fix CVE-2023-50269
This commit is contained in:
xh
parent
2d9c667429
commit
79813e0a42
86
backport-CVE-2023-50269.patch
Normal file
86
backport-CVE-2023-50269.patch
Normal file
@ -0,0 +1,86 @@
|
||||
From 45b6522eb80a6d12f75630fe1c132b52fc3f1624 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Leroy <32497783+p4zuu@users.noreply.github.com>
|
||||
Date: Tue, 28 Nov 2023 07:35:46 +0000
|
||||
Subject: [PATCH] Limit the number of allowed X-Forwarded-For hops (#1589)
|
||||
|
||||
Squid will ignore all X-Forwarded-For elements listed after the first 64
|
||||
addresses allowed by the follow_x_forwarded_for directive. A different
|
||||
limit can be specified by defining a C++ SQUID_X_FORWARDED_FOR_HOP_MAX
|
||||
macro, but that macro is not a supported Squid configuration interface
|
||||
and may change or disappear at any time.
|
||||
|
||||
Squid will log a cache.log ERROR if the hop limit has been reached.
|
||||
|
||||
This change works around problematic ACLChecklist and/or slow ACLs
|
||||
implementation that results in immediate nonBlockingCheck() callbacks.
|
||||
Such callbacks have caused many bugs and development complications. In
|
||||
clientFollowXForwardedForCheck() context, they lead to indirect
|
||||
recursion that was bound only by the number of allowed XFF entries,
|
||||
which could reach thousands and exhaust Squid process call stack.
|
||||
|
||||
This recursion bug was discovered and detailed by Joshua Rogers at
|
||||
https://megamansec.github.io/Squid-Security-Audit/xff-stackoverflow.html
|
||||
where it was filed as "X-Forwarded-For Stack Overflow".
|
||||
|
||||
Conflict: NA
|
||||
Reference: https://github.com/squid-cache/squid/commit/45b6522eb80a6d12f75630fe1c132b52fc3f1624
|
||||
---
|
||||
src/ClientRequestContext.h | 7 ++++++-
|
||||
src/client_side_request.cc | 17 +++++++++++++++--
|
||||
2 files changed, 21 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
|
||||
index 16c33bba4bc..0997f5d22b6 100644
|
||||
--- a/src/ClientRequestContext.h
|
||||
+++ b/src/ClientRequestContext.h
|
||||
@@ -80,8 +80,13 @@ class ClientRequestContext : public RefCountable
|
||||
#if USE_OPENSSL
|
||||
bool sslBumpCheckDone = false;
|
||||
#endif
|
||||
- ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
|
||||
+
|
||||
bool readNextRequest = false; ///< whether Squid should read after error handling
|
||||
+ ErrorState *error = nullptr; ///< saved error page for centralized/delayed processing
|
||||
+
|
||||
+#if FOLLOW_X_FORWARDED_FOR
|
||||
+ size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
|
||||
+#endif
|
||||
};
|
||||
|
||||
#endif /* SQUID_CLIENTREQUESTCONTEXT_H */
|
||||
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
|
||||
index 5b5b5af8086..7f802d4219e 100644
|
||||
--- a/src/client_side_request.cc
|
||||
+++ b/src/client_side_request.cc
|
||||
@@ -75,6 +75,11 @@
|
||||
#endif
|
||||
|
||||
#if FOLLOW_X_FORWARDED_FOR
|
||||
+
|
||||
+#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
|
||||
+#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
|
||||
+#endif
|
||||
+
|
||||
static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
|
||||
#endif /* FOLLOW_X_FORWARDED_FOR */
|
||||
|
||||
@@ -437,8 +442,16 @@ clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
|
||||
/* override the default src_addr tested if we have to go deeper than one level into XFF */
|
||||
Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
|
||||
}
|
||||
- calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
- return;
|
||||
+ if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
|
||||
+ calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
|
||||
+ return;
|
||||
+ }
|
||||
+ const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
|
||||
+ debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses" <<
|
||||
+ Debug::Extra << "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber <<
|
||||
+ Debug::Extra << "last/accepted address: " << request->indirect_client_addr <<
|
||||
+ Debug::Extra << "ignored trailing addresses: " << request->x_forwarded_for_iterator);
|
||||
+ // fall through to resume clientAccessCheck() processing
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
Name: squid
|
||||
Version: 6.1
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: The Squid proxy caching server
|
||||
Epoch: 7
|
||||
License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
|
||||
@ -29,6 +29,7 @@ Patch8: backport-CVE-2023-46848.patch
|
||||
Patch9: backport-CVE-2023-46724.patch
|
||||
Patch10: backport-CVE-2023-49285.patch
|
||||
Patch11: backport-CVE-2023-49286.patch
|
||||
Patch12: backport-CVE-2023-50269.patch
|
||||
|
||||
Requires: bash
|
||||
Requires: httpd-filesystem
|
||||
@ -251,6 +252,12 @@ fi
|
||||
chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
* Fri Dec 15 2023 xinghe <xinghe2@h-partners.com> - 7:6.1-5
|
||||
- Type:cves
|
||||
- ID:CVE-2023-50269
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2023-50269
|
||||
|
||||
* Tue Dec 05 2023 yanglu <yanglu72@h-partners.com> - 7:6.1-4
|
||||
- Type:cves
|
||||
- ID:CVE-2023-49285 CVE-2023-49286
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user