Files
Armin Kuster 5b2e937448 squid: serveral missing security fixes
SQUID-2015:2 - Does not affect Squid-3.4 and older versions are not vulnerable.
CVE-2015-5400
CVE-2015-3455
CVE-2014-7142
CVE-2014-7141
CVE-2014-6270

see http://www.squid-cache.org/Advisories/

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2016-02-08 14:13:39 +01:00

54 lines
2.0 KiB
Diff

Fix: CVE-2015-3455
------------------------------------------------------------
revno: 13222
revision-id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
parent: squid3@treenet.co.nz-20150501071104-vd21fu43lvmqoqwa
author: Amos Jeffries <amosjeffries@squid-cache.org>, Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Fri 2015-05-01 00:16:51 -0700
message:
Fix X509 server certificate domain matching
The X509 certificate domain fields may contain non-ASCII encodings.
Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
strings.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: e38694c3e222c506740510557d2a7a122786225c
# timestamp: 2015-05-01 07:17:25 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20150501071104-\
# vd21fu43lvmqoqwa
#
# Begin patch
Upstream-Status: Backport
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch
Signed-off-by: Armin Kuster <akuster@mvista.com>
=== modified file 'src/ssl/support.cc'
--- a/src/ssl/support.cc 2015-01-24 05:07:58 +0000
+++ b/src/ssl/support.cc 2015-05-01 07:16:51 +0000
@@ -209,7 +209,13 @@
if (cn_data->length > (int)sizeof(cn) - 1) {
return 1; //if does not fit our buffer just ignore
}
- memcpy(cn, cn_data->data, cn_data->length);
+ char *s = reinterpret_cast<char*>(cn_data->data);
+ char *d = cn;
+ for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+ if (*s == '\0')
+ return 1; // always a domain mismatch. contains 0x00
+ *d = *s;
+ }
cn[cn_data->length] = '\0';
debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);