fix CVE-2023-50269

This commit is contained in:
xh 2023-12-15 16:03:07 +08:00
parent 2d9c667429
commit 79813e0a42
2 changed files with 94 additions and 1 deletions


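--- /dev/null
+++ b/backport-CVE-2023-50269.patch
@@ -0,0 +1,86 @@
+From 45b6522eb80a6d12f75630fe1c132b52fc3f1624 Mon Sep 17 00:00:00 2001
+From: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
+Date: Tue, 28 Nov 2023 07:35:46 +0000
+Subject: [PATCH] Limit the number of allowed X-Forwarded-For hops (#1589)
+Squid will ignore all X-Forwarded-For elements listed after the first 64
+addresses allowed by the follow_x_forwarded_for directive. A different
+limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
+macro, but that macro is not a supported Squid configuration interface
+and may change or disappear at any time.
+Squid will log a cache.log ERROR if the hop limit has been reached.
+This change works around problematic ACLChecklist and/or slow ACLs
+implementation that results in immediate nonBlockingCheck() callbacks.
+Such callbacks have caused many bugs and development complications. In
+clientFollowXForwardedForCheck() context, they lead to indirect
+recursion that was bound only by the number of allowed XFF entries,
+which could reach thousands and exhaust Squid process call stack.
+This recursion bug was discovered and detailed by Joshua Rogers at
+https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
+where it was filed as "X-Forwarded-For Stack Overflow".
+Conflict: NA
+Reference: https://github.com/squid-cache/squid/commit/45b6522eb80a6d12f75630fe1c132b52fc3f1624
+---
+src/ClientRequestContext.h | 7 ++++++-
+src/client_side_request.cc | 17 +++++++++++++++--
+2 files changed, 21 insertions(+), 3 deletions(-)
+diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
+index 16c33bba4bc..0997f5d22b6 100644
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -80,8 +80,13 @@ class ClientRequestContext : public RefCountable
+#if USE_OPENSSL
+bool sslBumpCheckDone = false;
+#endif
+- ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
+bool readNextRequest = false; ///< whether Squid should read after error handling
++ ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
++
++#if FOLLOW_X_FORWARDED_FOR
++ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+};
+#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+diff --git a/src/client_side_request.cc b/src/client_side_request.cc
+index 5b5b5af8086..7f802d4219e 100644
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -75,6 +75,11 @@
+#endif
+#if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
+#endif /* FOLLOW_X_FORWARDED_FOR */
+@@ -437,8 +442,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
+/* override the default src_addr tested if we have to go deeper than one level into XFF */
+Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+}
+- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+- return;
++ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++ return;
++ }
++ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
++ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
++ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
++ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++ // fall through to resume clientAccessCheck() processing
+}
+}
+--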
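Review bot: The `debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing ...")` added in the client_side_request.cc hunk runs once for every request that reaches the 64-hop cap and streams the remainder of the client-supplied X-Forwarded-For value (`request->x_forwarded_for_iterator`) into cache.log with no truncation or escaping visible in the hunk, so a client that passes the follow_x_forwarded_for ACL (each later hop is checked with the header-supplied address as src_addr) can drive an unbounded stream of level-0 lines carrying bytes of its choosing into the log. If this backport is meant to stay byte-identical to upstream, that log-amplification cost is worth a sentence in the spec changelog; otherwise consider `DBG_IMPORTANT` plus a length cap on the echoed remainder, e.g. `debugs(28, DBG_IMPORTANT, "WARNING: Ignoring trailing " << headerName << " addresses" <<`. Note also that the change bounds rather than removes the synchronous nonBlockingCheck() recursion the commit message describes, and the bound is a compile-time macro (SQUID_X_FORWARDED_FOR_HOP_MAX) with no squid.conf knob, so a distro wanting a different limit must set it in CXXFLAGS. The enclosing clientFollowXForwardedForCheck() starts before this hunk.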


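--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 Name: squid
 Version: 6.1
-Release: 4
+Release: 5
 Summary: The Squid proxy caching server
 Epoch: 7
 License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@@ -29,6 +29,7 @@ Patch8: backport-CVE-2023-46848.patch
 Patch9: backport-CVE-2023-46724.patch
 Patch10: backport-CVE-2023-49285.patch
 Patch11: backport-CVE-2023-49286.patch
+Patch12: backport-CVE-2023-50269.patch
 Requires: bash
 Requires: httpd-filesystem
@@ -251,6 +252,12 @@ fi
 chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
 %changelog
+* Fri Dec 15 2023 xinghe <xinghe2@h-partners.com> - 7:6.1-5
+- Type:cves
+- ID:CVE-2023-50269
+- SUG:NA
+- DESC:fix CVE-2023-50269
 * Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:6.1-4
 - Type:cves
 - ID:CVE-2023-49285 CVE-2023-49286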