Bug 171022

Summary: [vuxml][patch] security/squidclamav: fix CVE-2012-3501 and CVE-2012-4667
Product: Ports & Packages
Reporter: Eygene Ryabinkin <rea>
Component: Individual Port(s)
Assignee: Eitan Adler <eadler>
Status: Closed FIXED
Severity: Affects Only Me
CC: llevier
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Eygene Ryabinkin freebsd_committer freebsd_triage 2012-08-25 13:20:01 UTC
Two vulnerabilities,
 - cross-site scripting,
     http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html
 - denial of service,
     http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html
were fixed in SquidClamav 5.8.

Fix: 

The patch at
  http://codelabs.ru/fbsd/ports/squidclamav/fix-cve-2012-3501-and-4667.diff
contains backported fixes and compiles for me.  If you use this
patch rather than upgrading to 5.8, VuXML entries should be changed to
have version "5.7_1" instead of "5.8" in the version range
specification.
How-To-Repeat: 
Look at the above pages and
  http://squidclamav.darold.net/news.html
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-25 13:20:15 UTC
Responsible Changed
From-To: freebsd-ports-bugs->eadler

eadler@ wants his PRs (via the GNATS Auto Assign Tool)
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-25 13:20:18 UTC
Maintainer of security/squidclamav,

Please note that PR ports/171022 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171022

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 3 Edwin Groothuis freebsd_committer freebsd_triage 2012-08-25 13:20:20 UTC
State Changed
From-To: open->feedback

Awaiting maintainer's feedback (via the GNATS Auto Assign Tool)
Comment 4 dfilter service freebsd_committer freebsd_triage 2012-09-04 14:45:44 UTC
Author: rea
Date: Tue Sep  4 13:45:28 2012
New Revision: 303652
URL: http://svn.freebsd.org/changeset/ports/303652

Log:
  security/squidclamav: fix DoS and XSS vulnerabilities
  
  Apply upstream patches for CVE-2012-3501 and CVE-2012-4667.
  
  Security:	http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html
  Security:	http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html
  PR:		171022
  QA page:	http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1
  Approved by:	maintainer timeout (1 week)

Added:
  head/security/squidclamav/files/patch-cve-2012-3501   (contents, props changed)
  head/security/squidclamav/files/patch-cve-2012-4667   (contents, props changed)
Modified:
  head/security/squidclamav/Makefile
  head/security/vuxml/vuln.xml

Modified: head/security/squidclamav/Makefile
==============================================================================
--- head/security/squidclamav/Makefile	Tue Sep  4 11:54:30 2012	(r303651)
+++ head/security/squidclamav/Makefile	Tue Sep  4 13:45:28 2012	(r303652)
@@ -7,6 +7,7 @@
 
 PORTNAME=	squidclamav
 PORTVERSION=	5.7
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	SF
 

Added: head/security/squidclamav/files/patch-cve-2012-3501
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/squidclamav/files/patch-cve-2012-3501	Tue Sep  4 13:45:28 2012	(r303652)
@@ -0,0 +1,71 @@
+Fix CVE-2012-3501, DoS when external URL checker is used
+
+This fix was integrated into 6.7 and 5.8.
+
+Obtained-from: https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00.diff
+
+--- src/squidclamav.c.orig	2010-12-11 15:20:46.000000000 +0300
++++ src/squidclamav.c	2012-08-25 15:55:51.708586983 +0400
+@@ -62,6 +62,7 @@
+ static char * escape_quote (char *s);
+ void timeit (struct timeval start, char *level);
+ int dconnect (void);
++char * replace(const char *s, const char *old, const char *new);
+ void replace_chr(char string[], char *from, char *to);
+ void free_global ();		/* routine to free global pointer */
+ void freeBuff (struct IN_BUFF);
+@@ -474,11 +475,15 @@
+       /* chaining with SquidGuard - before bridge mode or not*/
+       if ((bridge_mode == 0) && (squidguard != NULL)) {
+ 		if (usepipe == 1) {
++ 			char *rbuff = NULL;
++			/* escaping escaped character to prevent unescaping by squidguard */
++			rbuff = replace(rbuff, "%", "%25");
+ 			if (debug > 0)
+ 			    logit(log_file, "DEBUG Sending request to chained program: %s\n", squidguard);
+ 			fprintf(sgfpw,"%s\n",sbuff);
+ 			fflush(sgfpw);
+ 			xfree(escaped);
++			xfree(rbuff);
+ 			escaped = NULL;
+ 			/* the chained redirector must return empty line if ok or the redirection url */
+ 			chain_ret = (char *)malloc(sizeof(char)*MAX_URL);
+@@ -1114,3 +1119,38 @@
+ }
+ 
+ 
++/**
++ * Searches all occurrences of old into s
++ * and replaces with new
++ */
++char *
++replace(const char *s, const char *old, const char *new)
++{
++	char *ret;
++	int i, count = 0;
++	size_t newlen = strlen(new);
++	size_t oldlen = strlen(old);
++
++	for (i = 0; s[i] != '\0'; i++) {
++		if (strstr(&s[i], old) == &s[i]) {
++			count++;
++			i += oldlen - 1;
++		}
++	}
++	ret = malloc(i + 1 + count * (newlen - oldlen));
++	if (ret != NULL) {
++		i = 0;
++		while (*s) {
++			if (strstr(s, old) == s) {
++				strcpy(&ret[i], new);
++				i += newlen;
++				s += oldlen;
++			} else {
++				ret[i++] = *s++;
++			}
++		}
++		ret[i] = '\0';
++	}
++
++	return ret;
++}
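
Review bot: In the `usepipe == 1` branch, `rbuff` is initialised to NULL and then passed as the source string in `rbuff = replace(rbuff, "%", "%25");`, so `replace()` reads `s[i]` through a NULL pointer on its first loop test; the argument was presumably meant to be the request buffer (`sbuff` or `escaped`). The escaped copy is also never sent: `fprintf(sgfpw,"%s\n",sbuff);` still writes the unescaped `sbuff`, so even with the argument corrected the `%` to `%25` rewrite does not reach the chained program. Suggest building `rbuff` from the buffer that is actually written, checking the result for NULL (`replace()` returns NULL when `malloc` fails), and writing `rbuff` to `sgfpw`. Separately, `replace()` has no guard for an empty `old`: with `oldlen == 0` the counting loop's `i += oldlen - 1` cancels the `i++` and the loop never terminates on a non-empty `s`, so an early return for `oldlen == 0` would make the helper safe for other callers.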

Added: head/security/squidclamav/files/patch-cve-2012-4667
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/squidclamav/files/patch-cve-2012-4667	Tue Sep  4 13:45:28 2012	(r303652)
@@ -0,0 +1,124 @@
+Fixes CVE-2012-4667, XSS in clwarn.cgi
+
+Integrated to 5.8 and 6.7.
+
+Obtained-from: https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b.diff
+
+diff --git a/cgi-bin/clwarn.cgi b/cgi-bin/clwarn.cgi
+index 9333bef..a43eca7 100755
+--- cgi-bin/clwarn.cgi
++++ cgi-bin/clwarn.cgi
+@@ -7,11 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
+-my $source = $cgi->param('source') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
+ $source =~ s/\/-//;
+-my $user = $cgi->param('user') || '';
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ 
+ my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
+diff --git a/cgi-bin/clwarn.cgi.de_DE b/cgi-bin/clwarn.cgi.de_DE
+index 700c3df..3f21180 100755
+--- cgi-bin/clwarn.cgi.de_DE
++++ cgi-bin/clwarn.cgi.de_DE
+@@ -7,11 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
+-my $source = $cgi->param('source') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
+ $source =~ s/\/-//;
+-my $user = $cgi->param('user') || '';
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ my $TITLE_VIRUS = "Virus Alarm";
+ my $subtitle = 'enthält folgenden Virus';
+diff --git a/cgi-bin/clwarn.cgi.en_EN b/cgi-bin/clwarn.cgi.en_EN
+index d246e54..6e70e46 100755
+--- cgi-bin/clwarn.cgi.en_EN
++++ cgi-bin/clwarn.cgi.en_EN
+@@ -7,11 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
+-my $source = $cgi->param('source') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
+ $source =~ s/\/-//;
+-my $user = $cgi->param('user') || '';
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
+ my $subtitle = 'contains the virus';
+diff --git a/cgi-bin/clwarn.cgi.fr_FR b/cgi-bin/clwarn.cgi.fr_FR
+index c0b3896..323fa30 100755
+--- cgi-bin/clwarn.cgi.fr_FR
++++ cgi-bin/clwarn.cgi.fr_FR
+@@ -7,11 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
+-my $source = $cgi->param('source') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
+ $source =~ s/\/-//;
+-my $user = $cgi->param('user') || '';
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection";
+ my $subtitle = 'contient le virus';
+diff --git a/cgi-bin/clwarn.cgi.pt_BR b/cgi-bin/clwarn.cgi.pt_BR
+index 6bf12a0..1a6492a 100755
+--- cgi-bin/clwarn.cgi.pt_BR
++++ cgi-bin/clwarn.cgi.pt_BR
+@@ -7,8 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
++$source =~ s/\/-//;
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ my $TITLE_VIRUS = "SquidClamAv $VERSION: Foi detectado um v&iacute;rus!";
+ my $subtitle = 'est&aacute; infectada pelo v&iacute;rus';
+diff --git a/cgi-bin/clwarn.cgi.ru_RU b/cgi-bin/clwarn.cgi.ru_RU
+index 21e4d94..1e82a0b 100755
+--- cgi-bin/clwarn.cgi.ru_RU
++++ cgi-bin/clwarn.cgi.ru_RU
+@@ -7,11 +7,11 @@ my $VERSION = '6.6';
+ 
+ my $cgi = new CGI;
+ 
+-my $url = $cgi->param('url') || '';
+-my $virus = $cgi->param('virus') || '';
+-my $source = $cgi->param('source') || '';
++my $url = CGI::escapeHTML($cgi->param('url')) || '';
++my $virus = CGI::escapeHTML($cgi->param('virus')) || '';
++my $source = CGI::escapeHTML($cgi->param('source')) || '';
+ $source =~ s/\/-//;
+-my $user = $cgi->param('user') || '';
++my $user = CGI::escapeHTML($cgi->param('user')) || '';
+ 
+ my $TITLE_VIRUS = "SquidClamAv $VERSION: ÐбнаÑÑжен виÑÑÑ!";
+ my $subtitle = 'ÑодеÑÐ¶Ð¸Ñ Ð²Ð¸ÑÑÑ';
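
Review bot: In every `clwarn.cgi*` variant the new calls have the form `CGI::escapeHTML($cgi->param('url'))`, which evaluates `param()` in list context, so a request that repeats a parameter passes extra arguments to `escapeHTML` and a missing one passes an empty list. Forcing scalar context, for example `CGI::escapeHTML(scalar $cgi->param('url'))`, keeps each call to exactly one value. The `clwarn.cgi.pt_BR` hunk (`@@ -7,8 +7,11 @@`) also differs from the others: it does not convert existing lines but introduces `$source` and `$user`, which that file did not read before, so it is worth confirming the pt_BR template actually uses them.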

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Sep  4 11:54:30 2012	(r303651)
+++ head/security/vuxml/vuln.xml	Tue Sep  4 13:45:28 2012	(r303652)
@@ -695,7 +695,7 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
         <name>squidclamav</name>
-        <range><lt>5.8</lt></range>
+        <range><lt>5.7_1</lt></range>
         <range><ge>6.0</ge><lt>6.7</lt></range>
       </package>
     </affects>
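
Review bot: The commit log carries two `Security:` VuXML URLs, but this diff changes only one `<range><lt>5.8</lt></range>` to `5.7_1` and, in the following hunk, adds a single `<modified>` date. If the other entry also lists squidclamav with `<lt>5.8</lt>`, it needs the same range change and its own `<modified>` stamp; otherwise 5.7_1 will still be reported as vulnerable under that entry.
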
@@ -722,6 +722,7 @@ Note:  Please add new entries to the beg
     <dates>
       <discovery>2012-07-24</discovery>
       <entry>2012-08-25</entry>
+      <modified>2012-09-04</modified>
     </dates>
   </vuln>
 
Comment 5 Eygene Ryabinkin freebsd_committer freebsd_triage 2012-09-04 15:26:35 UTC
State Changed
From-To: feedback->closed

Committed the fix.
Comment 6 llevier 2012-09-10 18:01:51 UTC
Hi Edwin,

Sorry for late answer, I am on vacation for 2 more weeks.
From here, I can hardly check, my Android does not host FreeBSD ;-)

I'll process once back.

Thanks

Brgrds

At 14:20 25/08/2012, Edwin Groothuis wrote:
>Maintainer of security/squidclamav,
>
>Please note that PR ports/171022 has just been submitted.
>
>If it contains a patch for an upgrade, an enhancement or a bug fix
>you agree on, reply to this email stating that you approve the patch
>and a committer will take care of it.
>
>The full text of the PR can be found at:
>     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171022
>
>--
>Edwin Groothuis via the GNATS Auto Assign Tool
>edwin@FreeBSD.org
Comment 7 Eitan Adler freebsd_committer freebsd_triage 2012-09-10 18:14:28 UTC
---------- Forwarded message ----------
From: Laurent LEVIER <llevier@argosnet.com>
Date: 10 September 2012 13:10
Subject: Re: ports/171022: [vuxml][patch] security/squidclamav: fix
CVE-2012-3501 and CVE-2012-4667
To: eadler@freebsd.org


The following reply was made to PR ports/171022; it has been noted by GNATS.

From: Laurent LEVIER <llevier@argosnet.com>
To: bug-followup@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/171022: [vuxml][patch] security/squidclamav: fix
  CVE-2012-3501 and CVE-2012-4667
Date: Mon, 10 Sep 2012 19:01:51 +0200

-- 
Eitan Adler
Source & Ports committer
X11, Bugbusting teams