Hello,

Please consider merging this fix:
https://salsa.debian.org/squid-team/squid/-/merge_requests/17

diff -Nru squid-4.13/debian/changelog squid-4.13/debian/changelog
--- squid-4.13/debian/changelog 2021-03-22 23:18:11.000000000 +0000
+++ squid-4.13/debian/changelog 2021-05-27 22:53:36.000000000 +0000
@@ -1,3 +1,11 @@
+squid (4.13-10) unstable; urgency=medium
+
+  * Team upload.
+  * Add debian/patches/0007-CVE-2021-28651.patch to fix a Denial
+    of Service in URN processing. (Closes: #988893, CVE-2021-28651)
+
+ -- Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net>  Thu, 27 
May 2021 22:53:36 +0000
+
 squid (4.13-9) unstable; urgency=medium
 
   * Clarify on NEWS and scripts that we no longer remove logs on purge.
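Review bot: the maintainer trailer of the new entry appears split across two lines here (`-- Francisco ... Thu, 27` followed by `May 2021 22:53:36 +0000` on its own line); if that is how the file reads rather than mail wrapping, `dpkg-parsechangelog` will reject the entry, so confirm the trailer is a single line. The entry could also state what the denial of service is, as the DEP-3 header in 0007-CVE-2021-28651.patch does, e.g. "fix a memory leak in URN request processing (Denial of Service)", so readers of the changelog know it is a leak on each urn: request rather than a crash.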
diff -Nru squid-4.13/debian/patches/0007-CVE-2021-28651.patch 
squid-4.13/debian/patches/0007-CVE-2021-28651.patch
--- squid-4.13/debian/patches/0007-CVE-2021-28651.patch 1970-01-01 
00:00:00.000000000 +0000
+++ squid-4.13/debian/patches/0007-CVE-2021-28651.patch 2021-05-27 
22:43:32.000000000 +0000
@@ -0,0 +1,23 @@
+Description: Fix CVE-2021-28651.
+ Due to a buffer-management bug, it allows
+ a denial of service in URN processing.
+ When resolving a request with the urn: scheme,
+ the parser leaks a small amount of memory.
+Author: Amos Jeffries <ya...@users.noreply.github.com>
+Origin: upstream, 
http://www.squid-cache.org/Versions/v4/changesets/squid-4-a975fd5aedc866629214aaaccb38376855351899.patch
+Bug: https://github.com/squid-cache/squid/pull/778
+Bug-Debian: https://bugs.debian.org/988893
+Forwarded: not-needed
+Reviewed-By: Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net>
+Last-Update: 2021-05-27
+
+--- squid-4.13.orig/src/urn.cc
++++ squid-4.13/src/urn.cc
+@@ -412,6 +412,7 @@ urnParseReply(const char *inbuf, const H
+     }
+ 
+     debugs(52, 3, "urnParseReply: Found " << i << " URLs");
++    xfree(buf);
+     return list;
+ }
+ 
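Review bot: the added `xfree(buf);` only covers the final `return list;` path of `urnParseReply` at line 412, and the function is not shown in full; confirm that every earlier return or error path in that function (before the `debugs(52, 3, "urnParseReply: Found " ...)` line) also releases `buf`, otherwise the leak remains reachable on malformed input. On the DEP-3 header: the `Origin:` value is shown with its URL on a second line starting with `http://`, and a continuation line must begin with a space, so confirm the file has the URL on the same line as `Origin:` or indented; `Forwarded: not-needed` is fine here since the change is upstream's own.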
diff -Nru squid-4.13/debian/patches/series squid-4.13/debian/patches/series
--- squid-4.13/debian/patches/series    2021-03-22 23:18:11.000000000 +0000
+++ squid-4.13/debian/patches/series    2021-05-27 22:13:37.000000000 +0000
@@ -4,3 +4,4 @@
 #0004-upstream-bug5041.patch
 0005-Use-RuntimeDirectory-to-create-run-squid.patch
 0006-SQUID-2020_11.patch
+0007-CVE-2021-28651.patch
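Review bot: the new patch's file headers reference `squid-4.13.orig/src/urn.cc`, so it was generated against the pristine source, but `series` applies it after 0005-Use-RuntimeDirectory-to-create-run-squid.patch and 0006-SQUID-2020_11.patch; confirm with `quilt push -a` (or a full build) that it still applies at the expected offset on top of those, in case either of them also touches src/urn.cc. Appending it as 0007 after the commented-out `#0004-upstream-bug5041.patch` keeps the numbering consistent.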


Best regards,
-- 
Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net>
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00
