Control: tags 1020586 + patch
Control: tags 1020586 + pending
Control: tags 1020587 + patch
Control: tags 1020587 + pending

Dear maintainer,

I've prepared an NMU for squid (versioned as 5.6-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer.

There is as well an associated merge request at https://salsa.debian.org/squid-team/squid/-/merge_requests/22 .

That said, I believe for unstable/bookworm it would be better to just update to the new upstream version?

Regards,
Salvatore

diff -Nru squid-5.6/debian/changelog squid-5.6/debian/changelog --- squid-5.6/debian/changelog 2022-06-19 13:19:04.000000000 +0200 +++ squid-5.6/debian/changelog 2022-09-29 21:59:13.000000000 +0200 @@ -1,3 +1,13 @@ +squid (5.6-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Exposure of Sensitive Information in Cache Manager (CVE-2022-41317) + (Closes: #1020587) + * Buffer Over Read in SSPI and SMB Authentication (CVE-2022-41318) + (Closes: #1020586) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 29 Sep 2022 21:59:13 +0200 + squid (5.6-1) unstable; urgency=high * Urgency high due to security fixes diff -Nru squid-5.6/debian/patches/0007-SQUID-2022_1.patch squid-5.6/debian/patches/0007-SQUID-2022_1.patch --- squid-5.6/debian/patches/0007-SQUID-2022_1.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.6/debian/patches/0007-SQUID-2022_1.patch 2022-09-29 21:59:13.000000000 +0200 
@@ -0,0 +1,19 @@ +commit 55151c545a8e0bd2cb69036da5794c9cb21018b2 +Author: Amos Jeffries <ya...@users.noreply.github.com> +Date: 2022-08-17 23:32:43 +0000 + + Fix typo in manager ACL (#1113) + +diff --git a/src/cf.data.pre b/src/cf.data.pre +index a0bdb2f83..118256437 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN + DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT + ENDIF + DEFAULT: all src all +-DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ ++DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/ + DEFAULT: localhost src 127.0.0.1/32 ::1 + DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 + DEFAULT: CONNECT method CONNECT diff -Nru squid-5.6/debian/patches/0008-SQUID-2022_2.patch squid-5.6/debian/patches/0008-SQUID-2022_2.patch --- squid-5.6/debian/patches/0008-SQUID-2022_2.patch 1970-01-01 01:00:00.000000000 +0100 +++ squid-5.6/debian/patches/0008-SQUID-2022_2.patch 2022-09-29 21:59:13.000000000 +0200 
@@ -0,0 +1,38 @@ +commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46 +Author: Amos Jeffries <ya...@users.noreply.github.com> +Date: 2022-08-09 23:34:54 +0000 + + Bug 3193 pt2: NTLM decoder truncating strings (#1114) + + The initial bug fix overlooked large 'offset' causing integer + wrap to extract a too-short length string. + + Improve debugs and checks sequence to clarify cases and ensure + that all are handled correctly. + +diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc +index b3df6b18e..dac8a7ecb 100644 +--- a/lib/ntlmauth/ntlmauth.cc ++++ b/lib/ntlmauth/ntlmauth.cc +@@ -108,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr + int32_t o = le32toh(str->offset); + // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); + +- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { +- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { ++ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); + return rv; + } ++ else if (o <= 0 || o > packet_size) { ++ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ return rv; ++ } ++ else if (l > packet_size - o) { ++ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); ++ return rv; ++ } ++ + rv.str = (char *)packet + o; + rv.l = 0; + if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { diff -Nru squid-5.6/debian/patches/series squid-5.6/debian/patches/series --- squid-5.6/debian/patches/series 2022-06-19 13:19:04.000000000 +0200 +++ squid-5.6/debian/patches/series 2022-09-29 21:59:13.000000000 +0200 
@@ -3,3 +3,5 @@ 0003-installed-binary-for-debian-ci.patch 0005-Use-RuntimeDirectory-to-create-run-squid.patch 0006-Fix-build-against-OpenSSL-3-0.patch +0007-SQUID-2022_1.patch +0008-SQUID-2022_2.patch
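
Review bot: In the debian/changelog hunk, the two new entries give the CVE and the bug number but not the patch file that carries each fix. Naming 0007-SQUID-2022_1.patch and 0008-SQUID-2022_2.patch next to the entry each one belongs to would let a reader go from the changelog to the change without opening debian/patches/series.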
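
Review bot: In debian/patches/0007-SQUID-2022_1.patch, the header carries only the upstream subject "Fix typo in manager ACL (#1113)", which does not say that the change to the `manager` default in src/cf.data.pre is the fix for the Cache Manager information exposure listed in the changelog. Add a description line that references CVE-2022-41317 and #1020587. The new pattern `^[^:]+://[^/]+/squid-internal-mgr/` matches any scheme where the old one matched only http and https, so it would also help to state that this widening is the intent.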
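
Review bot: In the lib/ntlmauth/ntlmauth.cc hunk of 0008-SQUID-2022_2.patch, the third branch `l > packet_size - o` has no comment saying why it is written as a subtraction rather than the removed `o + l > packet_size`. The commit message explains the integer wrap, but the code does not, so a later tidy-up could fold the three branches back into the additive form. A one-line comment above that branch would guard against that, and it should also state that the subtraction is safe only because the preceding branch has already established 0 < o <= packet_size. Separately, the offset check rejects only `o <= 0`, so a small positive offset that points into the fixed header is still accepted before `rv.str = (char *)packet + o`; if that is intended, say so in a comment.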