From 7166a2daecfbb4528fa410670adcc7f241715bd5 Mon Sep 17 00:00:00 2001
From: Catalin Enache
Date: Mon, 23 May 2016 15:49:34 +0300
Subject: squid: CVE-2016-4553

client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4553
Backported upstream patch:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch
Signed-off-by: Catalin Enache
Signed-off-by: Martin Jansa
Signed-off-by: Joe MacDonald
(cherry picked from commit d46c89ae44c811b64b117613072698601e483b32)
Signed-off-by: Armin Kuster
---
 .../squid/files/CVE-2016-4553.patch | 51 ++++++++++++++++++++++
 .../recipes-daemons/squid/squid_3.5.7.bb | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
new file mode 100644
index 0000000000..497ace444b
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4553.patch
@@ -0,0 +1,51 @@
+From 41ccaa04bb445f52bdb671ef6fbf994634b6efbe Mon Sep 17 00:00:00 2001
+From: Catalin Enache
+Date: Mon, 23 May 2016 12:47:39 +0300
+Subject: [PATCH] Bug 4501: HTTP/1.1: normalize Host header
+
+Upstream-Status: Backport
+CVE: CVE-2016-4553
+
+When absolute-URI is provided Host header should be ignored. However some
+code still uses Host directly so normalize it using the URL authority
+value before doing any further request processing.
+
+For now preserve the case where Host is completely absent. That matters
+to the CVE-2009-0801 protection.
+
+This also has the desirable side effect of removing multiple or duplicate
+Host header entries, and invalid port values.
+
+Signed-off-by: Catalin Enache
+---
+ src/client_side.cc | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/client_side.cc b/src/client_side.cc
+index 8c41c21..36a27de 100644
+--- a/src/client_side.cc
++++ b/src/client_side.cc
+@@ -2652,6 +2652,20 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
+ clientProcessRequestFinished(conn, request);
+ return;
+ }
++
++ // when absolute-URI is provided Host header should be ignored. However
++ // some code still uses Host directly so normalize it.
++ // For now preserve the case where Host is completely absent. That matters.
++ if (request->header.has(HDR_HOST)) {
++ const char *host = request->header.getStr(HDR_HOST);
++ SBuf authority(request->GetHost());
++ if (request->port != urlDefaultPort(request->url.getScheme()))
++ authority.appendf(":%d", request->port);
++ debugs(33, 5, "URL domain " << authority << " overrides header Host: " << host);
++ // URL authority overrides Host header
++ request->header.delById(HDR_HOST);
++ request->header.putStr(HDR_HOST, authority.c_str());
++ }
+ }
+
+ // Some blobs below are still HTTP-specific, but we would have to rewrite
+--
+2.7.4
+
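Review bot: The guard `if (request->header.has(HDR_HOST))` in the added block rewrites Host for every request form, while the comment directly above it says the rule applies "when absolute-URI is provided"; since the patch description presents the unconditional rewrite (dropping duplicate Host entries and invalid ports) as intended, the comment should say so, e.g. `// Rebuild Host from the parsed URL authority for every request that carries one; this also drops duplicate Host entries and invalid ports.` Separately, `host` obtained from `getStr(HDR_HOST)` presumably points into the entry that `delById(HDR_HOST)` removes two lines later, so it must stay unused after that call; a short comment on the `debugs` line such as `// last use of host: delById below invalidates it` would keep a later edit from reusing it. Whether squid 3.5.7 provides `SBuf::appendf` and `url.getScheme()` as used here cannot be confirmed from this page, and the hunk context line numbers differ from the upstream changeset, so a build log against 3.5.7 is the evidence worth attaching. The enclosing clientProcessRequest starts and ends outside the hunk.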
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index e35aad7cf2..93f69c1a1e 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
 file://run-ptest \
 file://volatiles.03_squid \
 file://CVE-2016-3947.patch \
+ file://CVE-2016-4553.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
--
cgit 1.2.3-korg