gentoo-mirror/gentoo
1
0
Fork 0
mirror of https://github.com/gentoo-mirror/gentoo.git synced 2025-12-21 21:17:37 -08:00
Code Issues Projects Releases Wiki Activity

net-proxy/squid: security fixes

Browse Source 
One is available from upstream; for the other, use Debian's backport.

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Bug: https://bugs.gentoo.org/965708
Part-of: https://github.com/gentoo/gentoo/pull/44502
Closes: https://github.com/gentoo/gentoo/pull/44502
Signed-off-by: Sam James <sam@gentoo.org>
This commit is contained in:
Hank Leininger 2025-11-05 13:40:22 -07:00 committed by Sam James
parent 0aacd8f4d8
commit ddbd920e9c
No known key found for this signature in database
GPG Key ID: 738409F520DF9190
3 changed files with 625 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
net-proxy/squid/files/squid-6.14-cachemgr-dont_show_hostname.patch Normal file
View File

@ -0,0 +1,17 @@
https://github.com/squid-cache/squid/commit/d94dbed6c700faeded8c4175f2a8d0f71c15755b.patch
From d94dbed6c700faeded8c4175f2a8d0f71c15755b Mon Sep 17 00:00:00 2001
From: Amos Jeffries <amosjeffries@squid-cache.org>
Date: Wed, 5 Nov 2025 10:23:34 +1300
Subject: [PATCH] Do not show arbitrary hostname in cachemgr.cgi output
--- a/tools/cachemgr.cc
+++ b/tools/cachemgr.cc
@@ -819,7 +819,7 @@ process_request(cachemgr_request * req)
}
if (!check_target_acl(req->hostname, req->port)) {
- snprintf(buf, sizeof(buf), "target %s:%d not allowed in cachemgr.conf\n", req->hostname, req->port);
+ snprintf(buf, sizeof(buf), "target host not allowed in cachemgr.conf\n");
error_html(buf);
return 1;
}

