next_read ? "will not" : "may") << -- " read up to " << read_size << " bytes info buf(" << inBuf.length() << "/" << inBuf.spaceSize() << -- ") from " << serverConnection); -- -- return (inBuf.spaceSize() >= 2); // only read if there is 1+ bytes of space available -+ debugs(11, 7, "may read up to " << read_size << " bytes info buffer (" << inBuf.length() << "/" << inBuf.spaceSize() << ") from " << serverConnection); -+ return read_size; - } - - /// called after writing the very last request byte (body, last-chunk, etc) -diff --git a/src/http.h b/src/http.h -index 7baffe36499..4f59af90ba8 100644 ---- a/src/http.h -+++ b/src/http.h -@@ -15,6 +15,8 @@ - #include "http/StateFlags.h" - #include "sbuf/SBuf.h" - -+#include -+ - class FwdState; - class HttpHeader; - class String; -@@ -114,16 +116,9 @@ class HttpStateData : public Client - - void abortTransaction(const char *reason) { abortAll(reason); } // abnormal termination - -- /** -- * determine if read buffer can have space made available -- * for a read. -- * -- * \param grow whether to actually expand the buffer -- * -- * \return whether the buffer can be grown to provide space -- * regardless of whether the grow actually happened. -- */ -- bool maybeMakeSpaceAvailable(bool grow); -+ size_t calcReadBufferCapacityLimit() const; -+ std::optional canBufferMoreReplyBytes() const; -+ size_t maybeMakeSpaceAvailable(size_t maxReadSize); - - // consuming request body - virtual void handleMoreRequestBodyAvailable(); diff --git a/backport-CVE-2024-37894.patch b/backport-CVE-2024-37894.patch deleted file mode 100644 index 92d6a73f088e10b71b2a70b25b9b166d0340217a..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-37894.patch +++ /dev/null @@ -1,25 +0,0 @@ -From f411fe7d75197852f0e5ee85027a06d58dd8df4c Mon Sep 17 00:00:00 2001 -From: Francesco Chemolli -Date: Sun, 2 Jun 2024 16:41:08 +0200 -Subject: [PATCH] Force downcast in TrieNode::add - ---- - lib/libTrie/TrieNode.cc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/libTrie/TrieNode.cc b/lib/libTrie/TrieNode.cc -index 0f991a0..d417e0f 100644 ---- a/lib/libTrie/TrieNode.cc -+++ b/lib/libTrie/TrieNode.cc -@@ -32,7 +32,7 @@ TrieNode::add(char const *aString, size_t theLength, void *privatedata, TrieChar - /* We trust that privatedata and existent keys have already been checked */ - - if (theLength) { -- int index = transform ? (*transform)(*aString): *aString; -+ const unsigned char index = transform ? (*transform)(*aString): *aString; - - if (!internal[index]) - internal[index] = new TrieNode; --- -2.41.0 - diff --git a/squid-3.0.STABLE1-perlpath.patch b/squid-3.0.STABLE1-perlpath.patch index 5ab22a057c0e88b776903297467c471301f8e1ee..ceebfbbfbb10422ae186ee54be168b2beafd797e 100644 --- a/squid-3.0.STABLE1-perlpath.patch +++ b/squid-3.0.STABLE1-perlpath.patch @@ -1,10 +1,10 @@ diff --git a/contrib/url-normalizer.pl b/contrib/url-normalizer.pl -index 4cb0480..4b89910 100755 +index b615d36..859130a 100755 --- a/contrib/url-normalizer.pl +++ b/contrib/url-normalizer.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2023 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors # * diff --git a/squid-6.12.tar.xz b/squid-6.12.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..24e98fafc71c5e7cf73696cad194559fd21bc7f8 Binary files /dev/null and b/squid-6.12.tar.xz differ diff --git a/squid-6.12.tar.xz.asc b/squid-6.12.