diff -u squid-2.6.1/debian/changelog squid-2.6.1/debian/changelog
--- squid-2.6.1/debian/changelog
+++ squid-2.6.1/debian/changelog
@@ -1,3 +1,12 @@
+squid (2.6.1-3ubuntu1.5) edgy-security; urgency=low
+
+ * SECURITY UPDATE: denial of service through memory exhaustion.
+ * Add cache_header_shrinking.dpatch: upstream fixes thanks to Martin Nagy.
+ * References
+ CVE-2007-6239
+
+ -- Kees Cook Mon, 07 Jan 2008 16:37:33 -0800
+
 squid (2.6.1-3ubuntu1.3) edgy-security; urgency=low
 
 * SECURITY UPDATE: remote denial of service via TRACE method.
diff -u squid-2.6.1/debian/patches/00list squid-2.6.1/debian/patches/00list
--- squid-2.6.1/debian/patches/00list
+++ squid-2.6.1/debian/patches/00list
@@ -10,0 +11 @@
+cache_header_shrinking.dpatch
only in patch2:
unchanged:
--- squid-2.6.1.orig/debian/patches/cache_header_shrinking.dpatch
+++ squid-2.6.1/debian/patches/cache_header_shrinking.dpatch
@@ -0,0 +1,82 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## cache_header_shrinking.dpatch by Kees Cook
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad squid-2.6.1~/include/Array.h squid-2.6.1/include/Array.h
+--- squid-2.6.1~/include/Array.h 2005-10-23 08:20:49.000000000 -0700
++++ squid-2.6.1/include/Array.h 2008-01-07 16:41:47.000000000 -0800
+@@ -50,6 +50,8 @@
+ extern void arrayAppend(Array * s, void *obj);
+ extern void arrayInsert(Array * s, void *obj, int position);
+ extern void arrayPreAppend(Array * s, int app_count);
++extern void arrayShrink(Array *a, int new_count);
++
+ 
+ 
+ #endif /* SQUID_ARRAY_H */
+diff -urNad squid-2.6.1~/lib/Array.c squid-2.6.1/lib/Array.c
+--- squid-2.6.1~/lib/Array.c 2005-10-23 08:20:49.000000000 -0700
++++ squid-2.6.1/lib/Array.c 2008-01-07 16:41:47.000000000 -0800
+@@ -138,3 +138,11 @@
+ /* reset, just in case */
+ memset(a->items + a->count, 0, (a->capacity - a->count) * sizeof(void *));
+ }
++
++void
++arrayShrink(Array *a, int new_count)
++{
++ assert(new_count < a->capacity);
++ assert(new_count >= 0);
++ a->count = new_count;
++}
+diff -urNad squid-2.6.1~/src/HttpHeader.c squid-2.6.1/src/HttpHeader.c
+--- squid-2.6.1~/src/HttpHeader.c 2006-05-25 04:59:29.000000000 -0700
++++ squid-2.6.1/src/HttpHeader.c 2008-01-07 16:41:47.000000000 -0800
+@@ -375,12 +375,34 @@
+ }
+ }
+ 
++static void
++httpHeaderRepack(HttpHeader * hdr)
++{
++ HttpHeaderPos dp = HttpHeaderInitPos;
++ HttpHeaderPos pos = HttpHeaderInitPos;
++
++ /* XXX breaks layering for now! ie, getting grubby fingers in without httpHeaderEntryGet() */
++ dp = 0;
++ pos = 0;
++ while (dp < hdr->entries.count) {
++ for (; dp < hdr->entries.count && hdr->entries.items[dp] == NULL; dp++);
++ assert(dp < hdr->entries.count);
++ hdr->entries.items[pos] = hdr->entries.items[dp];
++ if (dp != pos)
++ hdr->entries.items[dp] = NULL;
++ pos++;
++ dp++;
++ }
++ arrayShrink(&hdr->entries, pos);
++}
++
+ /* use fresh entries to replace old ones */
+ void
+ httpHeaderUpdate(HttpHeader * old, const HttpHeader * fresh, const HttpHeaderMask * denied_mask)
+ {
+ const HttpHeaderEntry *e;
+ HttpHeaderPos pos = HttpHeaderInitPos;
++
+ assert(old && fresh);
+ assert(old != fresh);
+ debug(55, 7) ("updating hdr: %p <- %p\n", old, fresh);
+@@ -392,6 +414,9 @@
+ httpHeaderDelByName(old, strBuf(e->name));
+ httpHeaderAddEntry(old, httpHeaderEntryClone(e));
+ }
++
++ /* And now, repack the array to "fill in the holes" */
++ httpHeaderRepack(old);
+ }
+ 
+ /* just handy in parsing: resets and returns false */
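Review bot: In the lib/Array.c hunk carried by this dpatch, `assert(new_count < a->capacity);` is strict, so the closing `arrayShrink(&hdr->entries, pos)` in httpHeaderRepack aborts when repacking finds no holes in an array that is exactly full (pos == count == capacity), or when count and capacity are both 0; `assert(new_count <= a->capacity);` expresses the bound, assuming count may legitimately equal capacity (the Array growth code is not shown). In httpHeaderRepack, `assert(dp < hdr->entries.count);` after the skip loop likewise fires when every remaining slot is NULL, and `if (dp >= hdr->entries.count) break;` would let trailing holes be dropped instead. Since httpHeaderUpdate now calls httpHeaderRepack unconditionally, a patch meant to stop memory exhaustion should not add assert paths that end the process on header-dependent state. httpHeaderUpdate's body is split across the last two inner hunks, with the loop between them not visible here.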