From 4811e9b8dc9d154d6e69b09e723565fc13e97c16 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Mon, 8 Mar 2021 09:47:37 +0800
Subject: [PATCH] fix CVE-2020-11945
(cherry picked from commit 85aac88a36b3fbbf7dbc8feba199a0ec494cf80e)
---
 CVE-2020-11945.patch | 63 ++++++++++++++++++++++++++++++++++++++++++++
 squid.spec | 16 ++++++++---
 2 files changed, 75 insertions(+), 4 deletions(-)
 create mode 100644 CVE-2020-11945.patch
diff --git a/CVE-2020-11945.patch b/CVE-2020-11945.patch
new file mode 100644
index 0000000..649b3fc
--- /dev/null
+++ b/CVE-2020-11945.patch
@@ -0,0 +1,63 @@
+commit eeebf0f37a72a2de08348e85ae34b02c34e9a811
+Author: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
+Date: 2020-04-02 11:16:45 +0000
+
+ Fix auth digest refcount integer overflow (#585)
+
+ This fixes a possible overflow of the nonce reference counter in the
+ digest authentication scheme, found by security researchers
+ @synacktiv.
+
+ It changes `references` to be an 64 bits unsigned integer. This makes
+ overflowing the counter impossible in practice.
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index fdef7df..9deb184 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
+ static void authenticateDigestNonceSetup(void);
+ static void authDigestNonceEncode(digest_nonce_h * nonce);
+ static void authDigestNonceLink(digest_nonce_h * nonce);
+-#if NOT_USED
+-static int authDigestNonceLinks(digest_nonce_h * nonce);
+-#endif
+ static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
+
+ static void
+@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
+ {
+ assert(nonce != NULL);
+ ++nonce->references;
++ assert(nonce->references != 0); // no overflows
+ debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
+ }
+
+-#if NOT_USED
+-static int
+-authDigestNonceLinks(digest_nonce_h * nonce)
+-{
+- if (!nonce)
+- return -1;
+-
+- return nonce->references;
+-}
+-
+-#endif
+-
+ void
+ authDigestNonceUnlink(digest_nonce_h * nonce)
+ {
+diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
+index 56ccaa9..7fb7673 100644
+--- a/src/auth/digest/Config.h
++++ b/src/auth/digest/Config.h
+@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
+ /* number of uses we've seen of this nonce */
+ unsigned long nc;
+ /* reference count */
+- short references;
++ uint64_t references;
+ /* the auth_user this nonce has been tied to */
+ Auth::Digest::User *user;
+ /* has this nonce been invalidated ? */
diff --git a/squid.spec b/squid.spec
index e137e89..9a0d241 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid Version: 4.9 -Release: 3 +Release: 5 Summary: The Squid proxy caching server Epoch: 7 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@@ -25,7 +25,9 @@ Patch4: squid-4.0.21-large-acl.patch Patch5: CVE-2019-12528.patch Patch6: CVE-2020-8517.patch Patch7: CVE-2020-8449_CVE-2020-8450.patch -Patch8: backport-CVE-2019-12519.patch +Patch8: squid-fix-detection-of-sys-sysctl.h-detection-511.patch +Patch9: CVE-2019-12519.patch +Patch10:CVE-2020-11945.patch Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n) Requires: bash >= 2.0
@@ -204,8 +206,14 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog -* Sat Jan 09 2021 xihaochen - 4.9-3 -- Type:CVE +* Mon Mar 8 2021 openEuler Buildteam - 4.9-5 +- Type:cves +- ID:CVE-2020-11945 +- SUG:restart +- DESC:fix CVE-2020-11945 + +* Mon Jan 11 2021 openEuler Buildteam - 4.9-4 +- Type:cves - ID:CVE-2019-12519 - SUG:restart - DESC:fix CVE-2019-12519 -- Gitee
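Review bot: Changing `references` from `short` to `uint64_t` in the embedded Config.h hunk removes the overflow on increment, but it also means an unbalanced decrement now wraps to a very large value instead of going negative, and nothing in the embedded patch touches the decrement side. The body of authDigestNonceUnlink lies outside the Config.cc hunk, so it should be checked against the 4.9 tree that it tests `nonce->references > 0` before decrementing and that no remaining code compares the counter with a negative number, a test that would now always be false. The added `assert(nonce->references != 0); // no overflows` is a fail-stop that presumably disappears in builds with assertions disabled; a comment such as `// unsigned wrap lands on 0; abort rather than continue with a wrong count` would say why 0 is the value tested.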
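Review bot: The second squid.spec hunk points `Patch8` at `squid-fix-detection-of-sys-sysctl.h-detection-511.patch` and adds `Patch9: CVE-2019-12519.patch`, yet the diffstat lists only CVE-2020-11945.patch and squid.spec, so both files must already exist on the target branch or the build will fail on a missing source. The %prep section is outside these hunks; if it applies patches with explicit `%patchN` lines rather than `%autosetup`, a `%patch10 -p1` line is needed, otherwise release 4.9-5 would list the CVE-2020-11945 fix without applying it. In the changelog hunk the 4.9-3 entry is replaced by a 4.9-4 entry with a different author and date, which loses the record of release 3; keeping the old entry and adding the new ones above it would preserve the history. `Patch10:CVE-2020-11945.patch` would read better with the spacing of the tags above it, `Patch10: CVE-2020-11945.patch`.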