Bug#988893: squid: CVE-2021-28651

2021-05-27 Thread Francisco Vilmar Cardoso Ruviaro
Hello,

Please consider merging this fix:
https://salsa.debian.org/squid-team/squid/-/merge_requests/17

diff -Nru squid-4.13/debian/changelog squid-4.13/debian/changelog
--- squid-4.13/debian/changelog 2021-03-22 23:18:11.0 +
+++ squid-4.13/debian/changelog 2021-05-27 22:53:36.0 +
@@ -1,3 +1,11 @@
+squid (4.13-10) unstable; urgency=medium
+
+  * Team upload.
+  * Add debian/patches/0007-CVE-2021-28651.patch to fix a Denial
+of Service in URN processing. (Closes: #988893, CVE-2021-28651)
+
+ -- Francisco Vilmar Cardoso Ruviaro   Thu, 27 
May 2021 22:53:36 +
+
 squid (4.13-9) unstable; urgency=medium
 
   * Clarify on NEWS and scripts that we no longer remove logs on purge.
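Review bot: The changelog entry describes only the symptom ("Denial of Service in URN processing") and not the defect; consider adding that the patch frees the reply buffer in urnParseReply that was previously leaked on every urn: request, so the changelog conveys what changed without opening the patch. The CVE id and "Closes: #988893" are present, as the bug report requested.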
diff -Nru squid-4.13/debian/patches/0007-CVE-2021-28651.patch 
squid-4.13/debian/patches/0007-CVE-2021-28651.patch
--- squid-4.13/debian/patches/0007-CVE-2021-28651.patch 1970-01-01 
00:00:00.0 +
+++ squid-4.13/debian/patches/0007-CVE-2021-28651.patch 2021-05-27 
22:43:32.0 +
@@ -0,0 +1,23 @@
+Description: Fix CVE-2021-28651.
+ Due to a buffer-management bug, it allows
+ a denial of service in URN processing.
+ When resolving a request with the urn: scheme,
+ the parser leaks a small amount of memory.
+Author: Amos Jeffries 
+Origin: upstream, 
http://www.squid-cache.org/Versions/v4/changesets/squid-4-a975fd5aedc866629214aaaccb38376855351899.patch
+Bug: https://github.com/squid-cache/squid/pull/778
+Bug-Debian: https://bugs.debian.org/988893
+Forwarded: not-needed
+Reviewed-By: Francisco Vilmar Cardoso Ruviaro 
+Last-Update: 2021-05-27
+
+--- squid-4.13.orig/src/urn.cc
 squid-4.13/src/urn.cc
+@@ -412,6 +412,7 @@ urnParseReply(const char *inbuf, const H
+ }
+ 
+ debugs(52, 3, "urnParseReply: Found " << i << " URLs");
++xfree(buf);
+ return list;
+ }
+ 
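Review bot: The added `xfree(buf);` is placed immediately before the final `return list;` of urnParseReply, so it covers only the normal exit path; the hunk shows no earlier returns, and it should be checked against the full function that no early-return or error path still leaves `buf` unfreed, otherwise the leak is only partially closed. Separately, the DEP-3 `Bug:` field points at the upstream pull request (https://github.com/squid-cache/squid/pull/778); the upstream advisory GHSA-ch36-9jhx-phm4 cited in the bug report is the more durable reference for the vulnerability itself, with the pull request remaining as supporting material next to the Origin changeset.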
diff -Nru squid-4.13/debian/patches/series squid-4.13/debian/patches/series
--- squid-4.13/debian/patches/series2021-03-22 23:18:11.0 +
+++ squid-4.13/debian/patches/series2021-05-27 22:13:37.0 +
@@ -4,3 +4,4 @@
 #0004-upstream-bug5041.patch
 0005-Use-RuntimeDirectory-to-create-run-squid.patch
 0006-SQUID-2020_11.patch
+0007-CVE-2021-28651.patch


Best regards,
-- 
Francisco Vilmar Cardoso Ruviaro 
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00





Bug#988893: squid: CVE-2021-28651

2021-05-20 Thread Salvatore Bonaccorso
Source: squid
Version: 4.13-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 4.6-1+deb10u5
Control: found -1 4.6-1+deb10u5
Control: found -1 4.6-1

Hi,

The following vulnerability was published for squid.

CVE-2021-28651[0]:
| Denial of Service in URN processing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-28651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651
[1] https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4

Regards,
Salvatore