author | krion <krion@FreeBSD.org> | 2004-06-29 00:56:04 +0800 |
committer | krion <krion@FreeBSD.org> | 2004-06-29 00:56:04 +0800 |
commit | 7e10041514b7746de3d7b9f14dcba8ea5277f1ca (patch) | |
tree | c3a9ff3de463c2bc7230e56936211c2017cfcb7e /www/squid | |
parent | 05dfd76664d37f1811ead951be9c05d37a768125 (diff) | |
Fix the patch that simulates the autotools bootstrap for the
follow-xff-patchset (thanks to Michael Ranner for spotting the
problem and testing the fix). While at it, wordsmith the
comments in the patch.
Use the official patch for the NTLM auth helper vulnerability,
see <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for
details.
Build and install the SMB basic authentication helpers by default
PR: ports/68448
Submitted by: maintainer
Diffstat (limited to 'www/squid')
-rw-r--r-- | www/squid/Makefile | 7 | ||||
-rw-r--r-- | www/squid/distinfo | 2 | ||||
-rw-r--r-- | www/squid/files/follow_xff-configure.patch | 23 | ||||
-rw-r--r-- | www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c | 78 |
4 files changed, 24 insertions, 86 deletions
diff --git a/www/squid/Makefile b/www/squid/Makefile
index c01bb810d8e..a168b219b97 100644
--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -29,7 +29,7 @@ PORTNAME= squid
 PORTVERSION= 2.5.5
-PORTREVISION= 11
+PORTREVISION= 12
 CATEGORIES= www
 MASTER_SITES= \
 ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -65,7 +65,8 @@ PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \
 squid-2.5.STABLE5-dns_localhost.patch \
 squid-2.5.STABLE5-msnt_auth_doc.patch \
 squid-2.5.STABLE5-CONNECT_log_size.patch \
- squid-2.5.STABLE5-proxy_abuse.patch
+ squid-2.5.STABLE5-proxy_abuse.patch \
+ squid-2.5.STABLE5-ntlm_auth_overflow.patch
 PATCH_DIST_STRIP= -p1
 MAINTAINER= tmseck@netcologne.de
@@ -123,7 +124,7 @@ CONFIGURE_ARGS= --bindir=${PREFIX}/sbin --sysconfdir=${PREFIX}/etc/squid \
 # Authentication methods and modules:
-basic_auth= NCSA PAM YP MSNT winbind
+basic_auth= NCSA PAM YP MSNT SMB winbind
 external_acl= ip_user unix_group wbinfo_group winbind_group
 MAN8+= pam_auth.8 squid_unix_group.8
 .if defined(WITH_SQUID_LDAP_AUTH)
diff --git a/www/squid/distinfo b/www/squid/distinfo
index 98d0c1344de..9f798808315 100644
--- a/www/squid/distinfo
+++ b/www/squid/distinfo
@@ -48,3 +48,5 @@ MD5 (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 9bc3c39ca19ae2a4922d4a
 SIZE (squid2.5/squid-2.5.STABLE5-CONNECT_log_size.patch) = 2011
 MD5 (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 8b169a288a0491a760f4d04c4f5eab21
 SIZE (squid2.5/squid-2.5.STABLE5-proxy_abuse.patch) = 761
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 30c7c5e2ba03655dbde9d3e65409baed
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_auth_overflow.patch) = 3198
diff --git a/www/squid/files/follow_xff-configure.patch b/www/squid/files/follow_xff-configure.patch
index a0920813868..0cf30da6c14 100644
--- a/www/squid/files/follow_xff-configure.patch
+++ b/www/squid/files/follow_xff-configure.patch
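Review bot: With files/patch-helpers-ntlm_auth-SMB-libntlmssp.c deleted, nothing left in the port records what the new PATCHFILES entry squid-2.5.STABLE5-ntlm_auth_overflow.patch fixes; the removed local patch carried that traceability (CAN-2004-0541, squid bug 998) in its header, and the @@ -65 hunk drops it without replacement. A one-line comment above the PATCHFILES assignment would preserve it, e.g. `# squid-2.5.STABLE5-ntlm_auth_overflow.patch: official fix for CAN-2004-0541 (NTLM auth helper buffer overflow)`; the PATCHFILES assignment itself begins before this hunk. Worth noting as well that the fix is now fetched rather than carried in the tree, so the MD5 and SIZE lines added in distinfo are the only integrity check on it.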
@@ -1,10 +1,23 @@
-!Patch configure directly to enable testing for the
-!--enable-follow-x-forwarding-for configuration option
-!instead of running configure.in through autoconf as in the
-!original follow-XFF patchset from devel.squid-cache.org.
+!Simulate the autotools bootstrap of the follow-x-forwarded-for patchset.
+!
 !Beware that all line number informations in configure.log greater
-!than 2972 are offset by -29 (correcting all line numbers would have
+!than 2972 are offset by at least -29 (correcting all line numbers would have
 !bloated the patch by 92kB!)
+--- include/autoconf.h.in.orig Sat Jan 18 02:46:11 2003
++++ include/autoconf.h.in Thu Jun 24 13:19:07 2004
+@@ -291,6 +291,12 @@
+ #define USE_IDENT 1
+ 
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+ * If your system has statvfs(), and if it actually works!
+ */
+ #undef HAVE_STATVFS
 --- configure.orig Tue Mar 2 10:18:14 2004
 +++ configure Tue Mar 2 10:18:56 2004
 @@ -222,6 +222,12 @@
diff --git a/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c b/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
deleted file mode 100644
index 54eeeb6bcde..00000000000
--- a/www/squid/files/patch-helpers-ntlm_auth-SMB-libntlmssp.c
+++ /dev/null
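Review bot: The comment added to include/autoconf.h.in says FOLLOW_X_FORWARDED_FOR is `Enabled by default.` but does not say what turns it off, and since the template now carries a hard `#define` rather than an `#undef`, whether configure can still override it depends on the configure hunk that starts at the end of this hunk and continues outside it. Suggest the comment name the switch, e.g. `* Enabled by default; controlled by configure's --enable-follow-x-forwarded-for option.`, with the option name confirmed against that configure hunk. The header text this commit removes spelled it --enable-follow-x-forwarding-for, so the two spellings should be reconciled at the same time.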
@@ -1,78 +0,0 @@
-This patch fixes a buffer overflow vulnerability in the NTLM auth
-helper which was reported by iDefense on the 07th June 2004.
-Original advisory:
-<http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false>
-CVE-ID: CAN-2004-0541
-Patch and correction obtained from:
-<http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch>
-<http://www.squid-cache.org/bugs/show_bug.cgi?id=998>
-
---- helpers/ntlm_auth/SMB/libntlmssp.c.orig Fri Nov 30 10:50:06 2001
-+++ helpers/ntlm_auth/SMB/libntlmssp.c Fri Jun 18 13:17:35 2004
-@@ -161,7 +161,10 @@ make_challenge(char *domain, char *domai
- #define min(A,B) (A<B?A:B)
- 
- int ntlm_errno;
--static char credentials[1024]; /* we can afford to waste */
-+#define MAX_USERNAME_LEN 255
-+#define MAX_DOMAIN_LEN 255
-+#define MAX_PASSWD_LEN 31
-+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
- 
- 
- /* Fetches the user's credentials from the challenge.
-@@ -197,7 +200,7 @@ char *
- ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
- {
- int rv;
-- char pass[25] /*, encrypted_pass[40] */;
-+ char pass[MAX_PASSWD_LEN+1];
- char *domain = credentials;
- char *user;
- lstring tmp;
-@@ -215,6 +218,11 @@ ntlm_check_auth(ntlm_authenticate * auth
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
-+ if (tmp.l > MAX_DOMAIN_LEN) {
-+ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
- memcpy(domain, tmp.str, tmp.l);
- user = domain + tmp.l;
- *user++ = '\0';
-@@ -226,20 +234,30 @@ ntlm_check_auth(ntlm_authenticate * auth
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
-+ if (tmp.l > MAX_USERNAME_LEN) {
-+ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
- memcpy(user, tmp.str, tmp.l);
- *(user + tmp.l) = '\0';
- 
- 
-- /* Authenticating against the NT response doesn't seem to work... */
-+ /* Authenticating against the NT response doesn't seem to work... */
- tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
- if (tmp.str == NULL || tmp.l == 0) {
- fprintf(stderr, "No auth at all. Returning no-auth\n");
- ntlm_errno = NTLM_LOGON_ERROR;
- return NULL;
- }
--
-+ if (tmp.l > MAX_PASSWD_LEN) {
-+ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
-+ ntlm_errno = NTLM_LOGON_ERROR;
-+ return NULL;
-+ }
-+
- memcpy(pass, tmp.str, tmp.l);
-- pass[25] = '\0';
-+ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
- 
- #if 1
- debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"