187
net-proxy/squid/files/squid-6.14-proxy_auth_data.patch Normal file
View File

@ -0,0 +1,187 @@
https://sources.debian.org/patches/squid/6.13-2+deb13u1/CVE-2025-62168.patch/
From: Amos Jeffries <yadij@users.noreply.github.com>
Date: Sat, 11 Oct 2025 16:33:02 +1300
Subject: [PATCH] Bug 3390: Proxy auth data visible to scripts (#2249)
Original changes to redact credentials from error page %R code
expansion output was incomplete. It missed the parse failure
case where ErrorState::request_hdrs raw buffer contained
sensitive information.
Also missed was the %W case where full request message headers
were generated in a mailto link. This case is especially
problematic as it may be delivered over insecure SMTP even if
the error was secured with HTTPS.
After this change:
* The HttpRequest message packing code for error pages is de-duplicated
and elides authentication headers for both %R and %W code outputs.
* The %R code output includes the CRLF request message terminator.
* The email_err_data directive causing advanced details to be added to
%W mailto links is disabled by default.
Also redact credentials from generated TRACE responses.
---------
Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
origin: backport, https://github.com/squid-cache/squid/commit/0951a0681011dfca3d78c84fd7f1e19c78a4443f
bug: https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr
debian-bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118341
--- a/src/HttpRequest.cc
+++ b/src/HttpRequest.cc
@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
/* packs request-line and headers, appends <crlf> terminator */
void
-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const
{
assert(p);
/* pack request-line */
@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
http_ver.major, http_ver.minor);
/* headers */
- header.packInto(p);
- /* trailer */
+ header.packInto(p, maskSensitiveInfo);
+ /* indicate the end of the header section */
p->append("\r\n", 2);
}
--- a/src/HttpRequest.h
+++ b/src/HttpRequest.h
@@ -206,7 +206,7 @@ public:
void swapOut(StoreEntry * e);
- void pack(Packable * p) const;
+ void pack(Packable * p, bool maskSensitiveInfo = false) const;
static void httpRequestPack(void *obj, Packable *p);
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -8944,12 +8944,18 @@ NAME: email_err_data
COMMENT: on|off
TYPE: onoff
LOC: Config.onoff.emailErrData
-DEFAULT: on
+DEFAULT: off
DOC_START
If enabled, information about the occurred error will be
included in the mailto links of the ERR pages (if %W is set)
so that the email body contains the data.
Syntax is <A HREF="mailto:%w%W">%w</A>
+
+ SECURITY WARNING:
+ Request headers and other included facts may contain
+ sensitive information about transaction history, the
+ Squid instance, and its environment which would be
+ unavailable to error recipients otherwise.
DOC_END
NAME: deny_info
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) :
void
clientReplyContext::setReplyToError(
err_type err, Http::StatusCode status, char const *uri,
- const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
+ const ConnStateData *conn, HttpRequest *failedrequest, const char *,
#if USE_AUTH
Auth::UserRequest::Pointer auth_user_request
#else
@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
{
auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
- if (unparsedrequest)
- errstate->request_hdrs = xstrdup(unparsedrequest);
-
#if USE_AUTH
errstate->auth_user_request = auth_user_request;
#endif
@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
triggerInitialStoreRead();
http->storeEntry()->releaseRequest();
http->storeEntry()->buffer();
+ MemBuf content;
+ content.init();
+ http->request->pack(&content, true /* hide authorization data */);
const HttpReplyPointer rep(new HttpReply);
- rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+ rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
+ rep->body.set(SBuf(content.buf, content.size));
http->storeEntry()->replaceHttpReply(rep);
- http->request->swapOut(http->storeEntry());
- http->storeEntry()->complete();
+ http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
}
#define SENDING_BODY 0
--- a/src/errorpage.cc
+++ b/src/errorpage.cc
@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
{
safe_free(redirect_url);
safe_free(url);
- safe_free(request_hdrs);
wordlistDestroy(&ftp.server_msg);
safe_free(ftp.request);
safe_free(ftp.reply);
@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb)
SQUIDSBUFPRINT(request->url.path()),
AnyP::ProtocolType_str[request->http_ver.protocol],
request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&str);
+ request->header.packInto(&str, true /* hide authorization data */);
}
str.append("\r\n", 2);
@@ -1112,18 +1111,10 @@ ErrorState::compileLegacyCode(Build &build)
p = "[no request]";
break;
}
- if (request) {
- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
- SQUIDSBUFPRINT(request->method.image()),
- SQUIDSBUFPRINT(request->url.path()),
- AnyP::ProtocolType_str[request->http_ver.protocol],
- request->http_ver.major, request->http_ver.minor);
- request->header.packInto(&mb, true); //hide authorization data
- } else if (request_hdrs) {
- p = request_hdrs;
- } else {
+ else if (request)
+ request->pack(&mb, true /* hide authorization data */);
+ else
p = "[no request]";
- }
break;
case 's':
--- a/src/errorpage.h
+++ b/src/errorpage.h
@@ -194,7 +194,6 @@ public:
MemBuf *listing = nullptr;
} ftp;
- char *request_hdrs = nullptr;
char *err_msg = nullptr; /* Preformatted error message from the cache */
AccessLogEntryPointer ale; ///< transaction details (or nil)
--- a/src/tests/stub_HttpRequest.cc
+++ b/src/tests/stub_HttpRequest.cc
@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB
bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
int HttpRequest::prefixLen() const STUB_RETVAL(0)
void HttpRequest::swapOut(StoreEntry *) STUB
-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
void HttpRequest::httpRequestPack(void *, Packable *) STUB
HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)

