Control: tags 1020586 + patch
Control: tags 1020586 + pending
Control: tags 1020587 + patch
Control: tags 1020587 + pending


Dear maintainer,

I've prepared an NMU for squid (versioned as 5.6-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

There is as well an associated merge request at
https://salsa.debian.org/squid-team/squid/-/merge_requests/22 . That
said I believe for unstable/bookworm it would be better to just update
to the new upstream version?

Regards,
Salvatore
diff -Nru squid-5.6/debian/changelog squid-5.6/debian/changelog
--- squid-5.6/debian/changelog	2022-06-19 13:19:04.000000000 +0200
+++ squid-5.6/debian/changelog	2022-09-29 21:59:13.000000000 +0200
@@ -1,3 +1,13 @@
+squid (5.6-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Exposure of Sensitive Information in Cache Manager (CVE-2022-41317)
+    (Closes: #1020587)
+  * Buffer Over Read in SSPI and SMB Authentication (CVE-2022-41318)
+    (Closes: #1020586)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 29 Sep 2022 21:59:13 +0200
+
 squid (5.6-1) unstable; urgency=high
 
   * Urgency high due to security fixes
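Review bot: the new 5.6-1.1 entry is uploaded with urgency=medium, while the 5.6-1 entry directly below it used urgency=high "due to security fixes", and this upload also closes two CVE bugs; worth confirming that the lower urgency is intended. The two bullets also name the CVEs and bug numbers but not the patch files that carry the fixes; adding 0007-SQUID-2022_1.patch and 0008-SQUID-2022_2.patch to the respective bullets would let a reader map each closed bug to its entry in debian/patches/series.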
diff -Nru squid-5.6/debian/patches/0007-SQUID-2022_1.patch squid-5.6/debian/patches/0007-SQUID-2022_1.patch
--- squid-5.6/debian/patches/0007-SQUID-2022_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ squid-5.6/debian/patches/0007-SQUID-2022_1.patch	2022-09-29 21:59:13.000000000 +0200
@@ -0,0 +1,19 @@
+commit 55151c545a8e0bd2cb69036da5794c9cb21018b2
+Author: Amos Jeffries <ya...@users.noreply.github.com>
+Date:   2022-08-17 23:32:43 +0000
+
+    Fix typo in manager ACL (#1113)
+
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index a0bdb2f83..118256437 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN
+ DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+ ENDIF
+ DEFAULT: all src all
+-DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
++DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/
+ DEFAULT: localhost src 127.0.0.1/32 ::1
+ DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128
+ DEFAULT: CONNECT method CONNECT
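Review bot: the header of the new 0007-SQUID-2022_1.patch carries only the upstream subject "Fix typo in manager ACL (#1113)", which gives no hint that this is the security fix the changelog lists for the Cache Manager (CVE-2022-41317, #1020587). Suggest adding a line to the patch header naming the CVE and the Debian bug. The header could also state the effect of the one-line change: the second pattern goes from `^https?://` to `^[^:]+://`, so the default `manager` ACL now matches /squid-internal-mgr/ URLs under any scheme rather than only http and https, and access rules written against `manager` apply to those requests as well.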
diff -Nru squid-5.6/debian/patches/0008-SQUID-2022_2.patch squid-5.6/debian/patches/0008-SQUID-2022_2.patch
--- squid-5.6/debian/patches/0008-SQUID-2022_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ squid-5.6/debian/patches/0008-SQUID-2022_2.patch	2022-09-29 21:59:13.000000000 +0200
@@ -0,0 +1,38 @@
+commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46
+Author: Amos Jeffries <ya...@users.noreply.github.com>
+Date:   2022-08-09 23:34:54 +0000
+
+    Bug 3193 pt2: NTLM decoder truncating strings (#1114)
+    
+    The initial bug fix overlooked large 'offset' causing integer
+    wrap to extract a too-short length string.
+    
+    Improve debugs and checks sequence to clarify cases and ensure
+    that all are handled correctly.
+
+diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
+index b3df6b18e..dac8a7ecb 100644
+--- a/lib/ntlmauth/ntlmauth.cc
++++ b/lib/ntlmauth/ntlmauth.cc
+@@ -108,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
+     int32_t o = le32toh(str->offset);
+     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
+ 
+-    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
+-        debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++    if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
++        debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+         return rv;
+     }
++    else if (o <= 0 || o > packet_size) {
++        debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++    else if (l > packet_size - o) {
++        debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
++        return rv;
++    }
++
+     rv.str = (char *)packet + o;
+     rv.l = 0;
+     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
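Review bot: the new offset check `else if (o <= 0 || o > packet_size)` still accepts an offset equal to packet_size, and with l == 0 the following `l > packet_size - o` test does not reject it either, so `rv.str = (char *)packet + o` ends up pointing one past the end of the packet. Consider `o >= packet_size`, or a comment saying that an empty string at the very end of the packet is deliberately allowed. Separately, writing the bound as `packet_size - o` rather than the old `o + l` is what avoids the integer wrap the commit message describes, and the subtraction is only safe because the offset check runs first; a short comment on that ordering would help keep a later reshuffle of the three branches from reintroducing the wrap.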
diff -Nru squid-5.6/debian/patches/series squid-5.6/debian/patches/series
--- squid-5.6/debian/patches/series	2022-06-19 13:19:04.000000000 +0200
+++ squid-5.6/debian/patches/series	2022-09-29 21:59:13.000000000 +0200
@@ -3,3 +3,5 @@
 0003-installed-binary-for-debian-ci.patch
 0005-Use-RuntimeDirectory-to-create-run-squid.patch
 0006-Fix-build-against-OpenSSL-3-0.patch
+0007-SQUID-2022_1.patch
+0008-SQUID-2022_2.patch
