Two vulnerabilities,
 - cross-site scripting, http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html
 - denial of service, http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html
were fixed in SquidClamav 5.8.

Fix:
The patch at http://codelabs.ru/fbsd/ports/squidclamav/fix-cve-2012-3501-and-4667.diff contains backported fixes and compiles for me. If you will use this patch rather than upgrading to 5.8, VuXML entries should be changed to have version "5.7_1" instead of "5.8" in the version range specification.

How-To-Repeat:
Look at the above pages and http://squidclamav.darold.net/news.html
Responsible Changed
From-To: freebsd-ports-bugs->eadler

eadler@ wants his PRs (via the GNATS Auto Assign Tool)

Maintainer of security/squidclamav,

Please note that PR ports/171022 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171022

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org

State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Author: rea Date: Tue Sep 4 13:45:28 2012 New Revision: 303652 URL: http://svn.freebsd.org/changeset/ports/303652 Log: security/squidclamav: fix DoS and XSS vulnerabilities Apply upstream patches for CVE-2012-3501 and CVE-2012-4667. Security: http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html Security: http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html PR: 171022 QA page: http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1 Approved by: maintainer timeout (1 week) Added: head/security/squidclamav/files/patch-cve-2012-3501 (contents, props changed) head/security/squidclamav/files/patch-cve-2012-4667 (contents, props changed) Modified: head/security/squidclamav/Makefile head/security/vuxml/vuln.xml Modified: head/security/squidclamav/Makefile ============================================================================== --- head/security/squidclamav/Makefile Tue Sep 4 11:54:30 2012 (r303651) +++ head/security/squidclamav/Makefile Tue Sep 4 13:45:28 2012 (r303652) @@ -7,6 +7,7 @@ PORTNAME= squidclamav PORTVERSION= 5.7 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF Added: head/security/squidclamav/files/patch-cve-2012-3501 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/squidclamav/files/patch-cve-2012-3501 Tue Sep 4 13:45:28 2012 (r303652) 
@@ -0,0 +1,71 @@ +Fix CVE-2012-3501, DoS when external URL checker is used + +This fix was integrated into 6.7 and 5.8. + +Obtained-from: https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00.diff + +--- src/squidclamav.c.orig 2010-12-11 15:20:46.000000000 +0300 ++++ src/squidclamav.c 2012-08-25 15:55:51.708586983 +0400 +@@ -62,6 +62,7 @@ + static char * escape_quote (char *s); + void timeit (struct timeval start, char *level); + int dconnect (void); ++char * replace(const char *s, const char *old, const char *new); + void replace_chr(char string[], char *from, char *to); + void free_global (); /* routine to free global pointer */ + void freeBuff (struct IN_BUFF); +@@ -474,11 +475,15 @@ + /* chaining with SquidGuard - before bridge mode or not*/ + if ((bridge_mode == 0) && (squidguard != NULL)) { + if (usepipe == 1) { ++ char *rbuff = NULL; ++ /* escaping escaped character to prevent unescaping by squidguard */ ++ rbuff = replace(rbuff, "%", "%25"); + if (debug > 0) + logit(log_file, "DEBUG Sending request to chained program: %s\n", squidguard); + fprintf(sgfpw,"%s\n",sbuff); + fflush(sgfpw); + xfree(escaped); ++ xfree(rbuff); + escaped = NULL; + /* the chained redirector must return empty line if ok or the redirection url */ + chain_ret = (char *)malloc(sizeof(char)*MAX_URL); +@@ -1114,3 +1119,38 @@ + } + + ++/** ++ * Searches all occurrences of old into s ++ * and replaces with new ++ */ ++char * ++replace(const char *s, const char *old, const char *new) ++{ ++ char *ret; ++ int i, count = 0; ++ size_t newlen = strlen(new); ++ size_t oldlen = strlen(old); ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (strstr(&s[i], old) == &s[i]) { ++ count++; ++ i += oldlen - 1; ++ } ++ } ++ ret = malloc(i + 1 + count * (newlen - oldlen)); ++ if (ret != NULL) { ++ i = 0; ++ while (*s) { ++ if (strstr(s, old) == s) { ++ strcpy(&ret[i], new); ++ i += newlen; ++ s += oldlen; ++ } else { ++ ret[i++] = *s++; ++ } ++ } ++ ret[i] = '\0'; ++ } ++ ++ return 
ret; ++} Added: head/security/squidclamav/files/patch-cve-2012-4667 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/squidclamav/files/patch-cve-2012-4667 Tue Sep 4 13:45:28 2012 (r303652) 
@@ -0,0 +1,124 @@ +Fixes CVE-2012-4667, XSS in clwarn.cgi + +Integrated to 5.8 and 6.7. + +Obtained-from: https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b.diff + +diff --git a/cgi-bin/clwarn.cgi b/cgi-bin/clwarn.cgi +index 9333bef..a43eca7 100755 +--- cgi-bin/clwarn.cgi ++++ cgi-bin/clwarn.cgi +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; +diff --git a/cgi-bin/clwarn.cgi.de_DE b/cgi-bin/clwarn.cgi.de_DE +index 700c3df..3f21180 100755 +--- cgi-bin/clwarn.cgi.de_DE ++++ cgi-bin/clwarn.cgi.de_DE +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "Virus Alarm"; + my $subtitle = 'enthält folgenden Virus'; +diff --git a/cgi-bin/clwarn.cgi.en_EN b/cgi-bin/clwarn.cgi.en_EN +index d246e54..6e70e46 100755 +--- cgi-bin/clwarn.cgi.en_EN ++++ cgi-bin/clwarn.cgi.en_EN +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || 
''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contains the virus'; +diff --git a/cgi-bin/clwarn.cgi.fr_FR b/cgi-bin/clwarn.cgi.fr_FR +index c0b3896..323fa30 100755 +--- cgi-bin/clwarn.cgi.fr_FR ++++ cgi-bin/clwarn.cgi.fr_FR +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contient le virus'; +diff --git a/cgi-bin/clwarn.cgi.pt_BR b/cgi-bin/clwarn.cgi.pt_BR +index 6bf12a0..1a6492a 100755 +--- cgi-bin/clwarn.cgi.pt_BR ++++ cgi-bin/clwarn.cgi.pt_BR +@@ -7,8 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; ++$source =~ s/\/-//; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Foi detectado um vírus!"; + my $subtitle = 'está infectada pelo vírus'; +diff --git a/cgi-bin/clwarn.cgi.ru_RU b/cgi-bin/clwarn.cgi.ru_RU +index 21e4d94..1e82a0b 100755 +--- cgi-bin/clwarn.cgi.ru_RU ++++ cgi-bin/clwarn.cgi.ru_RU +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = 
$cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: ÐбнаÑÑжен виÑÑÑ!"; + my $subtitle = 'ÑодеÑÐ¶Ð¸Ñ Ð²Ð¸ÑÑÑ'; Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 4 11:54:30 2012 (r303651) +++ head/security/vuxml/vuln.xml Tue Sep 4 13:45:28 2012 (r303652) @@ -695,7 +695,7 @@ Note: Please add new entries to the beg <affects> <package> <name>squidclamav</name> - <range><lt>5.8</lt></range> + <range><lt>5.7_1</lt></range> <range><ge>6.0</ge><lt>6.7</lt></range> </package> </affects> @@ -722,6 +722,7 @@ Note: Please add new entries to the beg <dates> <discovery>2012-07-24</discovery> <entry>2012-08-25</entry> + <modified>2012-09-04</modified> </dates> </vuln> _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
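Review bot: In the src/squidclamav.c hunk at @@ -474,11 +475,15 @@, `rbuff = replace(rbuff, "%", "%25");` passes rbuff itself, which the line above initialises to NULL, so replace() reads s[0] through a null pointer as soon as the usepipe branch runs. The unchanged context line `fprintf(sgfpw,"%s\n",sbuff);` also still writes sbuff, so the escaped copy is never what reaches the chained program. Suggest calling replace() on the buffer that is actually written (sbuff in the visible context), checking the result for NULL, and passing rbuff to the fprintf before the xfree(rbuff).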
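Review bot: In the replace() helper added by the @@ -1114,3 +1119,38 @@ hunk, `strstr(&s[i], old) == &s[i]` is used as a prefix test, which rescans the rest of the string at every position and makes the function quadratic on input that contains no match; `strncmp(&s[i], old, oldlen) == 0` does the same test in bounded time. The function also has no guard for a NULL s or an empty old: with oldlen == 0 the `i += oldlen - 1` step cancels the loop increment and the counting loop does not terminate. Since the helper is declared non-static, an early `return NULL` for those two cases, plus a comment saying the caller owns and frees the result, would make it safe to reuse.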
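Review bot: In the cgi-bin/clwarn.cgi hunk, and in the identical lines of the de_DE, en_EN, fr_FR, pt_BR and ru_RU copies, `CGI::escapeHTML($cgi->param('url'))` calls param() in list context, so a request that repeats the parameter hands escapeHTML more than one argument and only the first value is treated as the string to encode. Suggest forcing scalar context for all four values, for example `CGI::escapeHTML(scalar $cgi->param('url')) || ''`, so each variable is always exactly one escaped string.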
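Review bot: The head/security/vuxml/vuln.xml hunks change a single `<range><lt>5.8</lt></range>` to `5.7_1` and add one `<modified>` date, while the commit log cites two VuXML entries (ce680f0a-eea6-11e1-8bd8-0022156e8794 and 8defa0f9-ee8a-11e1-8bd8-0022156e8794). If the other entry still carries `<lt>5.8</lt>`, the patched 5.7_1 port will keep being reported as vulnerable under it; please confirm both entries have the new range, each with its own `<modified>` date.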
State Changed
From-To: feedback->closed

Committed the fix.
---------- Forwarded message ----------
From: Laurent LEVIER <llevier@argosnet.com>
Date: 10 September 2012 13:10
Subject: Re: ports/171022: [vuxml][patch] security/squidclamav: fix CVE-2012-3501 and CVE-2012-4667
To: eadler@freebsd.org

The following reply was made to PR ports/171022; it has been noted by GNATS.

From: Laurent LEVIER <llevier@argosnet.com>
To: bug-followup@FreeBSD.org
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/171022: [vuxml][patch] security/squidclamav: fix CVE-2012-3501 and CVE-2012-4667
Date: Mon, 10 Sep 2012 19:01:51 +0200

Hi Edwin,

Sorry for late answer, I am on vacation for 2 more weeks.
From here, I can hardly check, my Android does not host FreeBSD ;-)
I'll process once back.

Thanks
Brgrds

At 14:20 25/08/2012, Edwin Groothuis wrote:
>Maintainer of security/squidclamav,
>
>Please note that PR ports/171022 has just been submitted.
>
>If it contains a patch for an upgrade, an enhancement or a bug fix
>you agree on, reply to this email stating that you approve the patch
>and a committer will take care of it.
>
>The full text of the PR can be found at:
>    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/171022
>
>--
>Edwin Groothuis via the GNATS Auto Assign Tool
>edwin@FreeBSD.org

--
Eitan Adler
Source & Ports committer
X11, Bugbusting teams