diff --git a/CVE-2020-11945.patch b/CVE-2020-11945.patch
new file mode 100644
index 0000000000000000000000000000000000000000..649b3fc5d2fb983e946c6f02277f1a331f9d6234
--- /dev/null
+++ b/CVE-2020-11945.patch
@@ -0,0 +1,63 @@
+commit eeebf0f37a72a2de08348e85ae34b02c34e9a811
+Author: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
+Date: 2020-04-02 11:16:45 +0000
+
+ Fix auth digest refcount integer overflow (#585)
+
+ This fixes a possible overflow of the nonce reference counter in the
+ digest authentication scheme, found by security researchers
+ @synacktiv.
+
+ It changes `references` to be an 64 bits unsigned integer. This makes
+ overflowing the counter impossible in practice.
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index fdef7df..9deb184 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
+ static void authenticateDigestNonceSetup(void);
+ static void authDigestNonceEncode(digest_nonce_h * nonce);
+ static void authDigestNonceLink(digest_nonce_h * nonce);
+-#if NOT_USED
+-static int authDigestNonceLinks(digest_nonce_h * nonce);
+-#endif
+ static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
+
+ static void
+@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
+ {
+ assert(nonce != NULL);
+ ++nonce->references;
++ assert(nonce->references != 0); // no overflows
+ debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
+ }
+
+-#if NOT_USED
+-static int
+-authDigestNonceLinks(digest_nonce_h * nonce)
+-{
+- if (!nonce)
+- return -1;
+-
+- return nonce->references;
+-}
+-
+-#endif
+-
+ void
+ authDigestNonceUnlink(digest_nonce_h * nonce)
+ {
+diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
+index 56ccaa9..7fb7673 100644
+--- a/src/auth/digest/Config.h
++++ b/src/auth/digest/Config.h
+@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
+ /* number of uses we've seen of this nonce */
+ unsigned long nc;
+ /* reference count */
+- short references;
++ uint64_t references;
+ /* the auth_user this nonce has been tied to */
+ Auth::Digest::User *user;
+ /* has this nonce been invalidated ? */
diff --git a/squid.spec b/squid.spec
index 7d3e90d85cd48aead9d55f9c0ef63f0589e76160..2bde7c08a0074b2126b4aa2a606b7a009bbbbc4f 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid Version: 4.9 -Release: 4 +Release: 5 Summary: The Squid proxy caching server Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@@ -27,6 +27,7 @@ Patch6: CVE-2020-8517.patch Patch7: CVE-2020-8449_CVE-2020-8450.patch Patch8: squid-fix-detection-of-sys-sysctl.h-detection-511.patch Patch9: CVE-2019-12519.patch +Patch10:CVE-2020-11945.patch Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n) Requires: bash >= 2.0
@@ -205,6 +206,12 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Mon Mar 8 2021 openEuler Buildteam - 4.9-5 +- Type:cves +- ID:CVE-2020-11945 +- SUG:restart +- DESC:fix CVE-2020-11945 + * Mon Jan 11 2021 openEuler Buildteam - 4.9-4 - Type:cves - ID:CVE-2019-12519
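Review bot: With `references` widened from `short` to `uint64_t` in the Config.h hunk, the decrement path becomes the side to verify: an unsigned counter decremented at zero wraps to a very large value instead of going negative, and such a nonce would presumably never be released. authDigestNonceUnlink appears only as trailing context of the second Config.cc hunk, so its body is not visible here; confirm it tests `nonce->references > 0` before `--nonce->references`. The added `assert(nonce->references != 0); // no overflows` in authDigestNonceLink cannot realistically fire with a 64-bit counter, so a comment such as `// uint64_t counter: wrap is not reachable in practice; the assert documents the invariant` would state its purpose more exactly.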
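Review bot: `Patch10:CVE-2020-11945.patch` is declared in the second squid.spec hunk, but no hunk touches %prep, so whether the fix is actually applied depends on how this spec applies its patches. If %prep uses %autosetup or %autopatch the declaration is sufficient; if it lists explicit `%patchN -p1` lines, a matching `%patch10 -p1` is needed, otherwise 4.9-5 would ship with the CVE-2020-11945 changelog entry but without the code change. The entry also lacks the space after the colon that the neighbouring Patch lines have; `Patch10: CVE-2020-11945.patch` would match them.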