authorkrion <krion@FreeBSD.org>2004-06-29 00:56:04 +0800
committerkrion <krion@FreeBSD.org>2004-06-29 00:56:04 +0800
commit7e10041514b7746de3d7b9f14dcba8ea5277f1ca (patch)
treec3a9ff3de463c2bc7230e56936211c2017cfcb7e /www/squid31
parent05dfd76664d37f1811ead951be9c05d37a768125 (diff)
Fix the patch that simulates the autotools bootstrap for the
follow-xff-patchset (thanks to Michael Ranner for spotting the problem and testing the fix). While at it, wordsmith the comments in the patch. Use the official patch for the NTLM auth helper vulnerability, see <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for details. Build and install the SMB basic authentication helpers by default. PR: ports/68448 Submitted by: maintainer
Diffstat (limited to 'www/squid31')
-rw-r--r--www/squid31/Makefile7
-rw-r--r--www/squid31/distinfo2
-rw-r--r--www/squid31/files/follow_xff-configure.patch23
-rw-r--r--www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c78
4 files changed, 24 insertions, 86 deletions
diff --git a/www/squid31/Makefile b/www/squid31/Makefile
index c01bb810d8ea..a168b219b975 100644
--- a/www/squid31/Makefile
+++ b/www/squid31/Makefile
@@ -29,7 +29,7 @@
PORTNAME= squid
PORTVERSION= 2.5.5
-PORTREVISION= 11
+PORTREVISION= 12
CATEGORIES= www
MASTER_SITES= \
ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \
squid-2.5.STABLE5-dns_localhost.patch \
squid-2.5.STABLE5-msnt_auth_doc.patch \
squid-2.5.STABLE5-CONNECT_log_size.patch \
- squid-2.5.STABLE5-proxy_abuse.patch
+ squid-2.5.STABLE5-proxy_abuse.patch \
+ squid-2.5.STABLE5-ntlm_auth_overflow.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS= --bindir=${PREFIX}/sbin --sysconfdir=${PREFIX}/etc/squid \
# Authentication methods and modules:
-basic_auth= NCSA PAM YP MSNT winbind
+basic_auth= NCSA PAM YP MSNT SMB winbind
external_acl= ip_user unix_group wbinfo_group winbind_group
MAN8+= pam_auth.8 squid_unix_group.8
.if defined(WITH_SQUID_LDAP_AUTH)
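Review bot: The new PATCHFILES entry `squid-2.5.STABLE5-ntlm_auth_overflow.patch` carries no reference to the advisory it fixes, whereas the local patch it replaces (deleted further down in this commit) recorded the CVE id (CAN-2004-0541), the iDefense advisory and the upstream bug number in its header, so that trace is lost from the port. I would keep it as a comment above the PATCHFILES assignment (which begins outside this hunk, since a `#` line cannot sit inside the backslash-continued list): `# squid-2.5.STABLE5-ntlm_auth_overflow.patch: official fix for CAN-2004-0541 (NTLM auth helper buffer overflow)`. Separately, adding `SMB` to basic_auth builds the SMB basic helper by default, and if that helper still relies on Samba's smbclient/nmblookup at runtime as the 2.5 version does, nothing in this hunk adds a RUN_DEPENDS or an option knob, so the installed helper would fail until Samba is present; I would confirm that and either guard it behind a WITH_ option or document the dependency.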
diff --git a/www/squid31/distinfo b/www/squid31/distinfo
index 98d0c1344ded..9f798808315e 100644
--- a/www/squid31/distinfo
+++ b/www/squid31/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid31/files/follow_xff-configure.patch b/www/squid31/files/follow_xff-configure.patch
index a0920813868d..0cf30da6c147 100644
--- a/www/squid31/files/follow_xff-configure.patch
+++ b/www/squid31/files/follow_xff-configure.patch
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
!Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
!bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+ * If your system has statvfs(), and if it actually works!
+ */
+ #undef HAVE_STATVFS
--- configure.orig Tue Mar 2 10:18:14 2004
+++ configure Tue Mar 2 10:18:56 2004
@@ -222,6 +222,12 @@
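Review bot: The inner hunk for include/autoconf.h.in hard-codes `#define FOLLOW_X_FORWARDED_FOR 1` in the autoheader template, which contradicts its own comment "Enabled by default": a value written into the template is unconditional, so the `--enable-follow-x-forwarded-for` test that the configure hunk at the end of this patch adds cannot turn it off. The autoheader convention, and what a real bootstrap would emit, is `#undef FOLLOW_X_FORWARDED_FOR`, which configure then rewrites via AC_DEFINE; I would change the added line to `++#undef FOLLOW_X_FORWARDED_FOR` and reword the comment to "Compile in support for following X-Forwarded-For headers (set by configure)." If the port intends it to be always compiled in, the comment should say so instead of "by default", and I would note next to it that, presuming the patchset gates runtime behaviour on the follow_x_forwarded_for access list, the define alone does not change which client address ACLs trust. The configure hunk whose header is the last line here has its body outside this patch.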
diff --git a/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcdeb..000000000000
--- a/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
-
- int ntlm_errno;
--static char credentials[1024]; /* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
-
-
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
- int rv;
-- char pass[25] /*, encrypted_pass[40] */;
-+ char pass[MAX_PASSWD_LEN+1];
- char *domain = credentials;
- char *user;
- lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
-+ if (tmp.l > MAX_DOMAIN_LEN) {
-+ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
- memcpy(domain, tmp.str, tmp.l);
- user = domain + tmp.l;
- *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
-+ if (tmp.l > MAX_USERNAME_LEN) {
-+ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
- memcpy(user, tmp.str, tmp.l);
- *(user + tmp.l) = '\0';
-
-
-- /* Authenticating against the NT response doesn't seem to work... */
-+ /* Authenticating against the NT response doesn't seem to work... */
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
- if (tmp.str == NULL || tmp.l == 0) {
- fprintf(stderr, "No auth at all. Returning no-auth\n");
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
--
-+ if (tmp.l > MAX_PASSWD_LEN) {
-+ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
-+
- memcpy(pass, tmp.str, tmp.l);
-- pass[25] = '\0';
-+ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
-
- #if 1
- debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"