From 1473313a38b02f36ac917bb89db54c8f6be3df5e Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Tue, 4 Sep 2012 16:08:17 +0400 Subject: [PATCH] security/squidclamav: fix DoS and XSS Apply upstream patches for CVE-2012-3501 and CVE-2012-4667. Security: http://www.vuxml.org/freebsd/ce680f0a-eea6-11e1-8bd8-0022156e8794.html Security: http://www.vuxml.org/freebsd/8defa0f9-ee8a-11e1-8bd8-0022156e8794.html PR: 171022 QA page: http://codelabs.ru/fbsd/ports/qa/security/squidclamav/5.7_1 Signed-off-by: Eygene Ryabinkin --- security/squidclamav/Makefile | 1 + security/squidclamav/files/patch-cve-2012-3501 | 71 ++++++++++++++ security/squidclamav/files/patch-cve-2012-4667 | 124 +++++++++++++++++++++++++ 3 files changed, 196 insertions(+) create mode 100644 security/squidclamav/files/patch-cve-2012-3501 create mode 100644 security/squidclamav/files/patch-cve-2012-4667 diff --git a/security/squidclamav/Makefile b/security/squidclamav/Makefile index 72e94e5..856570a 100644 --- a/security/squidclamav/Makefile +++ b/security/squidclamav/Makefile @@ -7,6 +7,7 @@ PORTNAME= squidclamav PORTVERSION= 5.7 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF diff --git a/security/squidclamav/files/patch-cve-2012-3501 b/security/squidclamav/files/patch-cve-2012-3501 new file mode 100644 index 0000000..240d839 --- /dev/null +++ b/security/squidclamav/files/patch-cve-2012-3501 @@ -0,0 +1,71 @@ +Fix CVE-2012-3501, DoS when external URL checker is used + +This fix was integrated into 6.7 and 5.8. + +Obtained-from: https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00.diff + +--- src/squidclamav.c.orig 2010-12-11 15:20:46.000000000 +0300 ++++ src/squidclamav.c 2012-08-25 15:55:51.708586983 +0400 +@@ -62,6 +62,7 @@ + static char * escape_quote (char *s); + void timeit (struct timeval start, char *level); + int dconnect (void); ++char * replace(const char *s, const char *old, const char *new); + void replace_chr(char string[], char *from, char *to); + void free_global (); /* routine to free global pointer */ + void freeBuff (struct IN_BUFF); +@@ -474,11 +475,15 @@ + /* chaining with SquidGuard - before bridge mode or not*/ + if ((bridge_mode == 0) && (squidguard != NULL)) { + if (usepipe == 1) { ++ char *rbuff = NULL; ++ /* escaping escaped character to prevent unescaping by squidguard */ ++ rbuff = replace(rbuff, "%", "%25"); + if (debug > 0) + logit(log_file, "DEBUG Sending request to chained program: %s\n", squidguard); + fprintf(sgfpw,"%s\n",sbuff); + fflush(sgfpw); + xfree(escaped); ++ xfree(rbuff); + escaped = NULL; + /* the chained redirector must return empty line if ok or the redirection url */ + chain_ret = (char *)malloc(sizeof(char)*MAX_URL); +@@ -1114,3 +1119,38 @@ + } + + ++/** ++ * Searches all occurrences of old into s ++ * and replaces with new ++ */ ++char * ++replace(const char *s, const char *old, const char *new) ++{ ++ char *ret; ++ int i, count = 0; ++ size_t newlen = strlen(new); ++ size_t oldlen = strlen(old); ++ ++ for (i = 0; s[i] != '\0'; i++) { ++ if (strstr(&s[i], old) == &s[i]) { ++ count++; ++ i += oldlen - 1; ++ } ++ } ++ ret = malloc(i + 1 + count * (newlen - oldlen)); ++ if (ret != NULL) { ++ i = 0; ++ while (*s) { ++ if (strstr(s, old) == s) { ++ strcpy(&ret[i], new); ++ i += newlen; ++ s += oldlen; ++ } else { ++ ret[i++] = *s++; ++ } ++ } ++ ret[i] = '\0'; ++ } ++ ++ return ret; ++} diff --git a/security/squidclamav/files/patch-cve-2012-4667 b/security/squidclamav/files/patch-cve-2012-4667 new file mode 100644 index 0000000..aa0bc6a --- /dev/null +++ b/security/squidclamav/files/patch-cve-2012-4667 @@ -0,0 +1,124 @@ +Fixes CVE-2012-4667, XSS in clwarn.cgi + +Integrated to 5.8 and 6.7. + +Obtained-from: https://github.com/darold/squidclamav/commit/5806d10a31183a0b0d18eccc3a3e04e536e2315b.diff + +diff --git a/cgi-bin/clwarn.cgi b/cgi-bin/clwarn.cgi +index 9333bef..a43eca7 100755 +--- cgi-bin/clwarn.cgi ++++ cgi-bin/clwarn.cgi +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; +diff --git a/cgi-bin/clwarn.cgi.de_DE b/cgi-bin/clwarn.cgi.de_DE +index 700c3df..3f21180 100755 +--- cgi-bin/clwarn.cgi.de_DE ++++ cgi-bin/clwarn.cgi.de_DE +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "Virus Alarm"; + my $subtitle = 'enthlt folgenden Virus'; +diff --git a/cgi-bin/clwarn.cgi.en_EN b/cgi-bin/clwarn.cgi.en_EN +index d246e54..6e70e46 100755 +--- cgi-bin/clwarn.cgi.en_EN ++++ cgi-bin/clwarn.cgi.en_EN +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contains the virus'; +diff --git a/cgi-bin/clwarn.cgi.fr_FR b/cgi-bin/clwarn.cgi.fr_FR +index c0b3896..323fa30 100755 +--- cgi-bin/clwarn.cgi.fr_FR ++++ cgi-bin/clwarn.cgi.fr_FR +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Virus detection"; + my $subtitle = 'contient le virus'; +diff --git a/cgi-bin/clwarn.cgi.pt_BR b/cgi-bin/clwarn.cgi.pt_BR +index 6bf12a0..1a6492a 100755 +--- cgi-bin/clwarn.cgi.pt_BR ++++ cgi-bin/clwarn.cgi.pt_BR +@@ -7,8 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; ++$source =~ s/\/-//; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Foi detectado um vírus!"; + my $subtitle = 'está infectada pelo vírus'; +diff --git a/cgi-bin/clwarn.cgi.ru_RU b/cgi-bin/clwarn.cgi.ru_RU +index 21e4d94..1e82a0b 100755 +--- cgi-bin/clwarn.cgi.ru_RU ++++ cgi-bin/clwarn.cgi.ru_RU +@@ -7,11 +7,11 @@ my $VERSION = '6.6'; + + my $cgi = new CGI; + +-my $url = $cgi->param('url') || ''; +-my $virus = $cgi->param('virus') || ''; +-my $source = $cgi->param('source') || ''; ++my $url = CGI::escapeHTML($cgi->param('url')) || ''; ++my $virus = CGI::escapeHTML($cgi->param('virus')) || ''; ++my $source = CGI::escapeHTML($cgi->param('source')) || ''; + $source =~ s/\/-//; +-my $user = $cgi->param('user') || ''; ++my $user = CGI::escapeHTML($cgi->param('user')) || ''; + + my $TITLE_VIRUS = "SquidClamAv $VERSION: Обнаружен вирус!"; + my $subtitle = 'содержит вирус'; -- 1.7.11.3