packages/squid
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-11945

Browse Source
This commit is contained in:
guoxiaoqi 2021-03-08 09:47:37 +08:00
parent c538ce2776
commit 85aac88a36
2 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
CVE-2020-11945.patch Normal file
View File

@ -0,0 +1,63 @@
commit eeebf0f37a72a2de08348e85ae34b02c34e9a811
Author: desbma-s1n <62935004+desbma-s1n@users.noreply.github.com>
Date: 2020-04-02 11:16:45 +0000
Fix auth digest refcount integer overflow (#585)
This fixes a possible overflow of the nonce reference counter in the
digest authentication scheme, found by security researchers
@synacktiv.
It changes `references` to be an 64 bits unsigned integer. This makes
overflowing the counter impossible in practice.
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index fdef7df..9deb184 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
static void authenticateDigestNonceSetup(void);
static void authDigestNonceEncode(digest_nonce_h * nonce);
static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
static void
@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
{
assert(nonce != NULL);
++nonce->references;
+ assert(nonce->references != 0); // no overflows
debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
}
-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
- if (!nonce)
- return -1;
-
- return nonce->references;
-}
-
-#endif
-
void
authDigestNonceUnlink(digest_nonce_h * nonce)
{
diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
index 56ccaa9..7fb7673 100644
--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
/* number of uses we've seen of this nonce */
unsigned long nc;
/* reference count */
- short references;
+ uint64_t references;
/* the auth_user this nonce has been tied to */
Auth::Digest::User *user;
/* has this nonce been invalidated ? */

9
squid.spec
View File

@ -2,7 +2,7 @@
Name: squid Name: squid
Version: 4.9 Version: 4.9
Release: 4 Release: 5
Summary: The Squid proxy caching server Summary: The Squid proxy caching server
Epoch: 7 Epoch: 7
License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain) License: GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -27,6 +27,7 @@ Patch6: CVE-2020-8517.patch
Patch7: CVE-2020-8449_CVE-2020-8450.patch Patch7: CVE-2020-8449_CVE-2020-8450.patch
Patch8: squid-fix-detection-of-sys-sysctl.h-detection-511.patch Patch8: squid-fix-detection-of-sys-sysctl.h-detection-511.patch
Patch9: CVE-2019-12519.patch Patch9: CVE-2019-12519.patch
Patch10:CVE-2020-11945.patch
Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n) Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
Requires: bash >= 2.0 Requires: bash >= 2.0
@ -205,6 +206,12 @@ fi
chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :
%changelog %changelog
* Mon Mar 8 2021 openEuler Buildteam <buildteam@openeuler.org> - 4.9-5
- Type:cves
- ID:CVE-2020-11945
- SUG:restart
- DESC:fix CVE-2020-11945
* Mon Jan 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 4.9-4 * Mon Jan 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 4.9-4
- Type:cves - Type:cves
- ID:CVE-2019-12519 - ID:CVE-2019-12519