Bug 226139 - www/squid: Fixes security vulnerabilities (CVE-2018-1000024, CVE-2018-1000027)
Summary: www/squid: Fixes security vulnerabilities (CVE-2018-1000024, CVE-2018-1000027)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Danilo G. Baio
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-02-23 12:04 UTC by Yasuhiro Kimura
Modified: 2018-02-25 13:21 UTC (History)
2 users (show)

See Also:
dbaio: maintainer-feedback+
dbaio: merge-quarterly+


Attachments
patch file (1.64 KB, patch)
2018-02-23 12:04 UTC, Yasuhiro Kimura
no flags Details | Diff
squid-3.5.27_3.patch (3.77 KB, patch)
2018-02-23 13:53 UTC, Danilo G. Baio
timp87: maintainer-approval+
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Yasuhiro Kimura 2018-02-23 12:04:13 UTC
Created attachment 190916 [details]
patch file

* Add patch to fix DoS issue (CVE-2018-1000027).
* Bump PORTREVISION.

And bug #226138 adds entry for this issue to vuxml. So please commit it too.
Comment 1 Danilo G. Baio freebsd_committer 2018-02-23 13:53:03 UTC
Created attachment 190918 [details]
squid-3.5.27_3.patch

It includes the second patch as well
Comment 2 Yasuhiro Kimura 2018-02-23 14:08:32 UTC
(In reply to Danilo G. Baio from comment #1)

There is following sentence in "Severity" section of http://www.squid-cache.org/Advisories/SQUID-2018_1.txt

>  This problem is limited to the Squid custom ESI parser.
> Squid built to use libxml2 or libexpat XML parsers do not have
> this problem.

And there is following setting in Makefiles of both www/squid and www/squid-devel:

> ESI_CFLAGS=                     -I${LOCALBASE}/include -I${LOCALBASE}/include/libxml2
> ESI_CONFIGURE_ENABLE=           esi
> ESI_LDFLAGS=                    -L${LOCALBASE}/lib
> ESI_LIB_DEPENDS=                libexpat.so:textproc/expat2 \
>                                 libxml2.so:textproc/libxml2

So I think CVE-2018-1000024 doesn't affect to FreeBSD squid ports.
Comment 3 Danilo G. Baio freebsd_committer 2018-02-23 14:41:44 UTC
(In reply to Yasuhiro KIMURA from comment #2)

The default esi_parser is the custom one.
So to not be vulnerable, you also need to change the config file to use libxml2 or expat explicitly.
Comment 4 Yasuhiro Kimura 2018-02-23 14:45:08 UTC
(In reply to Danilo G. Baio from comment #3)

OK. I understood. Thank you for quick reply.
Comment 5 commit-hook freebsd_committer 2018-02-23 20:35:57 UTC
A commit references this bug:

Author: dbaio
Date: Fri Feb 23 20:35:13 UTC 2018
New revision: 462744
URL: https://svnweb.freebsd.org/changeset/ports/462744

Log:
  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  MFH:		2018Q1
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

Changes:
  head/www/squid/Makefile
  head/www/squid/files/patch-src_client__side__request.cc
  head/www/squid/files/patch-src_esi_CustomParser.cc
Comment 6 commit-hook freebsd_committer 2018-02-25 13:18:52 UTC
A commit references this bug:

Author: dbaio
Date: Sun Feb 25 13:18:31 UTC 2018
New revision: 462952
URL: https://svnweb.freebsd.org/changeset/ports/462952

Log:
  MFH: r462146 r462744

  Use BROKEN_SSL

  Approved by:	portmgr (blanket)

  www/squid: Fixes security vulnerabilities

  Add patches to fix CVE's:
    CVE-2018-1000024
    CVE-2018-1000027

  PR:		226139
  Submitted by:	Yasuhiro KIMURA <yasu@utahime.org>
  Approved by:	timp87@gmail.com (maintainer)
  Security:	d5b6d151-1887-11e8-94f7-9c5c8e75236a

  Approved by:	ports-secteam (riggs)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/www/squid/Makefile
  branches/2018Q1/www/squid/files/patch-src_client__side__request.cc
  branches/2018Q1/www/squid/files/patch-src_esi_CustomParser.cc
Comment 7 Danilo G. Baio freebsd_committer 2018-02-25 13:21:05 UTC
Committed, thanks!