squid3: segfault when ftp passive mode is not available
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Squid | Unknown | Unknown | |
squid3 (Debian) | Fix Released | Unknown | |
squid3 (Ubuntu) | Fix Released | Medium | Andreas Hasenack |
Trusty | Won't Fix | Medium | Unassigned |
Xenial | Fix Released | Medium | Andreas Hasenack |
Yakkety | Won't Fix | Medium | Andreas Hasenack |
Bug Description
[Impact]
Users who use squid as an FTP proxy and access sites that block ftp PASV mode will trigger a squid segfault. That means a brief service interruption, as upstart/systemd will restart it.
Since this is a crash, the backport seems justified. But there is an effective workaround, see below.
Upstream committed a fix, the same fix we are introducing here, which essentially adds a lot of NULL checks but at the same time disables the fallback ftp command EPRT should passive mode fail. Upstream states that this command doesn't work properly in squid yet.
This is also the recommended workaround: disable EPRT by setting the following in /etc/squid/
ftp_eprt off
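An added example (not part of the bug report) that audits a squid.conf for the workaround above. It assumes Squid's documented default of `ftp_eprt on` when the directive is absent, and that the last occurrence of a directive wins, so a commented-out or earlier `ftp_eprt off` does not count. The sample configuration is constructed for the example.

```python
"""Audit a squid.conf for the "ftp_eprt off" workaround (added example)."""
import re

# Assumption: Squid enables EPRT when the directive is absent (documented default).
DEFAULT_FTP_EPRT = "on"
FTP_EPRT_RE = re.compile(r"^ftp_eprt\s+(on|off)\s*$", re.IGNORECASE)


def _strip_comment(raw: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def effective_ftp_eprt(conf_text: str) -> str:
    """Return the effective ftp_eprt value ('on' or 'off') for a squid.conf body.

    Squid applies the last occurrence of a directive, so the last
    non-comment ftp_eprt line wins; a missing directive yields the default.
    """
    value = DEFAULT_FTP_EPRT
    for raw in conf_text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = FTP_EPRT_RE.match(line)
        if m:
            value = m.group(1).lower()
    return value


def workaround_applied(conf_text: str) -> bool:
    """True when the configuration disables the EPRT fallback."""
    return effective_ftp_eprt(conf_text) == "off"


def apply_workaround(conf_text: str) -> str:
    """Return conf_text with EPRT disabled.

    Existing ftp_eprt lines are commented out (keeping an audit trail) and a
    single 'ftp_eprt off' is appended so it is guaranteed to be the last one.
    """
    out = []
    for raw in conf_text.splitlines():
        if FTP_EPRT_RE.match(_strip_comment(raw)):
            out.append("# " + raw + "   # disabled: PASV-refusal segfault workaround")
        else:
            out.append(raw)
    out.append("ftp_eprt off")
    return "\n".join(out) + "\n"


# Constructed sample squid.conf fragment (not taken from the bug report).
SAMPLE_CONF = """\
acl localnet src 10.0.100.0/24
http_access allow localnet
http_access deny all
http_port 3128
ftp_eprt on        # explicit default
"""

if __name__ == "__main__":
    print("before:", effective_ftp_eprt(SAMPLE_CONF))
    fixed = apply_workaround(SAMPLE_CONF)
    print("after: ", effective_ftp_eprt(fixed))
    print(fixed)
```

Running the script on the sample prints `on` before and `off` after the rewrite; a real deployment would run it against `/etc/squid/squid.conf` and reload Squid afterwards.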
[Test Case]
- set up a xenial machine/lxd with proftpd configured like this (/etc/proftpd/
http://
- restart proftpd: sudo service proftpd restart
Alternatively, set up any anonymous ftp server to your liking with passive mode disabled/forbidden.
- Create a simple file under the anonymous area, for the ftp client to fetch later on:
echo hello | sudo tee /srv/ftp/readme.txt
- install the squid proxy under test on another machine/lxd.
- configure /etc/squid/
- in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
- restart squid: sudo service squid restart
- access the ftp server via the squid proxy:
$ ftp_proxy=http://
(replace the URLs with whatever you need to reach the squid server under test, and the ftp server you set up)
In the case of a vulnerable squid server you will get:
a) wget gives up:
andreas@nsn7:~$ ftp_proxy=http://
--2017-07-07 11:58:16-- ftp://xenial-
Resolving xenial-
Connecting to xenial-
Proxy request sent, awaiting response... No data received.
Giving up.
b) /var/log/
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
c) proftpd /var/log/
xenial-
xenial-
xenial-
xenial-
xenial-
xenial-
In the case of the fixed squid server, you will get:
a) wget gets a 502 error instead of "no data":
andreas@nsn7:~$ ftp_proxy=http://
--2017-07-07 12:04:14-- ftp://xenial-
Resolving xenial-
Connecting to xenial-
Proxy request sent, awaiting response... 502 Bad Gateway
2017-07-07 12:04:14 ERROR 502: Bad Gateway.
b) /var/log/
1499439854.710 18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-
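An added example (not part of the bug report) that turns the two log signatures above into detection logic: repeated "Starting Squid Cache version" lines in cache.log close together indicate the supervisor restarting a crashed Squid, and `TCP_MISS/502` on `ftp://` URLs in access.log is the post-fix symptom. The log lines and hostnames below are constructed for the example; only the line formats follow the excerpts in the bug.

```python
"""Detect the crash-restart loop and the ftp 502 symptom in Squid logs (added example)."""
import re
from datetime import datetime

# cache.log: "YYYY/MM/DD HH:MM:SS kid1| message"
CACHE_LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| (.*)$")
# access.log (native format): ts elapsed client code/status bytes method url ...
ACCESS_LINE = re.compile(
    r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)"
)


def find_restarts(cache_log: str):
    """Return a timestamp for every Squid start-up banner in cache.log."""
    starts = []
    for line in cache_log.splitlines():
        m = CACHE_LINE.match(line)
        if m and m.group(2).startswith("Starting Squid Cache version"):
            starts.append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
    return starts


def restart_bursts(starts, window_seconds: int = 300) -> int:
    """Count restarts that followed the previous one within window_seconds.

    A planned restart produces one banner; a crash loop produces several in
    quick succession, so any burst is worth an alert.
    """
    return sum(
        1 for prev, cur in zip(starts, starts[1:])
        if (cur - prev).total_seconds() <= window_seconds
    )


def ftp_gateway_errors(access_log: str):
    """Return (client, url) for ftp:// requests answered with HTTP 502."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        _ts, _elapsed, client, _code, status, _bytes, _method, url = m.groups()
        if status == "502" and url.lower().startswith("ftp://"):
            hits.append((client, url))
    return hits


def diagnose(cache_log: str, access_log: str) -> dict:
    """Summarise both symptoms for an alerting pipeline."""
    bursts = restart_bursts(find_restarts(cache_log))
    ftp_502 = ftp_gateway_errors(access_log)
    return {
        "suspect_crash_loop": bursts > 0,   # unpatched: server dies on PASV refusal
        "restart_bursts": bursts,
        "ftp_502_count": len(ftp_502),      # patched: clean 502 instead of a crash
    }


# Constructed sample logs (hostnames and PIDs are made up).
SAMPLE_CACHE_LOG = """\
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
2017/07/07 14:59:02 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:59:02 kid1| Process ID 1702
2017/07/07 15:00:40 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 15:00:40 kid1| Process ID 1755
"""

SAMPLE_ACCESS_LOG = """\
1499439854.710     18 10.0.100.1 TCP_MISS/502 4324 GET ftp://ftp.example.test/readme.txt - HIER_NONE/- text/html
1499439860.120    120 10.0.100.1 TCP_MISS/200 1532 GET http://www.example.test/ - HIER_DIRECT/198.51.100.7 text/html
1499439861.000     25 10.0.100.2 TCP_MISS/502 4324 GET ftp://ftp.example.test/other.txt - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_CACHE_LOG, SAMPLE_ACCESS_LOG))
```

On a live system the same functions would be fed the tail of `/var/log/squid/cache.log` and `/var/log/squid/access.log`; a non-zero `restart_bursts` on a host whose squid.conf lacks `ftp_eprt off` is the combination to alert on.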
[Regression Potential]
You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
There are many more fixes in the 3.5 branch that are not being applied here, related to other problems. Debian opted to upgrade to 3.5.23 in their bug http://
One could argue that updating to that version is "safer" than cherry picking a patch from their code tree.
[Other Info]
I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts.
Changed in squid3 (Debian):
  status: Unknown → Confirmed
Changed in squid3 (Debian):
  status: Confirmed → Fix Released
Changed in squid3 (Ubuntu):
  assignee: nobody → Andreas Hasenack (ahasenack)
  status: Confirmed → In Progress
  importance: Undecided → Medium
Changed in squid3 (Ubuntu Yakkety):
  status: New → In Progress
  assignee: nobody → Andreas Hasenack (ahasenack)
  importance: Undecided → Medium
Changed in squid3 (Ubuntu Xenial):
  status: New → In Progress
  importance: Undecided → Medium
  assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
description: updated
description: updated
description: updated
description: updated
Changed in squid3 (Ubuntu Trusty):
  status: New → Confirmed
  importance: Undecided → Medium
description: updated
description: updated
description: updated
Workaround is to configure "ftp_eprt off" for now.
A possible fix patch is available at upstream Squid Project in 3.5.23 release. Though we are not sure of completeness yet so the upstream bug report is staying open for now.