[oe] [PATCH] squid: CVE-2016-4556

Catalin Enache catalin.enache at windriver.com
Tue May 31 07:50:14 UTC 2016


Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18
and 4.x before 4.0.10 allows remote servers to cause a denial
of service (crash) via a crafted Edge Side Includes (ESI) response.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4556

Signed-off-by: Catalin Enache <catalin.enache at windriver.com>
---
 .../squid/files/CVE-2016-4556.patch                | 96 ++++++++++++++++++++++
 .../recipes-daemons/squid/squid_3.5.7.bb           |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2016-4556.patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2016-4556.patch b/meta-networking/recipes-daemons/squid/files/CVE-2016-4556.patch
new file mode 100644
index 0000000..e990c4a
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2016-4556.patch
@@ -0,0 +1,96 @@
+From ee68ec6602f88ee588ac01d440b45af2a1ac2614 Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache at windriver.com>
+Date: Tue, 31 May 2016 09:17:40 +0300
+Subject: [PATCH] Fix SIGSEGV in ESIContext response handling
+
+HttpReply pointer was being unlocked without heving been locked.
+Resulting in a double-free. Make it use RefCount instead of
+manual locking to ensure locked/unlock is always symmetrical.
+
+Upstream-Status: Backport
+CVE: CVE-2016-4556
+
+Signed-off-by: Catalin Enache <catalin.enache at windriver.com>
+---
+ src/esi/Context.h |  3 ++-
+ src/esi/Esi.cc    | 14 +++++++-------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/esi/Context.h b/src/esi/Context.h
+index 6d15bfe..9982d5c 100644
+--- a/src/esi/Context.h
++++ b/src/esi/Context.h
+@@ -13,6 +13,7 @@
+ #include "err_type.h"
+ #include "esi/Element.h"
+ #include "esi/Parser.h"
++#include "HttpReply.h"
+ #include "http/StatusCode.h"
+ 
+ class ESIVarState;
+@@ -91,7 +92,7 @@ public:
+     err_type errorpage; /* if we error what page to use */
+     Http::StatusCode errorstatus; /* if we error, what code to return */
+     char *errormessage; /* error to pass to error page */
+-    HttpReply *rep; /* buffered until we pass data downstream */
++    HttpReply::Pointer rep; /* buffered until we pass data downstream */
+     ESISegment::Pointer buffered; /* unprocessed data - for whatever reason */
+     ESISegment::Pointer incoming;
+     /* processed data we are waiting to send, or for
+diff --git a/src/esi/Esi.cc b/src/esi/Esi.cc
+index 768b139..338e90b 100644
+--- a/src/esi/Esi.cc
++++ b/src/esi/Esi.cc
+@@ -573,7 +573,7 @@ ESIContext::send ()
+ 
+ #endif
+ 
+-    if (!(rep || (outbound.getRaw() &&
++    if (!(rep != NULL || (outbound.getRaw() &&
+                   outbound->len && (outbound_offset <= outbound->len)))) {
+         debugs(86, 5, "ESIContext::send: Nothing to send.");
+         return 0;
+@@ -618,18 +618,18 @@ ESIContext::send ()
+     flags.clientwantsdata = 0;
+     debugs(86, 5, "ESIContext::send: this=" << this << " Client no longer wants data ");
+     /* Deal with re-entrancy */
+-    HttpReply *temprep = rep;
++    HttpReply::Pointer temprep = rep;
+     rep = NULL; /* freed downstream */
+ 
+-    if (temprep && varState)
+-        varState->buildVary (temprep);
++    if (temprep != NULL && varState)
++        varState->buildVary(temprep.getRaw());
+ 
+     {
+         StoreIOBuffer tempBuffer;
+         tempBuffer.length = len;
+         tempBuffer.offset = pos - len;
+         tempBuffer.data = next->readBuffer.data;
+-        clientStreamCallback (thisNode, http, temprep, tempBuffer);
++        clientStreamCallback (thisNode, http, temprep.getRaw(), tempBuffer);
+     }
+ 
+     if (len == 0)
+@@ -1259,7 +1259,7 @@ ESIContext::parse()
+         ++parserState.stackdepth;
+     }
+ 
+-    if (rep && !parserState.inited())
++    if (rep != NULL && !parserState.inited())
+         parserState.init(this);
+ 
+     /* we have data */
+@@ -1398,7 +1398,7 @@ ESIContext::freeResources ()
+ {
+     debugs(86, 5, HERE << "Freeing for this=" << this);
+ 
+-    HTTPMSGUNLOCK(rep);
++    rep = NULL; // refcounted
+ 
+     finishChildren ();
+ 
+-- 
+2.7.4
+
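Review bot: The retained comment `rep = NULL; /* freed downstream */` in ESIContext::send() is stale once `rep` becomes an `HttpReply::Pointer`: nothing downstream frees the reply any more, `temprep` holds the local reference and the object is released when the last `Pointer` drops, so I would change it to `rep = NULL; /* temprep keeps the reply alive until clientStreamCallback returns */`. That also makes the remaining hazard explicit: `clientStreamCallback(thisNode, http, temprep.getRaw(), tempBuffer)` hands out a raw pointer, and any receiver that stores it beyond the callback must take its own HTTPMSGLOCK or the fixed double-free turns into a use-after-free; whether the receivers do so is not visible in this hunk and should be confirmed against the upstream fix. The patch header says `Upstream-Status: Backport` but names no upstream revision or commit, which OE patch conventions expect and which a later maintainer needs to verify the backport matches what shipped in 3.5.18; the inner message also has a typo (`heving` → `having`). The nested hunks in ESIContext::send(), parse() and freeResources() each start and end outside the quoted context, so the rest of those functions is not shown here.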
diff --git a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
index 6040171..83a0b45 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.5.7.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
            file://CVE-2016-3947.patch \
            file://CVE-2016-4554.patch \
            file://CVE-2016-4555.patch \
+           file://CVE-2016-4556.patch \
 "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
-- 
2.7.4



