Bug 226139

Summary: www/squid: Fixes security vulnerabilities (CVE-2018-1000024, CVE-2018-1000027)
Product: Ports & Packages Reporter: Yasuhiro Kimura <yasu>
Component: Individual Port(s)Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED    
Severity: Affects Many People CC: dbaio, timp87
Priority: --- Flags: dbaio: maintainer-feedback+
dbaio: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226138
Attachments:
Description Flags
patch file
none
squid-3.5.27_3.patch timp87: maintainer-approval+

Description Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 12:04:13 UTC 
Created attachment 190916 [details]
patch file

* Add patch to fix DoS issue (CVE-2018-1000027).
* Bump PORTREVISION.

And bug #226138 adds entry for this issue to vuxml. So please commit it too.
Comment 1 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-23 13:53:03 UTC 
Created attachment 190918 [details]
squid-3.5.27_3.patch

It includes the second patch as well
Comment 2 Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 14:08:32 UTC 
(In reply to Danilo G. Baio from comment #1)

There is following sentence in "Severity" section of http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

>  This problem is limited to the Squid custom ESI parser.
> Squid built to use libxml2 or libexpat XML parsers do not have
> this problem.

And there is following setting in Makefiles of both www/squid and www/squid-devel:

> ESI_CFLAGS=                     -I${LOCALBASE}/include -I${LOCALBASE}/include/libxml2
> ESI_CONFIGURE_ENABLE=           esi
> ESI_LDFLAGS=                    -L${LOCALBASE}/lib
> ESI_LIB_DEPENDS=                libexpat.so:textproc/expat2 \
>                                 libxml2.so:textproc/libxml2

So I think CVE-2018-1000024 doesn't affect to FreeBSD squid ports.
Comment 3 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-23 14:41:44 UTC 
(In reply to Yasuhiro KIMURA from comment #2)

The default esi_parser is the custom one.
So to not be vulnerable, you also need to change the config file to use libxml2 or expat explicitly.
Comment 4 Yasuhiro Kimura freebsd_committer freebsd_triage 2018-02-23 14:45:08 UTC 
(In reply to Danilo G. Baio from comment #3)

OK. I understood. Thank you for quick reply.
Comment 5 commit-hook freebsd_committer freebsd_triage 2018-02-23 20:35:57 UTC 
A commit references this bug:

Author: dbaio
Date: Fri Feb 23 20:35:13 UTC 2018
New revision: 462744
URL: https://svnweb.freebsd.org/changeset/ports/462744

Log:
  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  MFH:		2018Q1
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

Changes:
  head/www/squid/Makefile
  head/www/squid/files/patch-src_client__side__request.cc
  head/www/squid/files/patch-src_esi_CustomParser.cc
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-02-25 13:18:52 UTC 
A commit references this bug:

Author: dbaio
Date: Sun Feb 25 13:18:31 UTC 2018
New revision: 462952
URL: https://svnweb.freebsd.org/changeset/ports/462952

Log:
  MFH: r462146 r462744

  Use BROKEN_SSL

  Approved by:	portmgr (blanket)

  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/squid/Makefile
  branches/2018Q1/www/squid/files/patch-src_client__side__request.cc
  branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc
Comment 7 Danilo G. Baio freebsd_committer freebsd_triage 2018-02-25 13:21:05 UTC 
Committed, thanks!