
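--- a/distinfo
+++ b/distinfo
@@ -48,3 +48,5 @@
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198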
(-)files/follow_xff-configure.patch (-5 / +18 lines)
Lines 1-10 Link Here
1
!Patch configure directly to enable testing for the
1
!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
2
!--enable-follow-x-forwarding-for configuration option
2
!
3
!instead of running configure.in through autoconf as in the
4
!original follow-XFF patchset from devel.squid-cache.org.
5
!Beware that all line number informations in configure.log greater
3
!Beware that all line number informations in configure.log greater
6
!than 2972 are offset by -29 (correcting all line numbers would have
4
!than 2972 are offset by at least -29 (correcting all line numbers would have
7
!bloated the patch by 92kB!)
5
!bloated the patch by 92kB!)
6
--- include/autoconf.h.in.orig	Sat Jan 18 02:46:11 2003
7
+++ include/autoconf.h.in	Thu Jun 24 13:19:07 2004
8
@@ -291,6 +291,12 @@
9
 #define USE_IDENT 1
10
 
11
 /*
12
+ * Compile in support for following X-Forwarded-For headers?
13
+ * Enabled by default.
14
+ */
15
+#define FOLLOW_X_FORWARDED_FOR 1
16
+
17
+/*
18
  * If your system has statvfs(), and if it actually works!
19
  */
20
 #undef HAVE_STATVFS
8
--- configure.orig	Tue Mar  2 10:18:14 2004
21
--- configure.orig	Tue Mar  2 10:18:14 2004
9
+++ configure	Tue Mar  2 10:18:56 2004
22
+++ configure	Tue Mar  2 10:18:56 2004
10
@@ -222,6 +222,12 @@
23
@@ -222,6 +222,12 @@
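Review bot: The added autoconf.h.in comment (`Compile in support for following X-Forwarded-For headers? Enabled by default.`) does not say that the header is supplied by the client, which matters because the define switches the feature on for every build of the port. I would extend the comment with a line like ` * The header is client-controlled; trust it only from peers named in squid.conf.`, assuming the patchset gates it through its `follow_x_forwarded_for` access list as later Squid releases do. The configure hunk that follows continues past the lines shown here, so whether a switch to disable the feature remains was not checked.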
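--- a/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ b/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig	Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c	Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024];	/* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2];	/* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
-     int rv;
--    char pass[25] /*, encrypted_pass[40] */;
-+    char pass[MAX_PASSWD_LEN+1];
-     char *domain = credentials;
-     char *user;
-     lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_DOMAIN_LEN) {
-+	debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(domain, tmp.str, tmp.l);
-     user = domain + tmp.l;
-     *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
-+    if (tmp.l > MAX_USERNAME_LEN) {
-+	debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-     memcpy(user, tmp.str, tmp.l);
-     *(user + tmp.l) = '\0';
- 
- 		
--		/* Authenticating against the NT response doesn't seem to work... */
-+    /* Authenticating against the NT response doesn't seem to work... */
-     tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
-     if (tmp.str == NULL || tmp.l == 0) {
- 	fprintf(stderr, "No auth at all. Returning no-auth\n");
- 	ntlm_errno = NTLM_LOGON_ERROR;
- 	return NULL;
-     }
--		
-+    if (tmp.l > MAX_PASSWD_LEN) {
-+	debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+	ntlm_errno = NTLM_LOGON_ERROR;
-+	return NULL;
-+    }
-+
-     memcpy(pass, tmp.str, tmp.l);
--    pass[25] = '\0';
-+    pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- 		debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"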
(-)Makefile (-3 / +4 lines)
Lines 29-35 Link Here
29
29
30
PORTNAME=	squid
30
PORTNAME=	squid
31
PORTVERSION=	2.5.5
31
PORTVERSION=	2.5.5
32
PORTREVISION=	11
32
PORTREVISION=	12
33
CATEGORIES=	www
33
CATEGORIES=	www
34
MASTER_SITES=	\
34
MASTER_SITES=	\
35
		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
35
		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
Lines 65-71 Link Here
65
		squid-2.5.STABLE5-dns_localhost.patch \
65
		squid-2.5.STABLE5-dns_localhost.patch \
66
		squid-2.5.STABLE5-msnt_auth_doc.patch \
66
		squid-2.5.STABLE5-msnt_auth_doc.patch \
67
		squid-2.5.STABLE5-CONNECT_log_size.patch \
67
		squid-2.5.STABLE5-CONNECT_log_size.patch \
68
		squid-2.5.STABLE5-proxy_abuse.patch
68
		squid-2.5.STABLE5-proxy_abuse.patch \
69
		squid-2.5.STABLE5-ntlm_auth_overflow.patch
69
PATCH_DIST_STRIP=	-p1
70
PATCH_DIST_STRIP=	-p1
70
71
71
MAINTAINER=	tmseck@netcologne.de
72
MAINTAINER=	tmseck@netcologne.de
Lines 123-129 Link Here
123
124
124
# Authentication methods and modules:
125
# Authentication methods and modules:
125
126
126
basic_auth=	NCSA PAM YP MSNT winbind
127
basic_auth=	NCSA PAM YP MSNT SMB winbind
127
external_acl=	ip_user unix_group wbinfo_group winbind_group
128
external_acl=	ip_user unix_group wbinfo_group winbind_group
128
MAN8+=		pam_auth.8 squid_unix_group.8
129
MAN8+=		pam_auth.8 squid_unix_group.8
129
.if defined(WITH_SQUID_LDAP_AUTH)
130
.if defined(WITH_SQUID_LDAP_AUTH)
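Review bot: The second hunk moves the NTLM overflow fix out of the port's own `files/` directory and into a fetched distfile, `squid-2.5.STABLE5-ntlm_auth_overflow.patch`, and nothing in the Makefile records which advisory that file covers. A comment above the patch list such as `# ntlm_auth_overflow.patch: fix for CAN-2004-0541, replaces files/patch-helpers-ntlm_auth-SMB-libntlmssp.c` would keep that traceable; the list itself starts outside the hunk. Since the fix now depends on a download (the only fetch URL visible here is `ftp://`, and distinfo carries an MD5 and SIZE for it), it is worth confirming that the upstream patch still contains the three length checks of the removed local patch. The third hunk also adds `SMB` to `basic_auth=`, which widens the set of helpers built by default and looks unrelated to the overflow fix; a line in the change description would help.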