421
net-proxy/squid/squid-6.14-r1.ebuild Normal file
View File

@ -0,0 +1,421 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/squid.gpg
inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs verify-sig
DESCRIPTION="Full-featured web proxy cache"
HOMEPAGE="https://www.squid-cache.org/"
MY_PV_MAJOR=$(ver_cut 1)
MY_PV_MINOR=$(ver_cut 2)
# Upstream patch ID for the most recent bug-fixed update to the formal release.
#r=-20181117-r0022167
r=
if [[ -z ${r} ]]; then
SRC_URI="
https://github.com/squid-cache/squid/releases/download/SQUID_${MY_PV_MAJOR}_${MY_PV_MINOR}/${P}.tar.xz
https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch
verify-sig? ( https://github.com/squid-cache/squid/releases/download/SQUID_${MY_PV_MAJOR}_${MY_PV_MINOR}/${P}.tar.xz.asc )
"
else
SRC_URI="
http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2
https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch
"
S="${S}${r}"
fi
LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap"
IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp valgrind +wccp +wccpv2"
RESTRICT="!test? ( test )"
REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )"
DEPEND="
acct-group/squid
acct-user/squid
dev-libs/libltdl
sys-libs/tdb
virtual/libcrypt:=
caps? ( >=sys-libs/libcap-2.16 )
ecap? ( net-libs/libecap:1 )
esi? (
dev-libs/expat
dev-libs/libxml2:=
)
ldap? ( net-nds/openldap:= )
gnutls? ( >=net-libs/gnutls-3.1.5:= )
logrotate? ( app-admin/logrotate )
nis? (
net-libs/libtirpc:=
net-libs/libnsl:=
)
kerberos? ( virtual/krb5 )
pam? ( sys-libs/pam )
qos? ( net-libs/libnetfilter_conntrack )
ssl? (
dev-libs/nettle:=
!gnutls? (
dev-libs/openssl:=
)
)
sasl? ( dev-libs/cyrus-sasl )
systemd? ( sys-apps/systemd:= )
"
RDEPEND="
${DEPEND}
mysql? ( dev-perl/DBD-mysql )
postgres? ( dev-perl/DBD-Pg )
perl? ( dev-lang/perl )
samba? ( net-fs/samba )
selinux? ( sec-policy/selinux-squid )
sqlite? ( dev-perl/DBD-SQLite )
"
DEPEND+=" valgrind? ( dev-debug/valgrind )"
BDEPEND="
dev-lang/perl
ecap? ( virtual/pkgconfig )
test? ( dev-util/cppunit )
verify-sig? ( sec-keys/openpgp-keys-squid )
"
PATCHES=(
"${FILESDIR}"/${PN}-6.2-gentoo.patch
"${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch
"${DISTDIR}"/${PN}-6.9-memleak_fix.patch
"${FILESDIR}"/${PN}-6.12-ar.patch
"${FILESDIR}"/${PN}-6.14-proxy_auth_data.patch
"${FILESDIR}"/${PN}-6.14-cachemgr-dont_show_hostname.patch
)
pkg_pretend() {
if use tproxy; then
local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY"
linux-info_pkg_setup
fi
}
src_unpack() {
if use verify-sig ; then
# Needed for downloaded patch (which is unsigned, which is fine)
verify-sig_verify_detached "${DISTDIR}"/${P}.tar.xz{,.asc}
fi
default
}
src_prepare() {
default
# Fixup various paths
sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \
INSTALL QUICKSTART \
scripts/fileno-to-pathname.pl \
scripts/check_cache.pl \
tools/cachemgr.cgi.8 \
tools/purge/conffile.hh \
tools/purge/purge.1 || die
sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \
INSTALL QUICKSTART || die
sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \
QUICKSTART || die
sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \
QUICKSTART \
src/log/access_log.cc || die
sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \
src/log/access_log.cc || die
sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \
src/acl/external/unix_group/ext_unix_group_acl.8 \
src/acl/external/session/ext_session_acl.8 || die
sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \
scripts/check_cache.pl || die
# /var/run/squid to /run/squid
sed -i -e 's:$(localstatedir)::' \
src/ipc/Makefile.am || die
sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die
sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \
libltdl/configure.ac || die
# https://bugs.gentoo.org/956509
AT_NO_RECURSIVE="yes" eautoreconf
}
src_configure() {
# Workaround for bug #921688
append-cxxflags -std=gnu++17
local myeconfargs=(
--cache-file="${S}"/config.cache
--datadir=/usr/share/squid
--libexecdir=/usr/libexec/squid
--localstatedir=/var
--sysconfdir=/etc/squid
--with-default-user=squid
--with-logdir=/var/log/squid
--with-pidfile=/run/squid.pid
--enable-build-info="Gentoo ${PF} (r: ${r:-NONE})"
--enable-log-daemon-helpers
--enable-url-rewrite-helpers
--enable-cache-digests
--enable-delay-pools
--enable-disk-io
--enable-eui
--enable-icmp
--enable-ipv6
--enable-follow-x-forwarded-for
--enable-removal-policies="lru,heap"
--disable-strict-error-checking
--disable-arch-native
--with-large-files
--with-build-environment=default
--with-tdb
--without-included-ltdl
--with-ltdl-include="${ESYSROOT}"/usr/include
--with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir)
$(use_with caps cap)
$(use_enable snmp)
$(use_with ssl openssl)
$(use_with ssl nettle)
$(use_with gnutls)
$(use_with ldap)
$(use_enable ssl-crtd)
$(use_with systemd)
$(use_with test cppunit)
$(use_enable ecap)
