From 911e6019389cabbf4bc1d96cf8a083213abde9a4 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Dec 06 2007 11:55:48 +0000 Subject: - Upstream patch to fix CVE-2007-6239 (#410181) --- diff --git a/squid-2.6.STABLE16-pack_header.patch b/squid-2.6.STABLE16-pack_header.patch new file mode 100644 index 0000000..660414f --- /dev/null +++ b/squid-2.6.STABLE16-pack_header.patch @@ -0,0 +1,129 @@ +--------------------- +PatchSet 11780 +Date: 2007/11/26 11:06:12 +Author: adrian +Branch: SQUID_2_6 +Tag: (none) +Log: +Author: adrian +Patchsets 11745, 11746, 11751 (HEAD): pack header entries after the array has been modified; implement arrayShrink(). + +Long summary + +Members: + include/Array.h:1.7->1.7.2.1 + lib/Array.c:1.8->1.8.2.1 + src/HttpHeader.c:1.91.2.2->1.91.2.3 + +Index: squid/include/Array.h +=================================================================== +RCS file: /cvsroot/squid/squid/include/Array.h,v +retrieving revision 1.7 +retrieving revision 1.7.2.1 +diff -u -r1.7 -r1.7.2.1 +--- squid/include/Array.h 23 Oct 2005 15:20:49 -0000 1.7 ++++ squid/include/Array.h 26 Nov 2007 11:06:12 -0000 1.7.2.1 +@@ -1,5 +1,5 @@ + /* +- * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ ++ * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ + * + * AUTHOR: Alex Rousskov + * +@@ -50,6 +50,8 @@ + extern void arrayAppend(Array * s, void *obj); + extern void arrayInsert(Array * s, void *obj, int position); + extern void arrayPreAppend(Array * s, int app_count); ++extern void arrayShrink(Array *a, int new_count); ++ + + + #endif /* SQUID_ARRAY_H */ +Index: squid/lib/Array.c +=================================================================== +RCS file: /cvsroot/squid/squid/lib/Array.c,v +retrieving revision 1.8 +retrieving revision 1.8.2.1 +diff -u -r1.8 -r1.8.2.1 +--- squid/lib/Array.c 23 Oct 2005 15:20:49 -0000 1.8 ++++ squid/lib/Array.c 26 Nov 2007 11:06:12 -0000 1.8.2.1 +@@ -1,5 +1,5 @@ + /* +- * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ ++ * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ + * + * AUTHOR: Alex Rousskov + * +@@ -138,3 +138,11 @@ + /* reset, just in case */ + memset(a->items + a->count, 0, (a->capacity - a->count) * sizeof(void *)); + } ++ ++void ++arrayShrink(Array *a, int new_count) ++{ ++ assert(new_count < a->capacity); ++ assert(new_count >= 0); ++ a->count = new_count; ++} +Index: squid/src/HttpHeader.c +=================================================================== +RCS file: /cvsroot/squid/squid/src/HttpHeader.c,v +retrieving revision 1.91.2.2 +retrieving revision 1.91.2.3 +diff -u -r1.91.2.2 -r1.91.2.3 +--- squid/src/HttpHeader.c 26 Feb 2007 22:41:46 -0000 1.91.2.2 ++++ squid/src/HttpHeader.c 26 Nov 2007 11:06:13 -0000 1.91.2.3 +@@ -1,6 +1,6 @@ + + /* +- * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ ++ * $Id: squid-2.6.STABLE16-pack_header.patch,v 1.1 2007/12/06 11:55:48 mnagy Exp $ + * + * DEBUG: section 55 HTTP Header + * AUTHOR: Alex Rousskov +@@ -380,12 +380,34 @@ + } + } + ++static void ++httpHeaderRepack(HttpHeader * hdr) ++{ ++ HttpHeaderPos dp = HttpHeaderInitPos; ++ HttpHeaderPos pos = HttpHeaderInitPos; ++ ++ /* XXX breaks layering for now! ie, getting grubby fingers in without httpHeaderEntryGet() */ ++ dp = 0; ++ pos = 0; ++ while (dp < hdr->entries.count) { ++ for (; dp < hdr->entries.count && hdr->entries.items[dp] == NULL; dp++); ++ assert(dp < hdr->entries.count); ++ hdr->entries.items[pos] = hdr->entries.items[dp]; ++ if (dp != pos) ++ hdr->entries.items[dp] = NULL; ++ pos++; ++ dp++; ++ } ++ arrayShrink(&hdr->entries, pos); ++} ++ + /* use fresh entries to replace old ones */ + void + httpHeaderUpdate(HttpHeader * old, const HttpHeader * fresh, const HttpHeaderMask * denied_mask) + { + const HttpHeaderEntry *e; + HttpHeaderPos pos = HttpHeaderInitPos; ++ + assert(old && fresh); + assert(old != fresh); + debug(55, 7) ("updating hdr: %p <- %p\n", old, fresh); +@@ -400,6 +422,9 @@ + httpHeaderDelByName(old, strBuf(e->name)); + httpHeaderAddEntry(old, httpHeaderEntryClone(e)); + } ++ ++ /* And now, repack the array to "fill in the holes" */ ++ httpHeaderRepack(old); + } + + /* just handy in parsing: resets and returns false */ diff --git a/squid.spec b/squid.spec index 65c8cf9..c8aa2da 100644 --- a/squid.spec +++ b/squid.spec @@ -5,7 +5,7 @@ Summary: The Squid proxy caching server Name: squid Version: 2.6.STABLE16 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 7 License: GPL Group: System Environment/Daemons @@ -20,6 +20,7 @@ Source98: perl-requires-squid.sh ## Source99: filter-requires-squid.sh # Upstream patches +Patch1: squid-2.6.STABLE16-pack_header.patch # External patches @@ -56,6 +57,7 @@ lookup program (dnsserver), a program for retrieving FTP data %prep %setup -q +%patch1 -p1 -b .pack_header %patch201 -p1 -b .config %patch202 -p1 -b .location %patch203 -p1 -b .build @@ -326,6 +328,9 @@ fi chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || : %changelog +* Thu Dec 06 2007 Martin Nagy - 7:2.6.STABLE16-1 +- Upstream patch to fix CVE-2007-6239 (#410181) + * Fri Sep 7 2007 Martin Bacovsky - 7:2.6.STABLE16-1 - upgrade to latest upstream 2.6.STABLE14