diff --git a/squid-4.15-CVE-2025-62168.patch b/squid-4.15-CVE-2025-62168.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b78eb40720f781a8bb5aac90a810d80ed4d83a9 --- /dev/null +++ b/squid-4.15-CVE-2025-62168.patch @@ -0,0 +1,179 @@ +diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc +index 38b9307..e0278b7 100644 +--- a/src/HttpRequest.cc ++++ b/src/HttpRequest.cc +@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e) + + /* packs request-line and headers, appends terminator */ + void +-HttpRequest::pack(Packable * p) const ++HttpRequest::pack(Packable * const p, const bool maskSensitiveInfo) const + { + assert(p); + /* pack request-line */ +@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const + SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()), + http_ver.major, http_ver.minor); + /* headers */ +- header.packInto(p); +- /* trailer */ ++ header.packInto(p, maskSensitiveInfo); ++ /* indicate the end of the header section */ + p->append("\r\n", 2); + } + +diff --git a/src/HttpRequest.h b/src/HttpRequest.h +index fe706ef..4329d53 100644 +--- a/src/HttpRequest.h ++++ b/src/HttpRequest.h +@@ -201,7 +201,7 @@ public: + + void swapOut(StoreEntry * e); + +- void pack(Packable * p) const; ++ void pack(Packable * p, bool maskSensitiveInfo = false) const; + + static void httpRequestPack(void *obj, Packable *p); + +diff --git a/src/cf.data.pre b/src/cf.data.pre +index d55b870..7b18b0e 100644 +--- a/src/cf.data.pre ++++ b/src/cf.data.pre +@@ -8319,12 +8319,18 @@ NAME: email_err_data + COMMENT: on|off + TYPE: onoff + LOC: Config.onoff.emailErrData +-DEFAULT: on ++DEFAULT: off + DOC_START + If enabled, information about the occurred error will be + included in the mailto links of the ERR pages (if %W is set) + so that the email body contains the data. + Syntax is %w ++ ++ SECURITY WARNING: ++ Request headers and other included facts may contain ++ sensitive information about transaction history, the ++ Squid instance, and its environment which would be ++ unavailable to error recipients otherwise. + DOC_END + + NAME: deny_info +diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc +index fea5ecb..c7dc756 100644 +--- a/src/client_side_reply.cc ++++ b/src/client_side_reply.cc +@@ -100,7 +100,7 @@ clientReplyContext::clientReplyContext(ClientHttpRequest *clientContext) : + void + clientReplyContext::setReplyToError( + err_type err, Http::StatusCode status, const HttpRequestMethod& method, char const *uri, +- Ip::Address &addr, HttpRequest * failedrequest, const char *unparsedrequest, ++ Ip::Address &addr, HttpRequest * failedrequest, const char *, + #if USE_AUTH + Auth::UserRequest::Pointer auth_user_request + #else +@@ -110,9 +110,6 @@ clientReplyContext::setReplyToError( + { + ErrorState *errstate = clientBuildError(err, status, uri, addr, failedrequest); + +- if (unparsedrequest) +- errstate->request_hdrs = xstrdup(unparsedrequest); +- + #if USE_AUTH + errstate->auth_user_request = auth_user_request; + #endif +@@ -1078,10 +1075,13 @@ clientReplyContext::traceReply() + triggerInitialStoreRead(); + http->storeEntry()->releaseRequest(); + http->storeEntry()->buffer(); ++ MemBuf *content = new MemBuf; ++ content->init(); ++ http->request->pack(content, true /* hide authorization data */); + HttpReply *rep = new HttpReply; +- rep->setHeaders(Http::scOkay, NULL, "text/plain", http->request->prefixLen(), 0, squid_curtime); ++ rep->setHeaders(Http::scOkay, NULL, "message/http", content->contentSize(), 0, squid_curtime); ++ rep->body.setMb(content); + http->storeEntry()->replaceHttpReply(rep); +- http->request->swapOut(http->storeEntry()); + http->storeEntry()->complete(); + } + +diff --git a/src/errorpage.cc b/src/errorpage.cc +index 72be100..c1f3b25 100644 +--- a/src/errorpage.cc ++++ b/src/errorpage.cc +@@ -575,7 +575,6 @@ ErrorState::ErrorState(err_type t, Http::StatusCode status, HttpRequest * req) : + redirect_url(NULL), + callback(NULL), + callback_data(NULL), +- request_hdrs(NULL), + err_msg(NULL), + #if USE_OPENSSL + detail(NULL), +@@ -678,7 +677,6 @@ ErrorState::~ErrorState() + HTTPMSGUNLOCK(request); + safe_free(redirect_url); + safe_free(url); +- safe_free(request_hdrs); + wordlistDestroy(&ftp.server_msg); + safe_free(ftp.request); + safe_free(ftp.reply); +@@ -737,12 +735,10 @@ ErrorState::Dump(MemBuf * mb) + /* - HTTP stuff */ + str.append("HTTP Request:\r\n", 15); + if (request) { +- str.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); +- request->header.packInto(&str); ++ MemBuf r; ++ r.init(); ++ request->pack(&r, true /* hide authorization data */); ++ str.append(r.content(), r.contentSize()); + } + + str.append("\r\n", 2); +@@ -961,15 +957,8 @@ ErrorState::Convert(char token, bool building_deny_info_url, bool allowRecursion + p = "[no request]"; + break; + } +- if (request != NULL) { +- mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n", +- SQUIDSBUFPRINT(request->method.image()), +- SQUIDSBUFPRINT(request->url.path()), +- AnyP::ProtocolType_str[request->http_ver.protocol], +- request->http_ver.major, request->http_ver.minor); ++ else if (request) { + request->header.packInto(&mb, true); //hide authorization data +- } else if (request_hdrs) { +- p = request_hdrs; + } else { + p = "[no request]"; + } +diff --git a/src/errorpage.h b/src/errorpage.h +index 332e507..bf61b4d 100644 +--- a/src/errorpage.h ++++ b/src/errorpage.h +@@ -164,7 +164,6 @@ public: + MemBuf *listing; + } ftp; + +- char *request_hdrs; + char *err_msg; /* Preformatted error message from the cache */ + + #if USE_OPENSSL +diff --git a/src/tests/stub_HttpRequest.cc b/src/tests/stub_HttpRequest.cc +index cd18d51..495d786 100644 +--- a/src/tests/stub_HttpRequest.cc ++++ b/src/tests/stub_HttpRequest.cc +@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const HttpRequestMethod &, int64_t &) const STUB + bool HttpRequest::bodyNibbled() const STUB_RETVAL(false) + int HttpRequest::prefixLen() const STUB_RETVAL(0) + void HttpRequest::swapOut(StoreEntry *) STUB +-void HttpRequest::pack(Packable *) const STUB ++void HttpRequest::pack(Packable *, bool) const STUB + void HttpRequest::httpRequestPack(void *, Packable *) STUB + HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) + HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr) diff --git a/squid-4.15-fatal-read-data-from-mem.patch b/squid-4.15-fatal-read-data-from-mem.patch new file mode 100644 index 0000000000000000000000000000000000000000..401703bac1dd2337c92236d5e389a50aac240e39 --- /dev/null +++ b/squid-4.15-fatal-read-data-from-mem.patch @@ -0,0 +1,48 @@ +From 6c29ec591b1c777fc9a66f810f0ce5bc5076bc40 Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Tue, 14 Nov 2023 18:40:37 +0000 +Subject: [PATCH] Bug 5317: FATAL attempt to read data from memory (#1579) + + FATAL: Squid has attempted to read data ... that is not present. + +Recent commit 122a6e3 attempted to deliver in-memory response body bytes +to a Store-reading client that requested (at least) response headers. +That optimization relied on the old canReadFromMemory() logic, but that +logic results in false positives when the checked read offset falls into +a gap between stored headers and the first body byte of a Content-Range. +In that case, a false positive leads to a readFromMemory() call and a +FATAL mem_hdr::copy() error. + +This workaround disables the above optimization without fixing +canReadFromMemory(). We believe that a readFromMemory() call that comes +right after response headers are delivered to the Store-reading client +will not suffer from the same problem because the client will supply the +read offset of the first body byte, eliminating the false positive. +--- + src/store_client.cc | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/store_client.cc b/src/store_client.cc +index a5f2440..b09f78a 100644 +--- a/src/store_client.cc ++++ b/src/store_client.cc +@@ -355,8 +355,9 @@ store_client::doCopy(StoreEntry *anEntry) + return; // failure + } + +- // send any immediately available body bytes even if we also sendHttpHeaders +- if (canReadFromMemory()) { ++ // Send any immediately available body bytes unless we sendHttpHeaders. ++ // TODO: Send those body bytes when we sendHttpHeaders as well. ++ if (!sendHttpHeaders && canReadFromMemory()) { + readFromMemory(); + noteNews(); // will sendHttpHeaders (if needed) as well + flags.store_copying = false; +@@ -442,6 +443,7 @@ store_client::canReadFromMemory() const + { + const auto &mem = entry->mem(); + const auto memReadOffset = nextHttpReadOffset(); ++ // XXX: This (lo <= offset < end) logic does not support Content-Range gaps. + return mem.inmem_lo <= memReadOffset && memReadOffset < mem.endOffset() && + parsingBuffer.first.spaceSize(); + } diff --git a/squid.spec b/squid.spec index 4ab91121d54bfa23fb38c9f153904cf22f6e1425..6986101b53ffcf64c96a0b3647cff578eb81694e 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 4.15 -Release: 13%{?dist}.5 +Release: 13%{?dist}.6 Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -42,6 +42,8 @@ Patch209: squid-4.15-ftp-filename-extraction.patch Patch210: squid-4.15-halfclosed.patch # https://issues.redhat.com/browse/RHEL-66120 Patch211: squid-4.15-dns-obey-ttl-set-to-zero.patch +# https://issues.redhat.com/browse/RHEL-57030 +Patch212: squid-4.15-fatal-read-data-from-mem.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1941506 @@ -76,6 +78,8 @@ Patch312: squid-4.15-CVE-2024-25111.patch Patch313: squid-4.15-ignore-wsp-after-chunk-size.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2260051 Patch314: squid-4.15-CVE-2024-23638.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2404736 +Patch315: squid-4.15-CVE-2025-62168.patch Requires: bash >= 2.0 Requires(pre): shadow-utils @@ -154,6 +158,10 @@ lookup program (dnsserver), a program for retrieving FTP data %patch312 -p1 -b .CVE-2024-25111 %patch313 -p1 -b .ignore-wsp-chunk-sz %patch314 -p1 -b .CVE-2024-23638 +%patch315 -p1 -b .CVE-2025-62168 + +# patch305 follow-up +%patch212 -p1 -b .fatal-read-data-from-mem # https://bugzilla.redhat.com/show_bug.cgi?id=1679526 # Patch in the vendor documentation and used different location for documentation @@ -370,8 +378,8 @@ fi %changelog -* Sat Feb 08 2025 ZHao Hang - 7:4.15-13.5 -- Bump spec for update +* Tue Oct 28 2025 ZHao Hang - 7:4.15-13.6 +- Fix CVE-2025-62168 * Fri Nov 22 2024 Luboš Uhliarik - 7:4.15-10.5 - Resolves: RHEL-66120 - squid caches DNS entries despite having TTL set to 0