From tmseck@netcologne.de  Mon Feb  1 20:09:00 2010
Message-Id: <20100201200857.38567.qmail@wcfields.tmseck.homedns.org>
Date: 1 Feb 2010 20:08:57 -0000
From: Thomas-Martin Seck <tmseck@web.de>
Reply-To: Thomas-Martin Seck <tmseck@web.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc: ports-security@freebsd.org
Subject: [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         143451
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 01 20:10:03 UTC 2010
>Closed-Date:    Mon Feb 01 20:26:46 UTC 2010
>Last-Modified:  Mon Feb 01 20:26:46 UTC 2010
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of February 1, 2010.

	
>Description:

Squid advisory 2010:1 notes that all versions of Squid are vulnerable to
a denial of service attack via untrusted DNS servers/resolvers.

Updated versions of www/squid30 and www/squid31 do not build, unfortunately.
I have informed the upstream maintainer and will update www/squid30 and
www/squid31 as soon as I have received and tested fixes for the build errors.

Added file:
files/patch-squid-advisory-2010:1

Proposed VuXML entry. Note that these include the fixed 3.0.22 and
3.1.0.16 versions, which are not yet available as ports. Feel free to
modify these entries to show that no fix is yet available in the Ports
Collection:
  
  <vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
    <topic>squid -- Denial of Service vulnerability in DNS handling</topic>
    <affects>
      <package>
        <name>squid</name>
        <range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
        <range><ge>3.0.1</ge><lt>3.0.22</lt></range>
        <range><ge>3.1.0.1</ge><lt>3.1.0.16</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Squid security advisory 2010:1 reports:</p>
        <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
          <p>Due to incorrect data validation Squid is vulnerable to a denial
            of service attack when processing specially crafted DNS packets.</p>
          <p>This problem allows any trusted client or external server who can
            determine the squid receiving port to perform a short-term denial
            of service attack on the Squid service.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
    </references>
    <dates>
      <discovery>2010-01-14</discovery>
    </dates>
  </vuln>
  
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(Revision 1744)
+++ Makefile	(.../local/squid)	(Revision 1744)
@@ -76,7 +76,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.7.${SQUID_STABLE_VER}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
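
Review bot: the PORTREVISION bump to 3 only matches the proposed VuXML upper bound <lt>2.7.7_3</lt> if SQUID_STABLE_VER is 7, and that variable is defined outside this hunk. Please confirm the value before commit, so that the patched package is not still reported as vulnerable by the audit tooling and an unpatched one is not reported as fixed.
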
Index: files/patch-squid-advisory-2010:1
===================================================================
--- files/patch-squid-advisory-2010:1	(.../www/squid)	(Revision 0)
+++ files/patch-squid-advisory-2010:1	(.../local/squid)	(Revision 1744)
@@ -0,0 +1,38 @@
+FreeBSD-Patch for Squid-Advisory 2010:1, prepared by Thomas-Martin Seck,
+<tmseck@web.de>, 2010-02-01.
+
+Removed one directory level and the first hunk with CVS meta-information
+from the original patch. The original patch can be downloaded from:
+http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
+
+---------------------
+PatchSet 12597 
+Date: 2010/01/15 11:40:30
+Author: amosjeffries
+Branch: HEAD
+Tag: (none) 
+Log:
+Handle DNS header-only packets as invalid.
+
+Members: 
+	lib/rfc1035.c:1.30->1.31 
+
+Index: lib/rfc1035.c
+===================================================================
+RCS file: /cvsroot/squid/squid/lib/rfc1035.c,v
+retrieving revision 1.30
+retrieving revision 1.31
+diff -u -r1.30 -r1.31
+--- lib/rfc1035.c	15 Jun 2008 03:49:55 -0000	1.30
++++ lib/rfc1035.c	15 Jan 2010 11:40:30 -0000	1.31
+@@ -286,7 +286,9 @@
+     size_t len;
+     assert(ns > 0);
+     do {
+-	assert((*off) < sz);
++	if ((*off) >= sz) {
++	    return 1;
++	}
+ 	c = *(buf + (*off));
+ 	if (c > 191) {
+ 	    /* blasted compression */
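
Review bot: the assert(ns > 0) left in place directly above the new (*off) >= sz check still aborts the process when it fails, so it is worth confirming that ns is always a caller-supplied buffer size and never derived from the DNS packet; otherwise it needs the same conversion to an error return. The bare "return 1" also carries no comment: a one-line note that a non-zero return means "invalid packet" would make it clear that every caller has to check the result. The hunk context ends at the compression branch, so the reads that follow there should be checked against sz in the same way.
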
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Mon Feb 1 20:11:54 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=143451 
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Mon Feb 1 20:26:35 UTC 2010 
State-Changed-Why:  
Committed, thanks! 

>Unformatted:
