From d3eef0b4716dac147f5f4d1bcdfc49021f698790 Mon Sep 17 00:00:00 2001
From: Thiruvadi Rajaraman
Date: Mon, 5 Jun 2017 15:01:26 +0530
Subject: squid: CVE-2016-10002 fix

Source: https://github.com/squid-cache/
MR: 70135
Type: Security Fix
Disposition: Backport from squid-3.5.23
ChangeID: 2e0f83ac2c4c773dec769f388132cb888e0564d9
Description: squid: Information disclosure in HTTP request processing
Due to incorrect HTTP conditional request handling Squid can deliver responses containing private data to clients it should not have reached. This problem allows a remote attacker to discover private and sensitive information about another clients browsing session. Potentially including credentials which allow access to further sensitive resources.
author: Garri Djavadyan
committer: Amos Jeffries
Signed-off-by: Thiruvadi Rajaraman
Reviewed-by: Armin Kuster
Signed-off-by: Armin Kuster
Signed-off-by: Armin Kuster
---
 .../squid/files/CVE-2016-10002.patch | 221 +++++++++++++++++++++
 .../recipes-daemons/squid/squid_3.5.20.bb | 1 +
 2 files changed, 222 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch
new file mode 100644
index 0000000000..5d4bd85130
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-10002.patch
@@ -0,0 +1,221 @@
+revno: 14109
+revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
+author: Garri Djavadyan , Amos Jeffries
+committer: Amos Jeffries
+branch nick: 3.5
+timestamp: Fri 2016-11-11 19:03:25 +1300
+message:
+ Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
+
+revno: 14126
+revision-id: squid3@treenet.co.nz-20161215103357-827wow3k1y3k9yql
+parent: squid3@treenet.co.nz-20161215093634-ykbs6tv8pdusz7cj
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4169
+author: Garri Djavadyan
+committer: Amos Jeffries
+branch nick: 3.5
+timestamp: Thu 2016-12-15 23:33:57 +1300
+message:
+ Bug 4169: HIT marked as MISS when If-None-Match does not match
+
+Upstream-status: Backport
+
+CVE: CVE-2016-10002
+Signed-off-by: Thiruvadi Rajaraman
+Index: squid-3.5.20/src/LogTags.h
+===================================================================
+--- squid-3.5.20.orig/src/LogTags.h 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/LogTags.h 2017-06-05 13:26:12.476954933 +0530
+@@ -27,6 +27,7 @@
+ LOG_TCP_REFRESH_MODIFIED, // refresh from origin replaced existing entry
+ LOG_TCP_CLIENT_REFRESH_MISS,
+ LOG_TCP_IMS_HIT,
++ LOG_TCP_INM_HIT,
+ LOG_TCP_SWAPFAIL_MISS,
+ LOG_TCP_NEGATIVE_HIT,
+ LOG_TCP_MEM_HIT,
+@@ -53,6 +54,7 @@
+ return
+ (code == LOG_TCP_HIT) ||
+ (code == LOG_TCP_IMS_HIT) ||
++ (code == LOG_TCP_INM_HIT) ||
+ (code == LOG_TCP_REFRESH_FAIL_OLD) ||
+ (code == LOG_TCP_REFRESH_UNMODIFIED) ||
+ (code == LOG_TCP_NEGATIVE_HIT) ||
+Index: squid-3.5.20/src/client_side.cc
+===================================================================
+--- squid-3.5.20.orig/src/client_side.cc 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/client_side.cc 2017-06-05 13:26:12.476954933 +0530
+@@ -415,6 +415,7 @@
+ statCounter.client_http.nearHitSvcTime.count(svc_time);
+ break;
+
++ case LOG_TCP_INM_HIT:
+ case LOG_TCP_IMS_HIT:
+ statCounter.client_http.nearMissSvcTime.count(svc_time);
+ break;
+Index: squid-3.5.20/src/client_side_reply.cc
+===================================================================
+--- squid-3.5.20.orig/src/client_side_reply.cc 2017-06-05 13:26:12.420954931 +0530
++++ squid-3.5.20/src/client_side_reply.cc 2017-06-05 13:33:40.688970895 +0530
+@@ -555,6 +555,7 @@
+ debugs(88, 5, "negative-HIT");
+ http->logType = LOG_TCP_NEGATIVE_HIT;
+ sendMoreData(result);
++ return;
+ } else if (blockedHit()) {
+ debugs(88, 5, "send_hit forces a MISS");
+ http->logType = LOG_TCP_MISS;
+@@ -606,15 +607,17 @@
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+ }
++ return;
+ } else if (r->conditional()) {
+ debugs(88, 5, "conditional HIT");
+- processConditional(result);
+- } else {
+- /*
+- * plain ol' cache hit
+- */
+- debugs(88, 5, "plain old HIT");
++ if (processConditional(result))
++ return;
++ }
+
++ /*
++ * plain ol' cache hit
++ */
++ debugs(88, 5, "plain old HIT");
+ #if USE_DELAY_POOLS
+ if (e->store_status != STORE_OK)
+ http->logType = LOG_TCP_MISS;
+@@ -626,7 +629,6 @@
+ http->logType = LOG_TCP_OFFLINE_HIT;
+
+ sendMoreData(result);
+- }
+ }
+
+ /**
+@@ -720,17 +722,16 @@
+ }
+
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+ StoreEntry *const e = http->storeEntry();
+
+ if (e->getReply()->sline.status() != Http::scOkay) {
+- debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
+- e->getReply()->sline.status() << " != 200");
++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+- return;
++ return true;
+ }
+
+ HttpRequest &r = *http->request;
+@@ -738,51 +739,39 @@
+ if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+ // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+ sendPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- bool matchedIfNoneMatch = false;
+ if (r.header.has(HDR_IF_NONE_MATCH)) {
+- if (!e->hasIfNoneMatchEtag(r)) {
+- // RFC 2616: ignore IMS if If-None-Match did not match
+- r.flags.ims = false;
+- r.ims = -1;
+- r.imslen = 0;
+- r.header.delById(HDR_IF_MODIFIED_SINCE);
+- http->logType = LOG_TCP_MISS;
+- sendMoreData(result);
+- return;
+- }
++ // RFC 7232: If-None-Match recipient MUST ignore IMS
++ r.flags.ims = false;
++ r.ims = -1;
++ r.imslen = 0;
++ r.header.delById(HDR_IF_MODIFIED_SINCE);
+
+- if (!r.flags.ims) {
+- // RFC 2616: if If-None-Match matched and there is no IMS,
+- // reply with 304 Not Modified or 412 Precondition Failed
++ if (e->hasIfNoneMatchEtag(r)) {
+ sendNotModifiedOrPreconditionFailedError();
+- return;
++ return true;
+ }
+
+- // otherwise check IMS below to decide if we reply with 304 or 412
+- matchedIfNoneMatch = true;
++ // None-Match is true (no ETag matched); treat as an unconditional hit
++ return false;
+ }
+
+ if (r.flags.ims) {
+ // handle If-Modified-Since requests from the client
+- if (e->modifiedSince(&r)) {
+- http->logType = LOG_TCP_IMS_HIT;
+- sendMoreData(result);
+- return;
+- }
++ if (e->modifiedSince(&r)) {
++ // Modified-Since is true; treat as an unconditional hit
++ return false;
+
+- if (matchedIfNoneMatch) {
+- // If-None-Match matched, reply with 304 Not Modified or
+- // 412 Precondition Failed
+- sendNotModifiedOrPreconditionFailedError();
+- return;
++ } else {
++ // otherwise reply with 304 Not Modified
++ sendNotModified();
+ }
+-
+- // otherwise reply with 304 Not Modified
+- sendNotModified();
++ return true;
+ }
++
++ return false;
+ }
+
+ /// whether squid.conf send_hit prevents us from serving this hit
+@@ -1928,7 +1917,12 @@
+ StoreEntry *e = http->storeEntry();
+ const time_t timestamp = e->timestamp;
+ HttpReply *const temprep = e->getReply()->make304();
+- http->logType = LOG_TCP_IMS_HIT;
++ // log as TCP_INM_HIT if code 304 generated for
++ // If-None-Match request
++ if (!http->request->flags.ims)
++ http->logType = LOG_TCP_INM_HIT;
++ else
++ http->logType = LOG_TCP_IMS_HIT;
+ removeClientStoreReference(&sc, http);
+ createStoreEntry(http->request->method, RequestFlags());
+ e = http->storeEntry();
+Index: squid-3.5.20/src/client_side_reply.h
+===================================================================
+--- squid-3.5.20.orig/src/client_side_reply.h 2016-07-01 17:07:50.000000000 +0530
++++ squid-3.5.20/src/client_side_reply.h 2017-06-05 13:26:12.476954933 +0530
+@@ -114,7 +114,7 @@
+ bool alwaysAllowResponse(Http::StatusCode sline) const;
+ int checkTransferDone();
+ void processOnlyIfCachedMiss();
+- void processConditional(StoreIOBuffer &result);
++ bool processConditional(StoreIOBuffer &result);
+ void cacheHit(StoreIOBuffer result);
+ void handleIMSReply(StoreIOBuffer result);
+ void sendMoreData(StoreIOBuffer result);
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
index 4b806a91a9..aa244b3f5b 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.20.bb
@@ -22,6 +22,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
 file://set_sysroot_patch.patch \
 file://squid-don-t-do-squid-conf-tests-at-build-time.patch \
 file://CVE-2016-10003.patch \
+ file://CVE-2016-10002.patch \
 "
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
-- 
cgit 1.2.3-korg
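Review bot: The new `bool` return of `processConditional` in the backported client_side_reply.cc hunk is undocumented: the `/// process conditional request from client` line and the matching declaration hunk in client_side_reply.h say nothing about what the value means, even though every `return true` follows a reply that has already been sent (`processMiss()`, `sendPreconditionFailedError()`, `sendNotModifiedOrPreconditionFailedError()`, `sendNotModified()`) and every `return false` asks the caller to fall through to the plain-HIT path. Suggested header comment for both places: `/// process conditional request from client; returns true when a reply (MISS, 304 or 412) has already been sent and the caller must stop, false when the request is to be served as an unconditional cache hit`. The `result` parameter is no longer read anywhere in the rewritten body (both former `sendMoreData(result)` calls are gone and the caller's own `sendMoreData(result)` appears to cover those cases now), so a one-line comment noting it is kept only to match the declaration would save the next reader a search. `cacheHit`, the caller that consumes the return value, starts and ends outside the hunk.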