From 79813e0a42bb5e56a6b380b50e7f73fb4c732adb Mon Sep 17 00:00:00 2001 From: xh Date: Fri, 15 Dec 2023 16:03:07 +0800 Subject: [PATCH] fix CVE-2023-50269 --- backport-CVE-2023-50269.patch | 86 +++++++++++++++++++++++++++++++++++ squid.spec | 9 +++- 2 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-50269.patch diff --git a/backport-CVE-2023-50269.patch b/backport-CVE-2023-50269.patch new file mode 100644 index 0000000..9853182 --- /dev/null +++ b/backport-CVE-2023-50269.patch 
@@ -0,0 +1,86 @@
+From 45b6522eb80a6d12f75630fe1c132b52fc3f1624 Mon Sep 17 00:00:00 2001
+From: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
+Date: Tue, 28 Nov 2023 07:35:46 +0000
+Subject: [PATCH] Limit the number of allowed X-Forwarded-For hops (#1589)
+
+Squid will ignore all X-Forwarded-For elements listed after the first 64
+addresses allowed by the follow_x_forwarded_for directive. A different
+limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
+macro, but that macro is not a supported Squid configuration interface
+and may change or disappear at any time.
+
+Squid will log a cache.log ERROR if the hop limit has been reached.
+
+This change works around problematic ACLChecklist and/or slow ACLs
+implementation that results in immediate nonBlockingCheck() callbacks.
+Such callbacks have caused many bugs and development complications. In
+clientFollowXForwardedForCheck() context, they lead to indirect
+recursion that was bound only by the number of allowed XFF entries,
+which could reach thousands and exhaust Squid process call stack.
+
+This recursion bug was discovered and detailed by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
+where it was filed as "X-Forwarded-For Stack Overflow".
+
+Conflict: NA
+Reference: https://github.com/squid-cache/squid/commit/45b6522eb80a6d12f75630fe1c132b52fc3f1624
+---
+ src/ClientRequestContext.h | 7 ++++++-
+ src/client_side_request.cc | 17 +++++++++++++++--
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index 16c33bba4bc..0997f5d22b6 100644
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -80,8 +80,13 @@ class ClientRequestContext : public RefCountable
+ #if USE_OPENSSL
+ bool sslBumpCheckDone = false;
+ #endif
+- ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
+ bool readNextRequest = false; ///< whether Squid should read after error handling
++ ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
++#if FOLLOW_X_FORWARDED_FOR
++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+ };
+
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 5b5b5af8086..7f802d4219e 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -75,6 +75,11 @@
+ #endif
+
+ #if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+ static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+
+@@ -437,8 +442,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
+ /* override the default src_addr tested if we have to go deeper than one level into XFF */
+ Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+ }
+- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+- return;
++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++ return;
++ }
++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
++ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
++ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
++ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++ // fall through to resume clientAccessCheck() processing
+ }
+ }
+
+--
diff --git a/squid.spec b/squid.spec
index 9111ab0..554c826 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@ Name: squid
 Version: 6.1
-Release: 4
+Release: 5
 Summary: The Squid proxy caching server
 Epoch: 7
 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@@ -29,6 +29,7 @@ Patch8: backport-CVE-2023-46848.patch
 Patch9: backport-CVE-2023-46724.patch
 Patch10: backport-CVE-2023-49285.patch
 Patch11: backport-CVE-2023-49286.patch
+Patch12: backport-CVE-2023-50269.patch

 Requires: bash
 Requires: httpd-filesystem
@@ -251,6 +252,12 @@ fi
 chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :

 %changelog
+* Fri Dec 15 2023 xinghe - 7:6.1-5
+- Type:cves
+- ID:CVE-2023-50269
+- SUG:NA
+- DESC:fix CVE-2023-50269
+
 * Tue Dec 05 2023 yanglu - 7:6.1-4
 - Type:cves
 - ID:CVE-2023-49285 CVE-2023-49286
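Review bot: The new `#define SQUID_X_FORWARDED_FOR_HOP_MAX 64` in the client_side_request.cc hunk carries no comment, so a maintainer reading the backport sees a bare magic number with nothing linking it to the recursion bound it enforces; I would add `// Bounds the X-Forwarded-For hops walked by clientFollowXForwardedForCheck(), and with it the nonBlockingCheck() re-entry depth (CVE-2023-50269). Build-time only; not a supported configuration knob.` above the `#if !defined(...)` guard. The `debugs(28, DBG_CRITICAL, ...)` branch fires once per request whose XFF chain exceeds the limit and echoes `request->x_forwarded_for_iterator`, so repeated `ERROR: Ignoring trailing X-Forwarded-For addresses` lines in cache.log are the expected signal of that traffic after this update rather than a regression; the package changelog could say so. Whether `currentXffHopNumber` is reset between requests depends on ClientRequestContext's lifetime, which the hunk does not show; if a context were reused, a later request would inherit the count, so that is worth confirming. The enclosing clientFollowXForwardedForCheck() starts and ends outside the hunk.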
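Review bot: The squid.spec hunk only declares `Patch12: backport-CVE-2023-50269.patch`; nothing in this diff applies it, so unless %prep uses `%autosetup` (or an equivalent that applies every PatchN), a matching `%patch12 -p1` line is still needed or release 5 ships without the fix. The %prep section is outside the hunk, so this needs checking against the full spec; the existing Patch8–Patch11 entries presumably follow the same mechanism, which would settle it either way. A cheap post-build confirmation is that the build log shows the patch being applied and the resulting binary logs the new `Ignoring trailing X-Forwarded-For addresses` message when tested.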