diff -Nru squid-4.4/debian/changelog squid-4.4/debian/changelog
--- squid-4.4/debian/changelog 2019-07-11 17:07:14.000000000 +0000
+++ squid-4.4/debian/changelog 2019-07-16 15:43:17.000000000 +0000
@@ -1,3 +1,22 @@
+squid (4.4-1ubuntu2.2) disco-security; urgency=medium
+
+ * SECURITY UPDATE: incorrect digest auth parameter parsing
+ - debian/patches/CVE-2019-12525.patch: check length in
+ src/auth/digest/Config.cc.
+ - CVE-2019-12525
+ * SECURITY UPDATE: buffer overflow in basic auth decoding
+ - debian/patches/CVE-2019-12527.patch: switch to SBuf in
+ src/HttpHeader.cc, src/HttpHeader.h, src/cache_manager.cc,
+ src/clients/FtpGateway.cc.
+ - CVE-2019-12527
+ * SECURITY UPDATE: basic auth uudecode length issue
+ - debian/patches/CVE-2019-12529.patch: replace uudecode with libnettle
+ base64 decoder in lib/Makefile.*, src/auth/basic/Config.cc,
+ include/uudecode.h, lib/uudecode.c.
+ - CVE-2019-12529
+
+ -- Marc Deslauriers Tue, 16 Jul 2019 11:43:17 -0400
+
 squid (4.4-1ubuntu2.1) disco-security; urgency=medium
 
 * SECURITY UPDATE: XSS issues in cachemgr.cgi
diff -Nru squid-4.4/debian/patches/CVE-2019-12525.patch squid-4.4/debian/patches/CVE-2019-12525.patch
--- squid-4.4/debian/patches/CVE-2019-12525.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-4.4/debian/patches/CVE-2019-12525.patch 2019-07-16 15:38:03.000000000 +0000
@@ -0,0 +1,32 @@
+From 409956536647b3a05ee1e367424a24ae6b8f13fd Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Sat, 8 Jun 2019 21:09:23 +0000
+Subject: [PATCH] Fix Digest auth parameter parsing (#415)
+
+Only remove quoting if the domain=, uri= or qop= parameter
+value is surrounded by double-quotes.
+---
+ src/auth/digest/Config.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
+index a8a07cd4db..b547bf83d3 100644
+--- a/src/auth/digest/Config.cc
++++ b/src/auth/digest/Config.cc
+@@ -787,14 +787,14 @@ Auth::Digest::Config::decode(char const *proxy_auth, const char *aRequestRealm)
+ if (keyName == SBuf("domain",6) || keyName == SBuf("uri",3)) {
+ // domain is Special. Not a quoted-string, must not be de-quoted. But is wrapped in '"'
+ // BUG 3077: uri= can also be sent to us in a mangled (invalid!) form like domain
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ }
+ } else if (keyName == SBuf("qop",3)) {
+ // qop is more special.
+ // On request this must not be quoted-string de-quoted. But is several values wrapped in '"'
+ // On response this is a single un-quoted token.
+- if (*p == '"' && *(p + vlen -1) == '"') {
++ if (vlen > 1 && *p == '"' && *(p + vlen -1) == '"') {
+ value.limitInit(p+1, vlen-2);
+ } else {
+ value.limitInit(p, vlen);
diff -Nru squid-4.4/debian/patches/CVE-2019-12527.patch squid-4.4/debian/patches/CVE-2019-12527.patch
--- squid-4.4/debian/patches/CVE-2019-12527.patch 1970-01-01 00:00:00.000000000 +0000
+++ squid-4.4/debian/patches/CVE-2019-12527.patch 2019-07-16 15:38:08.000000000 +0000
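Review bot: In the `domain`/`uri` branch there is no `else`, so when the new `vlen > 1` guard or the quote test fails nothing is assigned to `value` in the visible lines, while the `qop` branch falls back to `value.limitInit(p, vlen)`. If that asymmetry is intended it deserves a comment; otherwise an unquoted or single-character `uri=` value is presumably dropped silently. The guard itself would benefit from a one-line why-comment such as `// need both quotes: a lone '"' would make vlen-2 negative`. The same three-part condition now appears twice, so a small local helper would keep the two sites from drifting apart. decode() starts and ends outside this hunk, so how `value` is initialised cannot be confirmed from here.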
@@ -0,0 +1,144 @@
+From 7f73e9c5d17664b882ed32590e6af310c247f320 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Wed, 19 Jun 2019 05:58:36 +0000
+Subject: [PATCH] Update HttpHeader::getAuth to SBuf (#416)
+
+Replace the fixed-size buffer for decoding base64 tokens with an
+SBuf to avoid decoder issues on large inputs.
+
+Update callers to SBuf API operations for more efficient memory
+management.
+---
+ src/HttpHeader.cc | 25 ++++++++++++++-----------
+ src/HttpHeader.h | 2 +-
+ src/cache_manager.cc | 13 +++++++------
+ src/clients/FtpGateway.cc | 2 +-
+ 4 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc
+index 9f747f9958..dd320d5629 100644
+--- a/src/HttpHeader.cc
++++ b/src/HttpHeader.cc
+@@ -1268,43 +1268,46 @@ HttpHeader::getContRange() const
+ return cr;
+ }
+
+-const char *
+-HttpHeader::getAuth(Http::HdrType id, const char *auth_scheme) const
++SBuf
++HttpHeader::getAuthToken(Http::HdrType id, const char *auth_scheme) const
+ {
+ const char *field;
+ int l;
+ assert(auth_scheme);
+ field = getStr(id);
+
++ static const SBuf nil;
+ if (!field) /* no authorization field */
+- return NULL;
++ return nil;
+
+ l = strlen(auth_scheme);
+
+ if (!l || strncasecmp(field, auth_scheme, l)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ field += l;
+
+ if (!xisspace(*field)) /* wrong scheme */
+- return NULL;
++ return nil;
+
+ /* skip white space */
+ for (; field && xisspace(*field); ++field);
+
+ if (!*field) /* no authorization cookie */
+- return NULL;
++ return nil;
+
+- static char decodedAuthToken[8192];
++ const auto fieldLen = strlen(field);
++ SBuf result;
++ char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+ struct base64_decode_ctx ctx;
+ base64_decode_init(&ctx);
+ size_t decodedLen = 0;
+- if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), strlen(field), field) ||
++ if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast(decodedAuthToken), fieldLen, field) ||
+ !base64_decode_final(&ctx)) {
+- return NULL;
++ return nil;
+ }
+- decodedAuthToken[decodedLen] = '\0';
+- return decodedAuthToken;
++ result.rawAppendFinish(decodedAuthToken, decodedLen);
++ return result;
+ }
+
+ ETag
+diff --git a/src/HttpHeader.h b/src/HttpHeader.h
+index 64fd2781e4..35a941058c 100644
+--- a/src/HttpHeader.h
++++ b/src/HttpHeader.h
+@@ -134,7 +134,7 @@ class HttpHeader
+ HttpHdrRange *getRange() const;
+ HttpHdrSc *getSc() const;
+ HttpHdrContRange *getContRange() const;
+- const char *getAuth(Http::HdrType id, const char *auth_scheme) const;
++ SBuf getAuthToken(Http::HdrType id, const char *auth_scheme) const;
+ ETag getETag(Http::HdrType id) const;
+ TimeOrTag getTimeOrTag(Http::HdrType id) const;
+ int hasListMember(Http::HdrType id, const char *member, const char separator) const;
+diff --git a/src/cache_manager.cc b/src/cache_manager.cc
+index f88cd1c46b..3556a44618 100644
+--- a/src/cache_manager.cc
++++ b/src/cache_manager.cc
+@@ -27,6 +27,7 @@
+ #include "mgr/FunAction.h"
+ #include "mgr/QueryParams.h"
+ #include "protos.h"
++#include "sbuf/StringConvert.h"
+ #include "SquidConfig.h"
+ #include "SquidTime.h"
+ #include "Store.h"
+@@ -243,20 +244,20 @@ CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams ¶m
+ + /* base 64 _decoded_ user:passwd pair */ +- const char *basic_cookie = request->header.getAuth(Http::HdrType::AUTHORIZATION, "Basic"); ++ const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); + +- if (!basic_cookie) ++ if (basic_cookie.isEmpty()) + return; + +- const char *passwd_del; +- if (!(passwd_del = strchr(basic_cookie, ':'))) { ++ const auto colonPos = basic_cookie.find(':'); ++ if (colonPos == SBuf::npos) { + debugs(16, DBG_IMPORTANT, "CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'"); + return; + } + + /* found user:password pair, reset old values */ +- params.userName.limitInit(basic_cookie, passwd_del - basic_cookie); +- params.password = passwd_del + 1; ++ params.userName = SBufToString(basic_cookie.substr(0, colonPos)); ++ params.password = SBufToString(basic_cookie.substr(colonPos+1)); + + /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */ + debugs(16, 9, "CacheManager::ParseHeaders: got user: '" << +diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc +index 9afe3781cd..140c441394 100644 +--- a/src/clients/FtpGateway.cc ++++ b/src/clients/FtpGateway.cc +@@ -1039,7 +1039,7 @@ Ftp::Gateway::checkAuth(const HttpHeader * req_hdr) + + #if HAVE_AUTH_MODULE_BASIC + /* Check HTTP Authorization: headers (better than defaults, but less than URL) */ +- const SBuf auth(req_hdr->getAuth(Http::HdrType::AUTHORIZATION, "Basic")); ++ const auto auth(req_hdr->getAuthToken(Http::HdrType::AUTHORIZATION, "Basic")); + if (!auth.isEmpty()) { + flags.authenticated = 1; + loginParser(auth, false); diff -Nru squid-4.4/debian/patches/CVE-2019-12529.patch squid-4.4/debian/patches/CVE-2019-12529.patch --- squid-4.4/debian/patches/CVE-2019-12529.patch 1970-01-01 00:00:00.000000000 +0000 +++ squid-4.4/debian/patches/CVE-2019-12529.patch 2019-07-16 15:43:17.000000000 +0000 
@@ -0,0 +1,249 @@
+Backport of:
+
+From dd46b5417809647f561d8a5e0e74c3aacd235258 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries
+Date: Tue, 21 May 2019 21:31:31 +0000
+Subject: [PATCH] Replace uudecode with libnettle base64 decoder (#406)
+
+Since RFC 7235 updated the HTTP Authentication credentials token
+to the token68 characterset it is possible that characters
+uudecode cannot cope with are received.
+
+The Nettle decoder better handles characters which are valid but
+not to be used for Basic auth token.
+---
+ include/uudecode.h | 21 ------------
+ lib/Makefile.am | 3 +-
+ lib/uudecode.c | 73 ----------------------------------------
+ src/auth/basic/Config.cc | 20 ++++++++---
+ 4 files changed, 17 insertions(+), 100 deletions(-)
+ delete mode 100644 include/uudecode.h
+ delete mode 100644 lib/uudecode.c
+
+Index: squid-4.4/lib/Makefile.am
+===================================================================
+--- squid-4.4.orig/lib/Makefile.am 2019-07-16 12:03:04.428684097 -0400
++++ squid-4.4/lib/Makefile.am 2019-07-16 12:03:04.424684101 -0400
+@@ -61,8 +61,7 @@ libmiscencoding_la_SOURCES = \
+ html_quote.c \
+ md5.c \
+ rfc1738.c \
+- rfc2617.c \
+- uudecode.c
++ rfc2617.c
+
+ libmisccontainers_la_SOURCES = \
+ hash.cc
+Index: squid-4.4/src/auth/basic/Config.cc
+===================================================================
+--- squid-4.4.orig/src/auth/basic/Config.cc 2019-07-16 12:03:04.428684097 -0400
++++ squid-4.4/src/auth/basic/Config.cc 2019-07-16 12:03:04.424684101 -0400
+@@ -20,6 +20,7 @@
+ #include "auth/CredentialsCache.h"
+ #include "auth/Gadgets.h"
+ #include "auth/State.h"
++#include "base64.h"
+ #include "cache_cf.h"
+ #include "charset.h"
+ #include "helper.h"
+@@ -30,7 +31,6 @@
+ #include "SquidTime.h"
+ #include "Store.h"
+ #include "util.h"
+-#include "uudecode.h"
+ #include "wordlist.h"
+
+ /* Basic Scheme */
+@@ -169,10 +169,17 @@ Auth::Basic::Config::decodeCleartext(con
+ // XXX: really? is the \n actually still there? does the header parse not drop it?
+ char *eek = xstrdup(proxy_auth);
+ strtok(eek, "\n");
+- char *cleartext = uudecode(eek);
+- safe_free(eek);
+
+- if (cleartext) {
++ const size_t srcLen = strlen(eek);
++ char *cleartext = static_cast(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
++
++ struct base64_decode_ctx ctx;
++ base64_decode_init(&ctx);
++
++ size_t dstLen = 0;
++ if (base64_decode_update(&ctx, &dstLen, reinterpret_cast(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
++ cleartext[dstLen] = '\0';
++
+ /*
+ * Don't allow NL or CR in the credentials.
+ * Oezguer Kesim
+@@ -183,7 +190,12 @@ Auth::Basic::Config::decodeCleartext(con
+ debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
+ safe_free(cleartext);
+ }
++ } else {
++ debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
++ safe_free(cleartext);
+ }
++
++ safe_free(eek);
+ return cleartext;
+ }
+
+Index: squid-4.4/include/uudecode.h
+===================================================================
+--- squid-4.4.orig/include/uudecode.h 2019-07-16 12:03:04.428684097 -0400
++++ /dev/null 1970-01-01 00:00:00.000000000 +0000
+@@ -1,21 +0,0 @@
+-/*
+- * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+- *
+- * Squid software is distributed under GPLv2+ license and includes
+- * contributions from numerous individuals and organizations.
+- * Please see the COPYING and CONTRIBUTORS files for details.
+- */
+-
+-#ifndef _SQUID_UUDECODE_H
+-#define _SQUID_UUDECODE_H
+-
+-#ifdef __cplusplus
+-extern "C"
+-#else
+-extern
+-#endif
+-
+-char *uudecode(const char *);
+-
+-#endif /* _SQUID_UUDECODE_H */
+-
+Index: squid-4.4/lib/uudecode.c
+===================================================================
+--- squid-4.4.orig/lib/uudecode.c 2019-07-16 12:03:04.428684097 -0400
++++ /dev/null 1970-01-01 00:00:00.000000000 +0000
+@@ -1,73 +0,0 @@
+-/*
+- * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+- *
+- * Squid software is distributed under GPLv2+ license and includes
+- * contributions from numerous individuals and organizations.
+- * Please see the COPYING and CONTRIBUTORS files for details.
+- */
+-
+-#include "squid.h"
+-#include "uudecode.h"
+-
+-/* aaaack but it's fast and const should make it shared text page. */
+-const int pr2six[256] = {
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 62, 64, 64, 64, 63,
+- 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 64, 64, 64, 64, 64, 64, 64, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
+- 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 64, 64, 64, 64, 64, 64, 26, 27,
+- 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64,
+- 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64
+-};
+-
+-char *
+-uudecode(const char *bufcoded)
+-{
+- int nbytesdecoded;
+- const unsigned char *bufin;
+- char *bufplain;
+- unsigned char *bufout;
+- int nprbytes;
+-
+- /* Strip leading whitespace. */
+-
+- while (*bufcoded == ' ' || *bufcoded == '\t')
+- bufcoded++;
+-
+- /* Figure out how many characters are in the input buffer.
+- * Allocate this many from the per-transaction pool for the result.
+- */
+- bufin = (const unsigned char *) bufcoded;
+- while (pr2six[*(bufin++)] <= 63);
+- nprbytes = (const char *) bufin - bufcoded - 1;
+- nbytesdecoded = ((nprbytes + 3) / 4) * 3;
+-
+- bufplain = xmalloc(nbytesdecoded + 1);
+- bufout = (unsigned char *) bufplain;
+- bufin = (const unsigned char *) bufcoded;
+-
+- while (nprbytes > 0) {
+- *(bufout++) =
+- (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
+- *(bufout++) =
+- (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+- *(bufout++) =
+- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
+- bufin += 4;
+- nprbytes -= 4;
+- }
+-
+- if (nprbytes & 03) {
+- if (pr2six[bufin[-2]] > 63)
+- nbytesdecoded -= 2;
+- else
+- nbytesdecoded -= 1;
+- }
+- bufplain[nbytesdecoded] = '\0';
+- return bufplain;
+-}
+-
+Index: squid-4.4/lib/Makefile.in
+===================================================================
+--- squid-4.4.orig/lib/Makefile.in 2018-10-27 21:50:06.000000000 -0400
++++ squid-4.4/lib/Makefile.in 2019-07-16 12:03:48.588632154 -0400
+@@ -185,7 +185,7 @@ am__v_lt_0 = --silent
+ am__v_lt_1 =
+ libmiscencoding_la_LIBADD =
+ am_libmiscencoding_la_OBJECTS = base64.lo charset.lo html_quote.lo \
+- md5.lo rfc1738.lo rfc2617.lo uudecode.lo
++ md5.lo rfc1738.lo rfc2617.lo
+ libmiscencoding_la_OBJECTS = $(am_libmiscencoding_la_OBJECTS)
+ libmiscutil_la_LIBADD =
+ am_libmiscutil_la_OBJECTS = getfullhostname.lo heap.lo iso3307.lo \
+@@ -236,7 +236,6 @@ am__depfiles_remade = ./$(DEPDIR)/Splay.
+ ./$(DEPDIR)/radix.Plo ./$(DEPDIR)/rfc1123.Plo \
+ ./$(DEPDIR)/rfc1738.Plo ./$(DEPDIR)/rfc2617.Plo \
+ ./$(DEPDIR)/sspwin32.Plo ./$(DEPDIR)/stub_memaccount.Plo \
+- ./$(DEPDIR)/util.Plo ./$(DEPDIR)/uudecode.Plo \
+ ./$(DEPDIR)/xusleep.Plo tests/$(DEPDIR)/testRFC1738.Po
+ am__mv = mv -f
+ COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+@@ -836,8 +835,7 @@ libmiscencoding_la_SOURCES = \
+ html_quote.c \
+ md5.c \
+ rfc1738.c \
+- rfc2617.c \
+- uudecode.c
++ rfc2617.c
+
+ libmisccontainers_la_SOURCES = \
+ hash.cc
+@@ -970,7 +968,6 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sspwin32.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stub_memaccount.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Plo@am__quote@ # am--include-marker
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uudecode.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xusleep.Plo@am__quote@ # am--include-marker
+ @AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/testRFC1738.Po@am__quote@ # am--include-marker
+
+@@ -1419,7 +1416,6 @@ distclean: distclean-recursive
+ -rm -f ./$(DEPDIR)/sspwin32.Plo
+ -rm -f ./$(DEPDIR)/stub_memaccount.Plo
+ -rm -f ./$(DEPDIR)/util.Plo
+- -rm -f ./$(DEPDIR)/uudecode.Plo
+ -rm -f ./$(DEPDIR)/xusleep.Plo
+ -rm -f tests/$(DEPDIR)/testRFC1738.Po
+ -rm -f Makefile
+@@ -1486,7 +1482,6 @@ maintainer-clean: maintainer-clean-recur
+ -rm -f ./$(DEPDIR)/sspwin32.Plo
+ -rm -f ./$(DEPDIR)/stub_memaccount.Plo
+ -rm -f ./$(DEPDIR)/util.Plo
+- -rm -f ./$(DEPDIR)/uudecode.Plo
+ -rm -f ./$(DEPDIR)/xusleep.Plo
+ -rm -f tests/$(DEPDIR)/testRFC1738.Po
+ -rm -f Makefile
diff -Nru squid-4.4/debian/patches/series squid-4.4/debian/patches/series
--- squid-4.4/debian/patches/series 2019-07-11 17:07:11.000000000 +0000
+++ squid-4.4/debian/patches/series 2019-07-16 15:38:13.000000000 +0000
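Review bot: Auth::Basic::Config::decodeCleartext() still returns a bare `char *`, so `dstLen` is discarded after `cleartext[dstLen] = '\0'` and a token that decodes to bytes containing NUL is silently truncated for every caller. The CR/NL check that follows lies outside the hunk; if it is string-based, as it appears to be, it would not inspect anything after that NUL either. Rejecting such input as part of the success condition keeps the result unambiguous, for example by appending `&& !memchr(cleartext, '\0', dstLen)` to the `base64_decode_update(...) && base64_decode_final(&ctx)` test so that it falls through to the existing else branch. That else branch also runs when `base64_decode_final()` fails, so the text "Invalid Base64 character" can mislead for a truncated or badly padded token; "Invalid Base64 token" would cover both cases.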
@@ -6,3 +6,6 @@
 fix-uninitialized-var.patch
 fix-rotate-assertion.patch
 CVE-2019-13345.patch
+CVE-2019-12525.patch
+CVE-2019-12527.patch
+CVE-2019-12529.patch