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..8080835c9ef05c73652ccd7a945b6b23e9b26488 --- /dev/null +++ b/squid-6.12.tar.xz.asc @@ -0,0 +1,17 @@ +File: squid-6.12.tar.xz +Date: Fri Oct 11 08:30:43 PM UTC 2024 +Size: 2548220 +MD5 : 26a264b234e22e012ea531d4f5d43ed1 +SHA1: 2885015423b66f0b87e2e3ed0dfd17f3f124d7e6 +Key : 29B4B1F7CE03D1B1DED22F3028F85029FEF6E865 + 29B4 B1F7 CE03 D1B1 DED2 2F30 28F8 5029 FEF6 E865 +sub cv25519 2021-05-15 [E] + keyring = http://www.squid-cache.org/pgp.asc + keyserver = pool.sks-keyservers.net +-----BEGIN PGP SIGNATURE----- + +iHUEABYKAB0WIQQptLH3zgPRsd7SLzAo+FAp/vboZQUCZwmLBQAKCRAo+FAp/vbo +ZYYJAP9pMd7sF4qmLLMlHIu48KMKqGhJdkEEpZJbOvmXS4lpBQD/QzCU3cng78NN +orwehX0iYHf0lWvY8IjBV/9YEPi9iww= +=yaaw +-----END PGP SIGNATURE----- diff --git a/squid-6.6.tar.xz b/squid-6.6.tar.xz deleted file mode 100644 index 221c6caa6a2527ebb4c7696f4f5695c29f151003..0000000000000000000000000000000000000000 Binary files a/squid-6.6.tar.xz and /dev/null differ diff --git a/squid-6.6.tar.xz.asc b/squid-6.6.tar.xz.asc deleted file mode 100644 index 5059576329870601175acd3200632d4f062b255f..0000000000000000000000000000000000000000 --- a/squid-6.6.tar.xz.asc +++ /dev/null @@ -1,25 +0,0 @@ -File: squid-6.6.tar.xz -Date: Thu 07 Dec 2023 04:03:46 UTC -Size: 2554824 -MD5 : 5a41134ee1b7e75f62088acdec92d2ca -SHA1: f05e06a9dd3bf7501d2844e43d9ae1bd00e9edcc -Key : CD6DBF8EF3B17D3E - B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E - keyring = http://www.squid-cache.org/pgp.asc - keyserver = pool.sks-keyservers.net ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAmVxRCsACgkQzW2/jvOx -fT5VtQ/+M+mhaGYCp9YBi1GG9vyQwkkIyngL3vPpz7UxZHAR+mzk29zwlgdDgwWA -Zasaomg8S1Clq2dhNr7oo6RuZ7mKlhEeHba2WvL+1/VcBsPnazUwzYQiW7k9KxYe -n1At62duit+YnswTNnj6HJRKKK0nKlPmJycL1AThh9Tj6oHTsWBCItnSZ5eUjGX0 -aKiMrkrHtq3qheWkVZPCJEFDs88ECDrJD7s9cpAhun+/0v+4ECE65uJ2bZHK4f/E -TH5OIf8vltEB8sA/SSanMM/C+gZObET3TssrgHz92j0svMOlALLtitb0aHly21JV -fEKB200Ngac2y6rq3xDNiznmMn+SeCNUsiDcdauCrsUHNW9S9FhOxeWXy/Z7JK4A -mqVnnqvN9GFvv2EEC8J9lj+cwGOdaSW6L2aPVkub8Ij5O+e2Tg+uBm4ZC8vcACYz -+1oo8YyvcfO9EmNRE0vpFTWH9Ux5ptgdvsIxv41QN40RUYN7FBbOgey59mP3uq2Q -0g/b8lr1PnrwB74OrVGcXLwREFLXtkRC9vcdNjvdchCg60KlBNWEPSGJA2adS8HJ -4AGyVpU8GCpV3q74rJxIG6FUffL85CfT+1HRmQhzYiGJDzy1AaUJmcelyS4e6cjn -urAWH3mlAaPzj87OuaeZYGAZMWh/5iAarU+VHkZn6vI2Mvl9yMA= -=oyMI ------END PGP SIGNATURE----- diff --git a/squid.spec b/squid.spec index bc11b3b31f8dedb49b70229eded6349836e6937e..9a8264f741f0790c4ac643b6dc6e9e6775d3adbc 100644 --- a/squid.spec +++ b/squid.spec @@ -1,8 +1,8 @@ %define __perl_requires %{SOURCE8} Name: squid -Version: 6.6 -Release: 3 +Version: 6.12 +Release: 1 Summary: The Squid proxy caching server Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) @@ -22,8 +22,6 @@ Patch1: squid-3.1.0.9-location.patch Patch2: squid-3.0.STABLE1-perlpath.patch Patch3: backport-squid-6.1-symlink-lang-err.patch Patch4: backport-squid-crash-half-closed.patch -Patch5: backport-CVE-2024-25111.patch -Patch6: backport-CVE-2024-37894.patch Requires: bash Requires: httpd-filesystem @@ -246,6 +244,12 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Thu Oct 17 2024 liweigang - 7:6.12-1 +- Type: requirements +- ID: NA +- SUG: NA +- DESC: upgrade to 6.12 + * Wed Jun 26 2024 yinyongkang - 7:6.6-3 - Type:cves - ID:CVE-2024-37894