
Bug 916334 (CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848, CVE-2023-5824, SQUID-2023:1, SQUID-2023:2, SQUID-2023:3, SQUID-2023:4, SQUID-2023:5, SQUID-2023:7, SQUID-2023:8, SQUID-2023:9)

Summary: <net-proxy/squid-6.5: multiple vulnerabilities
Product: Gentoo Security
Reporter: Christian Schmidt <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: bugzillas, hlein, jstein, proxy-maint, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/33546
https://github.com/gentoo/gentoo/pull/34106
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 914255, 919054
Bug Blocks:

Description Christian Schmidt 2023-10-27 12:09:03 UTC
The bugs have been published, partially without CVEs, at https://joshua.hu/squid-security-audit-35-0days-45-exploits. Squid 6.4 fixes several potential RCE, see also https://github.com/squid-cache/squid/security/advisories

Reproducible: Always
Comment 1 Christian Schmidt 2023-10-27 12:13:02 UTC
Also, since the homepage is currently in a weird state: http://static.squid-cache.org/Versions/v6/
Comment 2 Hank Leininger 2023-10-27 19:52:56 UTC
Thanks for this and the PR.

AFAIK only a subset of the vulns are fixed by this, so even once 6.4 lands we'll still have multiple vulnerabilities. But fewer, so that's an improvement...
Comment 3 Hank Leininger 2023-10-28 22:19:59 UTC
As a p-m I can't merge this, but I've been testing locally and I'm +1 on it
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-05 17:56:45 UTC
CVE-2023-46846 (https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh):

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.

CVE-2023-46847 (https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g):

Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.

CVE-2023-46848 (https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w):

Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.

CVE-2023-5824 (https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255):

Squid is vulnerable to Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug.

Looks like all except CVE-2023-5824 are fixed in 6.4. CVE-2023-5824 is
fixed in 6.5. Looks like patches are available for the 5.0 branch too,
which we might want to add if 6.x isn't ready for stabilization yet.

I'm a bit surprised to see that the worst severity here (of the CVEs
fixed in 6.4-6.5) seems to be denial of service, while the CVSS scores
might have indicated otherwise. Setting this bug's severity
accordingly as those are what we're tracking here.
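CVE-2023-46846 above is attributed to lenience in the chunked decoder. As an added illustration (not Squid's code and not from this bug), the strict chunked-body decoder below rejects the kinds of malformed chunk-size lines, bare-LF terminators and trailing data that a lenient decoder might tolerate; the sample inputs are constructed.

```python
import re

# Strict grammar (RFC 9112 section 7.1): chunk-size is 1*HEXDIG, optionally
# followed by ";ext", then CRLF. No leading/trailing whitespace, no "0x",
# no bare LF. Size is capped at 16 hex digits to avoid absurd lengths.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(;[^\r\n]*)?\r\n")
# trailer field-line: token ":" OWS field-value OWS (no CR/LF inside)
_TRAILER_LINE = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*")


class ChunkedError(ValueError):
    """Raised for any deviation from the strict chunked grammar."""


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked message body, refusing anything ambiguous."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        line = body[pos:eol + 2]
        m = _CHUNK_SIZE_LINE.fullmatch(line)
        if m is None:
            raise ChunkedError(f"malformed chunk-size line: {line!r}")
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            # last-chunk: zero or more trailer lines, then an empty line.
            while True:
                eol = body.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("trailer section not terminated")
                tline, pos = body[pos:eol], eol + 2
                if tline == b"":
                    break
                if _TRAILER_LINE.fullmatch(tline) is None:
                    raise ChunkedError(f"malformed trailer line: {tline!r}")
            if pos != len(body):
                # Bytes after the final CRLF are exactly what a smuggled
                # second request would look like; never pass them along.
                raise ChunkedError("data after final chunk")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedError("truncated chunk data")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        out += chunk
        pos += 2


def rejects(body: bytes) -> bool:
    """True if the strict decoder refuses this body (helper for checks)."""
    try:
        decode_chunked_strict(body)
        return False
    except ChunkedError:
        return True
```

A proxy that decodes this strictly on the client side and re-chunks (or sends Content-Length) toward the origin removes the parser-disagreement the advisory describes.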
Comment 5 Jarkko Suominen 2023-11-17 08:02:31 UTC
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
CVE-2023-46724 

Due to an Improper Validation of Specified Index bug Squid is vulnerable to a denial of Service attack against SSL Certificate validation.

This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain.

This attack is limited to HTTPS and SSL-Bump.

Affected versions
3.3.0.1 - 5.9 and 6.0 - 6.3

This vulnerability has been patched in 6.4 but there are patches for other versions as well:
Squid 5: http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch
Squid 6: http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch
Comment 6 Jarkko Suominen 2023-11-17 08:02:56 UTC
*** Bug 917474 has been marked as a duplicate of this bug. ***
Comment 7 Larry the Git Cow gentoo-dev 2023-11-17 15:08:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b6385397f2b9875e0d37383cbe10b1a2c8a289c

commit 3b6385397f2b9875e0d37383cbe10b1a2c8a289c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-11-17 15:06:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-17 15:07:23 +0000

    net-proxy/squid: add 6.5
    
    Bug: https://bugs.gentoo.org/914255
    Bug: https://bugs.gentoo.org/916334
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-6.5.ebuild | 386 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 387 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5e33355221588cc51b736cc575ac400e9374341

commit c5e33355221588cc51b736cc575ac400e9374341
Author:     Christian Schmidt <gentoo@digadd.de>
AuthorDate: 2023-10-27 14:03:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-17 15:07:23 +0000

    net-proxy/squid: add 6.4
    
    Updated source download URL to a working one.
    
    Bug: https://bugs.gentoo.org/916334
    Closes: https://bugs.gentoo.org/914255
    Closes: https://github.com/gentoo/gentoo/pull/33546
    Signed-off-by: Christian Schmidt <gentoo@digadd.de>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-proxy/squid/Manifest         |   1 +
 net-proxy/squid/squid-6.4.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-03 21:08:56 UTC
SQUID-2023:4: Denial of Service in SSL Certificate validation

Fixed in 6.4.

SQUID-2023:7: Denial of Service in HTTP Message Processing

Fixed in 6.5.

SQUID-2023:8: Denial of Service in Helper Process management

Fixed in 6.5.

SQUID-2023:9: Denial of Service in HTTP Collapsed Forwarding

Fixed in 6.0.1.
Comment 9 Larry the Git Cow gentoo-dev 2023-12-07 06:21:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a2b11bf740e489bd7f00271bc26c1d1bdba27de

commit 2a2b11bf740e489bd7f00271bc26c1d1bdba27de
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-12-03 17:39:07 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2023-12-07 06:20:54 +0000

    net-proxy/squid: drop 5.7-r1, 5.8, 5.9, 6.2, 6.4
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Bug: https://bugs.gentoo.org/917615
    Bug: https://bugs.gentoo.org/916334
    Closes: https://github.com/gentoo/gentoo/pull/34106
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 net-proxy/squid/Manifest                     |   5 -
 net-proxy/squid/files/squid-5.3-gentoo.patch |  87 ------
 net-proxy/squid/files/squid.initd-r5         | 125 ---------
 net-proxy/squid/squid-5.7-r1.ebuild          | 380 --------------------------
 net-proxy/squid/squid-5.8.ebuild             | 382 --------------------------
 net-proxy/squid/squid-5.9.ebuild             | 382 --------------------------
 net-proxy/squid/squid-6.2.ebuild             | 383 --------------------------
 net-proxy/squid/squid-6.4.ebuild             | 386 ---------------------------
 8 files changed, 2130 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-02-06 23:09:15 UTC
It's worth us GLSAing this one, I think.