Bug 226139 - www/squid: Fixes security vulnerabilities (CVE-2018-1000024, CVE-2018-1000027)
Summary: www/squid: Fixes security vulnerabilities (CVE-2018-1000024, CVE-2018-1000027)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Danilo G. Baio
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-23 12:04 UTC by Yasuhiro Kimura
Modified: 2018-02-25 13:21 UTC (History)
2 users (show)

See Also:
dbaio: maintainer-feedback+
dbaio: merge-quarterly+

Attachments
patch file (1.64 KB, patch)
2018-02-23 12:04 UTC, Yasuhiro Kimura 		no flags Details | Diff
squid-3.5.27_3.patch (3.77 KB, patch)
2018-02-23 13:53 UTC, Danilo G. Baio 		timp87: maintainer-approval+
Details | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 12:04:13 UTC 
Created attachment 190916 [details]
patch file

* Add patch to fix DoS issue (CVE-2018-1000027).
* Bump PORTREVISION.

And bug #226138 adds entry for this issue to vuxml. So please commit it too.
Comment 1 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-23 13:53:03 UTC 
Created attachment 190918 [details]
squid-3.5.27_3.patch

It includes the second patch as well
Comment 2 Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 14:08:32 UTC 
(In reply to Danilo G. Baio from comment #1)

There is following sentence in "Severity" section of http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

>  This problem is limited to the Squid custom ESI parser.
> Squid built to use libxml2 or libexpat XML parsers do not have
> this problem.

And there is following setting in Makefiles of both www/squid and www/squid-devel:

> ESI_CFLAGS=                     -I${LOCALBASE}/include -I${LOCALBASE}/include/libxml2
> ESI_CONFIGURE_ENABLE=           esi
> ESI_LDFLAGS=                    -L${LOCALBASE}/lib
> ESI_LIB_DEPENDS=                libexpat.so:textproc/expat2 \
>                                 libxml2.so:textproc/libxml2

So I think CVE-2018-1000024 doesn't affect to FreeBSD squid ports.
Comment 3 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-23 14:41:44 UTC 
(In reply to Yasuhiro KIMURA from comment #2)

The default esi_parser is the custom one.
So to not be vulnerable, you also need to change the config file to use libxml2 or expat explicitly.
Comment 4 Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 14:45:08 UTC 
(In reply to Danilo G. Baio from comment #3)

OK. I understood. Thank you for quick reply.
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-02-23 20:35:57 UTC 
A commit references this bug:

Author: dbaio
Date: Fri Feb 23 20:35:13 UTC 2018
New revision: 462744
URL: https://svnweb.freebsd.org/changeset/ports/462744

Log:
  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  MFH:		2018Q1
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

Changes:
  head/www/squid/Makefile
  head/www/squid/files/patch-src_client__side__request.cc
  head/www/squid/files/patch-src_esi_CustomParser.cc
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-02-25 13:18:52 UTC 
A commit references this bug:

Author: dbaio
Date: Sun Feb 25 13:18:31 UTC 2018
New revision: 462952
URL: https://svnweb.freebsd.org/changeset/ports/462952

Log:
  MFH: r462146 r462744

  Use BROKEN_SSL

  Approved by:	portmgr (blanket)

  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/squid/Makefile
  branches/2018Q1/www/squid/files/patch-src_client__side__request.cc
  branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc
Comment 7 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-25 13:21:05 UTC 
Committed, thanks!