CVS commit: pkgsrc/www/squid6
Module Name: pkgsrc
Committed By: sborrill
Date: Wed Mar 25 11:47:47 UTC 2026
Modified Files:
pkgsrc/www/squid6: Makefile distinfo
Added Files:
pkgsrc/www/squid6/patches: patch-src_ICP.h patch-src_icp_v2.cc
patch-src_icp_v3.cc patch-src_tests_stub_icp.cc
Log Message:
squid6: security fixes
Backport fixes for:
SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
To generate a diff of this commit:
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/squid6/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/squid6/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/www/squid6/patches/patch-src_ICP.h \
pkgsrc/www/squid6/patches/patch-src_icp_v2.cc \
pkgsrc/www/squid6/patches/patch-src_icp_v3.cc \
pkgsrc/www/squid6/patches/patch-src_tests_stub_icp.cc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/squid6/Makefile
diff -u pkgsrc/www/squid6/Makefile:1.24 pkgsrc/www/squid6/Makefile:1.25
--- pkgsrc/www/squid6/Makefile:1.24 Fri Feb 6 10:06:11 2026
+++ pkgsrc/www/squid6/Makefile Wed Mar 25 11:47:46 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.24 2026/02/06 10:06:11 wiz Exp $
+# $NetBSD: Makefile,v 1.25 2026/03/25 11:47:46 sborrill Exp $
VERSION= 6.14
DISTNAME= squid-${VERSION}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_GITHUB:=squid-cache/}squid/releases/download/SQUID_${VERSION:S/./_/g}/
EXTRACT_SUFX= .tar.xz
Index: pkgsrc/www/squid6/distinfo
diff -u pkgsrc/www/squid6/distinfo:1.13 pkgsrc/www/squid6/distinfo:1.14
--- pkgsrc/www/squid6/distinfo:1.13 Mon Jun 30 10:22:39 2025
+++ pkgsrc/www/squid6/distinfo Wed Mar 25 11:47:46 2026
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2025/06/30 10:22:39 sborrill Exp $
+$NetBSD: distinfo,v 1.14 2026/03/25 11:47:46 sborrill Exp $
BLAKE2s (squid-6.14.tar.xz) = 34858dcb2dc07d17e0390cd28d70a040b6d403c2242574dc0a7dd693f792f7e6
SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5
@@ -6,8 +6,12 @@ Size (squid-6.14.tar.xz) = 2548456 bytes
SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0
SHA1 (patch-configure) = 66bf56c83876452ba12727d5d957619d75f4d1bc
SHA1 (patch-errors_Makefile.in) = e7ba371bb24e40eeb9dd10dc6fe12d208e681d72
+SHA1 (patch-src_ICP.h) = fdc3cf11c5cb893093755fd8fe583f6e25eaf424
SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38
+SHA1 (patch-src_icp_v2.cc) = 82f70df052fe0e2c6f647d1360385f9d41bd3efb
+SHA1 (patch-src_icp_v3.cc) = d793eaba70c8a8681014310bf78a44db8cd38017
+SHA1 (patch-src_tests_stub_icp.cc) = 6d1a6a48ce4537cbaea1c4d929d157d8338fe245
SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
Added files:
Index: pkgsrc/www/squid6/patches/patch-src_ICP.h
diff -u /dev/null pkgsrc/www/squid6/patches/patch-src_ICP.h:1.1
--- /dev/null Wed Mar 25 11:47:47 2026
+++ pkgsrc/www/squid6/patches/patch-src_ICP.h Wed Mar 25 11:47:46 2026
@@ -0,0 +1,36 @@
+$NetBSD: patch-src_ICP.h,v 1.1 2026/03/25 11:47:46 sborrill Exp $
+
+Backport fixes for:
+SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
+SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
+
+https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
+https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
+
+--- src/ICP.h.orig 2025-06-24 08:49:30.000000000 +0100
++++ src/ICP.h 2026-03-25 09:16:20.439240148 +0000
+@@ -89,11 +89,12 @@
+ extern Comm::ConnectionPointer icpOutgoingConn;
+ extern Ip::Address theIcpPublicHostID;
+
+-/// \ingroup ServerProtocolICPAPI
+-HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from);
++/// A URI extracted from the given raw packet buffer.
++/// On errors, details the problem and returns nil.
++const char *icpGetUrl(const Ip::Address &from, const char *, const icp_common_t &);
+
+ /// \ingroup ServerProtocolICPAPI
+-bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request);
++HttpRequestPointer icpGetRequest(const char *url, int reqnum, int fd, const Ip::Address &from);
+
+ /// \ingroup ServerProtocolICPAPI
+ void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from, AccessLogEntryPointer);
+@@ -102,7 +103,7 @@
+ icp_opcode icpGetCommonOpcode();
+
+ /// \ingroup ServerProtocolICPAPI
+-void icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd);
++void icpDenyAccess(const Ip::Address &from, const char *url, int reqnum, int fd);
+
+ /// \ingroup ServerProtocolICPAPI
+ PF icpHandleUdp;
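Review bot: The new `icpGetUrl` declaration's comment in the src/ICP.h hunk says what the function returns but not whose memory the returned pointer refers to. The implementation this commit adds in patch-src_icp_v2.cc returns `buf + urlOffset`, i.e. a pointer into the caller's packet buffer rather than into freshly allocated storage, so the result is valid only for as long as that buffer is. Suggest extending the comment with `/// The returned pointer aliases the given buffer and is valid only while the buffer is.` so callers do not stash it beyond the packet's lifetime.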
Index: pkgsrc/www/squid6/patches/patch-src_icp_v2.cc
diff -u /dev/null pkgsrc/www/squid6/patches/patch-src_icp_v2.cc:1.1
--- /dev/null Wed Mar 25 11:47:47 2026
+++ pkgsrc/www/squid6/patches/patch-src_icp_v2.cc Wed Mar 25 11:47:46 2026
@@ -0,0 +1,173 @@
+$NetBSD: patch-src_icp_v2.cc,v 1.1 2026/03/25 11:47:46 sborrill Exp $
+
+Backport fixes for:
+SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
+SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
+SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
+
+https://github.com/squid-cache/squid/commit/8a7d42f9d44befb8fcbbb619505587c8de6a1e91
+https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
+https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
+
+--- src/icp_v2.cc.orig 2025-06-24 08:49:30.000000000 +0100
++++ src/icp_v2.cc 2026-03-25 09:23:17.804536734 +0000
+@@ -425,7 +425,7 @@
+ }
+
+ void
+-icpDenyAccess(Ip::Address &from, char *url, int reqnum, int fd)
++icpDenyAccess(const Ip::Address &from, const char *url, const int reqnum, const int fd)
+ {
+ debugs(12, 2, "icpDenyAccess: Access Denied for " << from << " by " << AclMatchedName << ".");
+
+@@ -440,8 +440,9 @@
+ }
+ }
+
+-bool
+-icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request)
++/// icpGetRequest() helper that determines whether squid.conf allows the given ICP query
++static bool
++icpAccessAllowed(const Ip::Address &from, HttpRequest * icp_request)
+ {
+ /* absent any explicit rules, we deny all */
+ if (!Config.accessList.icp)
+@@ -453,44 +454,79 @@
+ return checklist.fastCheck().allowed();
+ }
+
+-HttpRequest *
+-icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from)
++const char *
++icpGetUrl(const Ip::Address &from, const char * const buf, const icp_common_t &header)
++{
++ const auto receivedPacketSize = static_cast<size_t>(header.length);
++ const auto payloadOffset = sizeof(header);
++
++ // Query payload contains a "Requester Host Address" followed by a URL.
++ // Payload of other ICP packets (with opcode that we recognize) is a URL.
++ const auto urlOffset = payloadOffset + ((header.opcode == ICP_QUERY) ? sizeof(uint32_t) : 0);
++
++ // A URL field cannot be empty because it includes a terminating NUL char.
++ // Ensure that the packet has at least one URL field byte.
++ if (urlOffset >= receivedPacketSize) {
++ debugs(12, 3, "too small packet from " << from << ": " << urlOffset << " >= " << receivedPacketSize);
++ return nullptr;
++ }
++
++ // All ICP packets (with opcode that we recognize) _end_ with a URL field.
++ // RFC 2186 requires all URLs to be "Null-Terminated".
++ if (buf[receivedPacketSize - 1] != '\0') {
++ debugs(12, 3, "unterminated URL or trailing garbage from " << from);
++ return nullptr;
++ }
++
++ const auto url = buf + urlOffset; // a possibly empty c-string
++ if (urlOffset + strlen(url) + 1 != receivedPacketSize) {
++ debugs(12, 3, "URL with an embedded NUL or trailing garbage from " << from);
++ return nullptr;
++ }
++
++ return url;
++}
++
++HttpRequest::Pointer
++icpGetRequest(const char * const url, const int reqnum, const int fd, const Ip::Address &from)
+ {
+ if (strpbrk(url, w_space)) {
+- url = rfc1738_escape(url);
+ icpCreateAndSend(ICP_ERR, 0, rfc1738_escape(url), reqnum, 0, fd, from, nullptr);
+ return nullptr;
+ }
+
+ const auto mx = MasterXaction::MakePortless<XactionInitiator::initIcp>();
+- auto *result = HttpRequest::FromUrlXXX(url, mx);
+- if (!result)
+- icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
++ if (const HttpRequest::Pointer request = HttpRequest::FromUrlXXX(url, mx)) {
++ if (!icpAccessAllowed(from, request.getRaw())) {
++ icpDenyAccess(from, url, reqnum, fd);
++ return nullptr;
++ }
+
+- return result;
++ return request;
++ }
+
++ icpCreateAndSend(ICP_ERR, 0, url, reqnum, 0, fd, from, nullptr);
++ return nullptr;
+ }
+
+ static void
+-doV2Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
++doV2Query(const int fd, Ip::Address &from, const char * const buf, icp_common_t header)
+ {
+ int rtt = 0;
+ int src_rtt = 0;
+ uint32_t flags = 0;
+- /* We have a valid packet */
+- char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+- HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+
+- if (!icp_request)
++ const auto url = icpGetUrl(from, buf, header);
++ if (!url) {
++ icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr);
+ return;
++ }
+
+- HTTPMSGLOCK(icp_request);
++ const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
+
+- if (!icpAccessAllowed(from, icp_request)) {
+- icpDenyAccess(from, url, header.reqnum, fd);
+- HTTPMSGUNLOCK(icp_request);
++ if (!icp_request)
+ return;
+- }
++
+ #if USE_ICMP
+ if (header.flags & ICP_FLAG_SRC_RTT) {
+ rtt = netdbHostRtt(icp_request->url.host());
+@@ -503,7 +539,7 @@
+ #endif /* USE_ICMP */
+
+ /* The peer is allowed to use this cache */
+- ICP2State state(header, icp_request);
++ ICP2State state(header, icp_request.getRaw());
+ state.fd = fd;
+ state.from = from;
+ state.url = xstrdup(url);
+@@ -532,8 +568,6 @@
+ }
+
+ icpCreateAndSend(codeToSend, flags, url, header.reqnum, src_rtt, fd, from, state.al);
+-
+- HTTPMSGUNLOCK(icp_request);
+ }
+
+ void
+@@ -545,7 +579,10 @@
+ neighbors_do_private_keys = 0;
+ }
+
+- char *url = buf + sizeof(icp_common_t);
++
++ const auto url = icpGetUrl(from, buf, *this);
++ if (!url)
++ return;
+ debugs(12, 3, "icpHandleIcpV2: " << icp_opcode_str[opcode] << " from " << from << " for '" << url << "'");
+
+ const cache_key *key = icpGetCacheKey(url, (int) reqnum);
+@@ -680,7 +717,10 @@
+
+ icp_version = (int) buf[1]; /* cheat! */
+
+- if (icpOutgoingConn->local == from)
++ // XXX: The IP equality comparison below ignores port differences but
++ // should not. It also fails to detect loops when `local` is a wildcard
++ // address (e.g., [::]:3130) because `from` address is never a wildcard.
++ if (icpOutgoingConn && icpOutgoingConn->local == from)
+ // ignore ICP packets which loop back (multicast usually)
+ debugs(12, 4, "icpHandleUdp: Ignoring UDP packet sent by myself");
+ else if (icp_version == ICP_VERSION_2)
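Review bot: `icpGetUrl`, added in the src/icp_v2.cc hunk at `@@ -453,44 +454,79 @@`, reads `buf[receivedPacketSize - 1]` and runs `strlen()` over `buf` with `header.length` as its only bound, so it is in-bounds only if the caller has already established that `header.length` does not exceed the number of bytes actually received in the datagram. That validation, if present, lives in code outside this patch (the `icp_common_t` constructor or the `icpHandleIcpV2` entry path), so the function should state it as a precondition rather than rely on it silently, e.g. `// Precondition: caller has verified header.length <= received datagram size (buf holds at least header.length bytes).` The same assumption is inherited by every call site introduced here: `doV2Query`, the function containing the `@@ -545,7 +579,10 @@` hunk (its signature is outside the hunk), and `doV3Query` in patch-src_icp_v3.cc. The body of `icpHandleUdp` in the last hunk also starts and ends outside the shown lines.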
Index: pkgsrc/www/squid6/patches/patch-src_icp_v3.cc
diff -u /dev/null pkgsrc/www/squid6/patches/patch-src_icp_v3.cc:1.1
--- /dev/null Wed Mar 25 11:47:47 2026
+++ pkgsrc/www/squid6/patches/patch-src_icp_v3.cc Wed Mar 25 11:47:46 2026
@@ -0,0 +1,44 @@
+$NetBSD: patch-src_icp_v3.cc,v 1.1 2026/03/25 11:47:46 sborrill Exp $
+
+Backport fixes for:
+SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
+SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
+
+https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
+https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
+
+--- src/icp_v3.cc.orig 2025-06-24 08:49:30.000000000 +0100
++++ src/icp_v3.cc 2026-03-25 09:25:04.012952882 +0000
+@@ -32,23 +32,21 @@
+
+ /// \ingroup ServerProtocolICPInternal3
+ static void
+-doV3Query(int fd, Ip::Address &from, char *buf, icp_common_t header)
++doV3Query(int fd, Ip::Address &from, const char * const buf, icp_common_t header)
+ {
+- /* We have a valid packet */
+- char *url = buf + sizeof(icp_common_t) + sizeof(uint32_t);
+- HttpRequest *icp_request = icpGetRequest(url, header.reqnum, fd, from);
+-
+- if (!icp_request)
++ const auto url = icpGetUrl(from, buf, header);
++ if (!url) {
++ icpCreateAndSend(ICP_ERR, 0, "", header.reqnum, 0, fd, from, nullptr);
+ return;
++ }
+
+- if (!icpAccessAllowed(from, icp_request)) {
+- icpDenyAccess (from, url, header.reqnum, fd);
+- delete icp_request;
++ const auto icp_request = icpGetRequest(url, header.reqnum, fd, from);
++
++ if (!icp_request)
+ return;
+- }
+
+ /* The peer is allowed to use this cache */
+- ICP3State state(header, icp_request);
++ ICP3State state(header, icp_request.getRaw());
+ state.fd = fd;
+ state.from = from;
+ state.url = xstrdup(url);
Index: pkgsrc/www/squid6/patches/patch-src_tests_stub_icp.cc
diff -u /dev/null pkgsrc/www/squid6/patches/patch-src_tests_stub_icp.cc:1.1
--- /dev/null Wed Mar 25 11:47:47 2026
+++ pkgsrc/www/squid6/patches/patch-src_tests_stub_icp.cc Wed Mar 25 11:47:47 2026
@@ -0,0 +1,34 @@
+$NetBSD: patch-src_tests_stub_icp.cc,v 1.1 2026/03/25 11:47:47 sborrill Exp $
+
+Backport fixes for:
+SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748)
+SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515)
+
+https://github.com/squid-cache/squid/commit/703e07d25ca6fa11f52d20bf0bb879e22ab7481b
+https://github.com/squid-cache/squid/commit/8138e909d2058d4401e0ad49b583afaec912b165
+
+--- src/tests/stub_icp.cc.orig 2025-06-24 08:49:30.000000000 +0100
++++ src/tests/stub_icp.cc 2026-03-25 09:26:15.507715616 +0000
+@@ -9,6 +9,7 @@
+ #include "squid.h"
+ #include "AccessLogEntry.h"
+ #include "comm/Connection.h"
++#include "HttpRequest.h"
+ #include "ICP.h"
+
+ #define STUB_API "icp_*.cc"
+@@ -29,11 +30,11 @@
+ Comm::ConnectionPointer icpOutgoingConn;
+ Ip::Address theIcpPublicHostID;
+
+-HttpRequest* icpGetRequest(char *, int, int, Ip::Address &) STUB_RETVAL(nullptr)
+-bool icpAccessAllowed(Ip::Address &, HttpRequest *) STUB_RETVAL(false)
++const char *icpGetUrl(const Ip::Address &, const char *, const icp_common_t &) STUB_RETVAL(nullptr)
++HttpRequest::Pointer icpGetRequest(char *, int, int, Ip::Address &) STUB_RETVAL(nullptr)
+ void icpCreateAndSend(icp_opcode, int, char const *, int, int, int, const Ip::Address &, AccessLogEntryPointer) STUB
+ icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID)
+-void icpDenyAccess(Ip::Address &, char *, int, int) STUB
++void icpDenyAccess(const Ip::Address &, const char *, int, int) STUB
+ void icpHandleIcpV3(int, Ip::Address &, char *, int) STUB
+ void icpConnectionShutdown(void) STUB
+ int icpSetCacheKey(const cache_key *) STUB_RETVAL(0)
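Review bot: The replacement stub `HttpRequest::Pointer icpGetRequest(char *, int, int, Ip::Address &)` on the new side of the src/tests/stub_icp.cc hunk does not match the declaration this commit puts in src/ICP.h (`const char *, int, int, const Ip::Address &`), so it defines an unrelated overload rather than the declared function. That only goes unnoticed because no test translation unit appears to call `icpGetRequest`; any that does will fail to link against the stub library. Change the line to `HttpRequest::Pointer icpGetRequest(const char *, int, int, const Ip::Address &) STUB_RETVAL(nullptr)` so the stub and header agree, matching what was done for the `icpDenyAccess` stub two lines below.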