From: Otavio Salvador <otavio@ossystems.com.br>
To: Meta-OpenEmbedded Mailing listing
	<openembedded-devel@lists.openembedded.org>
Subject: [meta-oe backport krogoth PATCH 07/22] squid: CVE-2016-3947
Date: Fri,  6 May 2016 11:00:44 -0300
Message-ID: <1462543259-7206-7-git-send-email-otavio@ossystems.com.br>
In-Reply-To: <1462543259-7206-1-git-send-email-otavio@ossystems.com.br>

From: Catalin Enache <catalin.enache@windriver.com>

Heap-based buffer overflow in the Icmp6::Recv function in
icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x
before 4.0.8 allows remote servers to cause a denial of
service (performance degradation or transition failures)
or write sensitive information to log files via an ICMPv6
packet.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3947

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
---

 .../squid/files/CVE-2016-3947.patch                | 48 ++++++++++++++++++++++
 .../recipes-daemons/squid/squid_3.5.7.bb           |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
new file mode 100644
index 0000000..c83e6ab
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-3947.patch
@@ -0,0 +1,48 @@
+From 0fe108ecb2bbdf684f159950eaa55d22f07c4008 Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Wed, 20 Apr 2016 15:17:18 +0300
+Subject: [PATCH] pinger: Fix buffer overflow in Icmp6::Recv
+
+Upstream-Status: Backport
+CVE: CVE-2016-3947
+
+Author: Yuriy M. Kaminskiy <yumkam@gmail.com>
+Committer: Amos Jeffries <squid3@treenet.co.nz
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/icmp/Icmp6.cc | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/icmp/Icmp6.cc b/src/icmp/Icmp6.cc
+index 794a51a..ee84b80 100644
+--- a/src/icmp/Icmp6.cc
++++ b/src/icmp/Icmp6.cc
+@@ -256,7 +256,7 @@ Icmp6::Recv(void)
+     #define ip6_hops    // HOPS!!!  (can it be true??)
+ 
+         ip = (struct ip6_hdr *) pkt;
+-        pkt += sizeof(ip6_hdr);
++        NP: echo size needs to +sizeof(ip6_hdr);
+ 
+     debugs(42, DBG_CRITICAL, HERE << "ip6_nxt=" << ip->ip6_nxt <<
+             ", ip6_plen=" << ip->ip6_plen <<
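Review bot: this first hunk of the embedded patch changes comment text only, so it has no effect on behaviour: the `+     */` that opens the next hunk's context shows that the replaced `pkt += sizeof(ip6_hdr);` line sits inside a block comment, and the replacement `NP: echo size needs to +sizeof(ip6_hdr);` is a note, not C. Because it reads like a garbled line at first glance, the patch description should state that this hunk is a comment-only clarification and that the functional fix is confined to the two later hunks.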
+@@ -267,7 +267,6 @@ Icmp6::Recv(void)
+     */
+ 
+     icmp6header = (struct icmp6_hdr *) pkt;
+-    pkt += sizeof(icmp6_hdr);
+ 
+     if (icmp6header->icmp6_type != ICMP6_ECHO_REPLY) {
+ 
+@@ -292,7 +291,7 @@ Icmp6::Recv(void)
+         return;
+     }
+ 
+-    echo = (icmpEchoData *) pkt;
++    echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));
+ 
+     preply.opcode = echo->opcode;
+ 
+-- 
+2.7.4
+
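Review bot: the functional fix is the pairing of the second and third hunks: `pkt` is no longer advanced past the ICMPv6 header (`-    pkt += sizeof(icmp6_hdr);`) and the echo payload is instead addressed at the cast, `echo = (icmpEchoData *) (pkt + sizeof(icmp6_hdr));`, so `pkt` still points at the ICMPv6 header after the type check. Neither hunk shows a check that the received length covers `sizeof(icmp6_hdr) + sizeof(icmpEchoData)` before `echo->opcode` is read, so please confirm that the surrounding receive code (outside this diff) validates the length, or add that check to the backport, and have the description say which offset was miscomputed, since the diff alone does not make the root cause obvious. Two header nits: `Committer: Amos Jeffries <squid3@treenet.co.nz` is missing its closing `>`, and `Upstream-Status: Backport` would be easier to audit with the upstream squid revision or URL the change was taken from, as the `From 0fe108ec...` hash at the top is the local git-format-patch id.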
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index c3eabcd..750484a 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
            file://squid-use-serial-tests-config-needed-by-ptest.patch \
            file://run-ptest \
            file://volatiles.03_squid \
+           file://CVE-2016-3947.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
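Review bot: nothing to change in this hunk; the new `file://CVE-2016-3947.patch` entry follows the existing one-entry-per-line, trailing-backslash layout of SRC_URI, and the `CVE: CVE-2016-3947` tag in the patch header plus the CVE id in the filename let CVE tracking tooling associate the fix with this recipe. Since the description says affected releases are those before 3.5.16, a one-line remark in the recipe or patch header that the patch can be dropped once squid is upgraded to 3.5.16 or later would save the next maintainer a lookup.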
-- 
2.8.2