-rw-r--r-- | www/squid/Makefile | 6 | ||||
-rw-r--r-- | www/squid/distinfo | 4 | ||||
-rw-r--r-- | www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 | ||||
-rw-r--r-- | www/squid25/Makefile | 6 | ||||
-rw-r--r-- | www/squid25/distinfo | 4 | ||||
-rw-r--r-- | www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 | ||||
-rw-r--r-- | www/squid26/Makefile | 6 | ||||
-rw-r--r-- | www/squid26/distinfo | 4 | ||||
-rw-r--r-- | www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 | ||||
-rw-r--r-- | www/squid27/Makefile | 6 | ||||
-rw-r--r-- | www/squid27/distinfo | 4 | ||||
-rw-r--r-- | www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 | ||||
-rw-r--r-- | www/squid30/Makefile | 6 | ||||
-rw-r--r-- | www/squid30/distinfo | 4 | ||||
-rw-r--r-- | www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 | ||||
-rw-r--r-- | www/squid31/Makefile | 6 | ||||
-rw-r--r-- | www/squid31/distinfo | 4 | ||||
-rw-r--r-- | www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 87 |
18 files changed, 570 insertions, 12 deletions
diff --git a/www/squid/Makefile b/www/squid/Makefile index bc8d8fbba548..8bc9b0833d32 100644 --- a/www/squid/Makefile +++ b/www/squid/Makefile @@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid/distinfo b/www/squid/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid/distinfo +++ b/www/squid/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid25/Makefile b/www/squid25/Makefile
index bc8d8fbba548..8bc9b0833d32 100644
--- a/www/squid25/Makefile
+++ b/www/squid25/Makefile
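Review bot: In the `@@ -215,8 +218,13 @@` hunk of the embedded libntlmssp.c patch, `user = domain + tmp.l + 1;` is followed by the unchanged `*user++ = '\0';`, so the terminator lands at `domain[tmp.l + 1]` and `domain[tmp.l]` is never written, leaving the domain string to end on whatever byte the static `credentials` buffer already held there. The user name also starts one byte later than the buffer sizing allows for: with a 255-byte domain and a 255-byte user name, the later `*(user + tmp.l) = '\0';` writes index 512 of the 512-byte array. Keeping the old `user = domain + tmp.l;` in front of `*user++ = '\0';` terminates the domain in place and fits both maxima plus their two terminators. The same patch file (identical blob id) is added under www/squid25, squid26, squid27, squid30 and squid31, so the point applies to each copy. ntlm_check_auth continues outside the visible hunks.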
@@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid25/distinfo b/www/squid25/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid25/distinfo +++ b/www/squid25/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid25/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid26/Makefile b/www/squid26/Makefile
index bc8d8fbba548..8bc9b0833d32 100644
--- a/www/squid26/Makefile
+++ b/www/squid26/Makefile
@@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid26/distinfo b/www/squid26/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid26/distinfo +++ b/www/squid26/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid26/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid27/Makefile b/www/squid27/Makefile
index bc8d8fbba548..8bc9b0833d32 100644
--- a/www/squid27/Makefile
+++ b/www/squid27/Makefile
@@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid27/distinfo b/www/squid27/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid27/distinfo +++ b/www/squid27/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid27/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid30/Makefile b/www/squid30/Makefile
index bc8d8fbba548..8bc9b0833d32 100644
--- a/www/squid30/Makefile
+++ b/www/squid30/Makefile
@@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid30/distinfo b/www/squid30/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid30/distinfo +++ b/www/squid30/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid30/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
diff --git a/www/squid31/Makefile b/www/squid31/Makefile
index bc8d8fbba548..8bc9b0833d32 100644
--- a/www/squid31/Makefile
+++ b/www/squid31/Makefile
@@ -29,7 +29,7 @@ PORTNAME= squid PORTVERSION= 2.5.5 -PORTREVISION= 8 +PORTREVISION= 9 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ @@ -63,7 +63,9 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ squid-2.5.STABLE5-debug_client_ip.patch \ squid-2.5.STABLE5-ftp_html_doctype.patch \ squid-2.5.STABLE5-dns_localhost.patch \ - squid-2.5.STABLE5-msnt_auth_doc.patch + squid-2.5.STABLE5-msnt_auth_doc.patch \ + squid-2.5.STABLE5-CONNECT_log_size.patch \ + squid-2.5.STABLE5-proxy_abuse.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de diff --git a/www/squid31/distinfo b/www/squid31/distinfo index db5de42b4fb4..98d0c1344ded 100644 --- a/www/squid31/distinfo +++ b/www/squid31/distinfo @@ -44,3 +44,7 @@ MD5 (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = cee1c1417185696f5ab9c94fb SIZE (squid2.5/squid-2.5.STABLE5-dns_localhost.patch) = 1408 MD5 (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 6031dda00c8e963e7f9ca17b369006bd SIZE (squid2.5/squid-2.5.STABLE5-msnt_auth_doc.patch) = 16644 +MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a0e11bb4238 +SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011 +MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21 +SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761 diff --git a/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c new file mode 100644 index 000000000000..c837e41da5d3 --- /dev/null +++ b/www/squid31/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c 
@@ -0,0 +1,87 @@
+This patch fixes a buffer overflow vulnerability in the NTLM auth
+helper which was reported by Stefan Esser on the 07th June 2004.
+Original advisory:
+<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
+CVE-ID: CAN-2004-0541
+Patch obtained from:
+<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
+The patch was slightly modified by the me (tmseck@netcologne.de) to make
+it apply cleanly to the FreeBSD port.
+
+Index: libntlmssp.c
+===================================================================
+RCS file: /server/cvs-server/squid/squid/helpers/ntlm_auth/SMB/libntlmssp.c,v
+retrieving revision 1.7
+diff -u -3 -p -u -r1.7 libntlmssp.c
+--- helpers/ntlm_auth/SMB/libntlmssp.c 30 Nov 2001 09:50:28 -0000 1.7
++++ helpers/ntlm_auth/SMB/libntlmssp.c 20 May 2004 22:31:33 -0000
+@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
+ #define min(A,B) (A<B?A:B)
+
+ int ntlm_errno;
+-static char credentials[1024]; /* we can afford to waste */
++#define MAX_USERNAME_LEN 255
++#define MAX_DOMAIN_LEN 255
++#define MAX_PASSWD_LEN 31
++static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
+
+
+ /* Fetches the user's credentials from the challenge.
+@@ -197,7 +200,7 @@ char *
+ ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
+ {
+ int rv;
+- char pass[25] /*, encrypted_pass[40] */;
++ char pass[MAX_PASSWD_LEN+1];
+ char *domain = credentials;
+ char *user;
+ lstring tmp;
+@@ -215,8 +218,13 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_DOMAIN_LEN) {
++ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(domain, tmp.str, tmp.l);
+- user = domain + tmp.l;
++ user = domain + tmp.l + 1;
+ *user++ = '\0';
+
+ /* debug("fetching user name\n"); */
+@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
++ if (tmp.l > MAX_USERNAME_LEN) {
++ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
+ memcpy(user, tmp.str, tmp.l);
+ *(user + tmp.l) = '\0';
+
+
+- /* Authenticating against the NT response doesn't seem to work... */
++ /* Authenticating against the NT response doesn't seem to work... */
+ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
+ if (tmp.str == NULL || tmp.l == 0) {
+ fprintf(stderr, "No auth at all. Returning no-auth\n");
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
+-
++ if (tmp.l > MAX_PASSWD_LEN) {
++ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
++ ntlm_errno = NTLM_LOGON_ERROR;
++ return NULL;
++ }
++
+ memcpy(pass, tmp.str, tmp.l);
+- pass[25] = '\0';
++ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
+
+ #if 1
+ debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'" |