$(use_enable esi)
$(use_enable esi expat)
$(use_enable esi xml2)
$(use_enable htcp)
$(use_with valgrind valgrind-debug)
$(use_enable wccp)
$(use_enable wccpv2)
)
# Basic modules
local basic_modules=(
NCSA
POP3
getpwnam
$(usev samba 'SMB')
$(usev ldap 'SMB_LM LDAP')
$(usev pam 'PAM')
$(usev sasl 'SASL')
$(usev nis 'NIS')
$(usev radius 'RADIUS')
)
use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc"
if use mysql || use postgres || use sqlite; then
basic_modules+=( DB )
fi
# Digests
local digest_modules=(
file
$(usev ldap 'LDAP eDirectory')
)
# Kerberos
local negotiate_modules=( none )
myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 )
if use kerberos; then
# We intentionally overwrite negotiate_modules here to lose
# the 'none'.
negotiate_modules=( kerberos wrapper )
if has_version app-crypt/heimdal; then
myeconfargs+=(
--without-mit-krb5
--with-heimdal-krb5
)
else
myeconfargs+=(
--with-mit-krb5
--without-heimdal-krb5
)
fi
fi
# NTLM modules
local ntlm_modules=( none )
if use samba ; then
# We intentionally overwrite ntlm_modules here to lose
# the 'none'.
ntlm_modules=( SMB_LM )
fi
# External helpers
local ext_helpers=(
file_userip
session
unix_group
delayer
time_quota
$(usev samba 'wbinfo_group')
$(usev ldap 'LDAP_group eDirectory_userip')
)
use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group )
if use mysql || use postgres || use sqlite; then
ext_helpers+=( SQL_session )
fi
# Storage modules
local storeio_modules=(
aufs
diskd
rock
ufs
)
#
local transparent
if use kernel_linux; then
myeconfargs+=(
--enable-linux-netfilter
$(usev qos '--enable-zph-qos --with-netfilter-conntrack')
)
fi
tc-export_build_env BUILD_CXX
export BUILDCXX="${BUILD_CXX}"
export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
tc-export CC AR
# Should be able to drop this workaround with newer versions.
# https://bugs.squid-cache.org/show_bug.cgi?id=4224
tc-is-cross-compiler && export squid_cv_gnu_atomics=no
# Bug #719662
append-atomic-flags
print_options_without_comma() {
# IFS as ',' will cut off any trailing commas
(
IFS=','
options=( $(printf "%s," "${@}") )
echo "${options[*]}"
)
}
myeconfargs+=(
--enable-storeio=$(print_options_without_comma "${storeio_modules[@]}")
--enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}")
--enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}")
--enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}")
--enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}")
--enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}")
)
econf "${myeconfargs[@]}"
}
src_test() {
default
# Suppress QA warning (bug #877729) for no tests executed
# for some subsuites. The layout is odd and there's a bunch
# of useless/stub directories which confuses it.
find "${S}" -iname test-suite.log -delete || die
}
src_install() {
default
systemd_dounit tools/systemd/squid.service
# Need suid root for looking into /etc/shadow
fowners root:squid /usr/libexec/squid/basic_ncsa_auth
fperms 4750 /usr/libexec/squid/basic_ncsa_auth
if use pam; then
fowners root:squid /usr/libexec/squid/basic_pam_auth
fperms 4750 /usr/libexec/squid/basic_pam_auth
fi
# Pinger needs suid as well
fowners root:squid /usr/libexec/squid/pinger
fperms 4750 /usr/libexec/squid/pinger
# These scripts depend on perl
if ! use perl; then
local perl_scripts=(
basic_pop3_auth ext_delayer_acl helper-mux
log_db_daemon security_fake_certverify
storeid_file_rewrite url_lfs_rewrite
)
local script
for script in "${perl_scripts[@]}"; do
rm "${ED}"/usr/libexec/squid/${script} || die
done
fi
# Cleanup
rm -r "${D}"/run "${D}"/var/cache || die
dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt
newdoc src/auth/negotiate/kerberos/README README.kerberos
newdoc src/auth/basic/RADIUS/README README.RADIUS
newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group
dodoc RELEASENOTES.html
if use pam; then
newpamd "${FILESDIR}"/squid.pam squid
fi
newconfd "${FILESDIR}"/squid.confd-r2 squid
newinitd "${FILESDIR}"/squid.initd-r7 squid
if use logrotate ; then
insinto /etc/logrotate.d
newins "${FILESDIR}"/squid.logrotate-r1 squid
else
exeinto /etc/cron.weekly
newexe "${FILESDIR}"/squid.cron-r1 squid.cron
fi
diropts -m0750 -o squid -g squid
keepdir /var/log/squid /etc/ssl/squid /var/lib/squid
# Hack for bug #834503 (see also bug #664940)
# Please keep this for a few years until it's no longer plausible
# someone is upgrading from < squid 5.7.
mv "${ED}"/usr/share/squid/errors{,.new} || die
}
pkg_preinst() {
# Remove file in EROOT that the directory collides with.
rm -rf "${EROOT}"/usr/share/squid/errors || die
# Following the collision protection check, reverse
# src_install's rename in ED.
mv "${ED}"/usr/share/squid/errors{.new,} || die
}
pkg_postinst() {
elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'."
if [[ ${#r} -gt 0 ]]; then
elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support."
fi
}