Bug 76173

Summary: [Maintainer/Security] www/squid: fix two security issues
Product: Ports & Packages
Reporter: Thomas-Martin Seck <tmseck>
Component: Individual Port(s)
Assignee: Simon L. B. Nielsen <simon>
Status: Closed FIXED
Severity: Affects Only Me
CC: security-team
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description Thomas-Martin Seck 2005-01-12 19:30:26 UTC
- Integrate vendor patches as published on
  <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
  issues (security-team CC'ed):
  + prevent a possible denial of service attack via WCCP messages (squid bug
    #1190), classified as security issue by the vendor
  + fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
    #1189), classified as security issue by the vendor
  + fix a null pointer access and plug memory leaks in the fake_auth NTLM
    helper (squid bug #1183) (this helper app is not installed by default by
    the port)
  + stop closing open file descriptors beyond stdin, stdout and stderr on
    startup (squid bug #1177)

- unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
  nagilum.de>" for reporting this)

Proposed VuXML information for the two security issues, entry dates left to be
filled in:

<vuln vid="5fe7e27a-64cb-11d9-9e1e-c296ac722cb3">
	<topic>squid -- Denial Of Service With Forged WCCP Messages</topic>
	<affects>
		<package>
			<name>squid</name>
			<range><lt>2.5.7_6</lt></range>
		</package>
	</affects>
	<description>
		<body xmlns="http://www.w3.org/1999/xhtml">
		<p>The squid patches page notes:</p>
		<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth">
		<p>WCCP_I_SEE_YOU messages contain a 'number of caches' field
		which should be between 1 and 32. Values outside that range may
		crash Squid if WCCP is enabled, and if an attacker can spoof
		UDP packets with the WCCP router's IP address.</p>
		</blockquote>
		<p>Note: the WCCP protocol is not enabled by default in squid's
		FreeBSD port.</p>
		</body>
	</description>
	<references>
		<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth</url>
	</references>
	<dates>
		<discovery>2005-01-11</discovery>
		<entry>YYYY-MM-DD</entry>
	</dates>
</vuln>

<vuln vid="184ab9e0-64cd-11d9-9e1e-c296ac722cb3">
	<topic>squid -- Buffer Overflow Bug in gopherToHTML</topic>
	<affects>
		<package>
			<name>squid</name>
			<range><lt>2.5.7_6</lt></range>
		</package>
	</affects>
	<description>
		<body xmlns="http://www.w3.org/1999/xhtml">
		<p>The squid patches page notes:</p>
		<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing">
		<p>A malicious gopher server may return a response with very
		long lines that cause a buffer overflow in Squid.</p>
		<p>workaround: Since gopher is very obscure these days, do not
		allow Squid to any gopher servers. Use an ACL rule like:</p>
		<pre>
    acl Gopher proto gopher
    http_access deny Gopher
		</pre>
		</blockquote>
		</body>
	</description>
	<references>
		<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing</url>
	</references>
	<dates>
		<discovery>2005-01-11</discovery>
		<entry>YYYY-MM-DD</entry>
	</dates>
</vuln>

Fix: Apply this patch:
Comment 1 Simon L. B. Nielsen freebsd_committer freebsd_triage 2005-01-12 20:54:00 UTC
Responsible Changed
From-To: freebsd-ports-bugs->simon

I will take this one.
Comment 2 Simon L. B. Nielsen freebsd_committer freebsd_triage 2005-01-12 22:57:36 UTC
State Changed
From-To: open->closed

Committed, thanks!
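
The range check that the WCCP entry above describes ('number of caches' must be between 1 and 32), shown as an added example; it is not part of this report or of the vendor's patch. The 20-byte header, the 44-byte entry size and all function names are assumptions made for illustration, and the sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CACHES  32u  /* upper bound quoted in the advisory */
#define HDR_BYTES   20u  /* assumed header: type, version, change, id, number */
#define ENTRY_BYTES 44u  /* assumed size of one per-cache entry */

/* Decode a big-endian 32-bit field byte by byte (no alignment assumptions). */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Return the cache count (1..32) if the datagram is safe to parse, else -1. */
int wccp_checked_cache_count(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < HDR_BYTES)
        return -1;                      /* too short to hold the count field */
    uint32_t n = be32(buf + 16);        /* untrusted 'number of caches' */
    if (n < 1 || n > MAX_CACHES)
        return -1;                      /* outside the range the advisory gives */
    if (len - HDR_BYTES < (size_t)n * ENTRY_BYTES)
        return -1;                      /* claims more entries than were received */
    return (int)n;
}

/* Constructed sample: zeroed datagram with a chosen count and entry payload. */
size_t build_sample(unsigned char *out, size_t cap, uint32_t number, size_t entries)
{
    size_t need = HDR_BYTES + entries * ENTRY_BYTES;
    if (need > cap)
        return 0;
    memset(out, 0, need);
    out[16] = (unsigned char)(number >> 24);
    out[17] = (unsigned char)(number >> 16);
    out[18] = (unsigned char)(number >> 8);
    out[19] = (unsigned char)number;
    return need;
}

int main(void)
{
    unsigned char pkt[HDR_BYTES + MAX_CACHES * ENTRY_BYTES];
    uint32_t counts[] = { 3, 0, 33, 0xFFFFFFFFu };
    for (size_t i = 0; i < 4; i++) {
        size_t len = build_sample(pkt, sizeof pkt, counts[i], 3);
        printf("number=%u -> %d\n", (unsigned)counts[i], wccp_checked_cache_count(pkt, len));
    }
    return 0;
}
```

The count is validated before it is used as a loop bound or array index, and the datagram length is checked against the claimed number of entries so a short packet cannot cause a read past the received data.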