From e30e0c309465de4e52addf008ab4404580c0026e Mon Sep 17 00:00:00 2001
From: Vijay Anusuri <vanusuri@mvista.com>
Date: Mon, 12 Feb 2024 09:26:24 +0530
Subject: [PATCH] squid: Backport fix for CVE-2023-50269

import patch from ubuntu to fix
 CVE-2023-50269

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
Upstream commit
https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../squid/files/CVE-2023-50269.patch          | 62 +++++++++++++++++++
 .../recipes-daemons/squid/squid_4.9.bb        |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch

diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch
new file mode 100644
index 0000000000..51c895e0ef
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch
@@ -0,0 +1,62 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 26 Dec 2023 19:58:12 +0100
+Subject: CVE-2023-50269
+
+Bug-Debian: https://bugs.debian.org/1058721
+Origin: http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/squid/tree/debian/patches/CVE-2023-50269.patch?h=ubuntu/focal-security&id=9ccd217ca9428c9a6597e9310a99552026b245fa
+Upstream commit https://github.com/squid-cache/squid/commit/9f7136105bff920413042a8806cc5de3f6086d6d]
+CVE: CVE-2023-50269
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ClientRequestContext.h |  4 ++++
+ src/client_side_request.cc | 17 +++++++++++++++--
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/src/ClientRequestContext.h
++++ b/src/ClientRequestContext.h
+@@ -81,6 +81,10 @@
+ #endif
+     ErrorState *error; ///< saved error page for centralized/delayed processing
+     bool readNextRequest; ///< whether Squid should read after error handling
++
++#if FOLLOW_X_FORWARDED_FOR
++    size_t currentXffHopNumber = 0; ///< number of X-Forwarded-For header values processed so far
++#endif
+ };
+ 
+ #endif /* SQUID_CLIENTREQUESTCONTEXT_H */
+--- a/src/client_side_request.cc
++++ b/src/client_side_request.cc
+@@ -78,6 +78,11 @@
+ static const char *const crlf = "\r\n";
+ 
+ #if FOLLOW_X_FORWARDED_FOR
++
++#if !defined(SQUID_X_FORWARDED_FOR_HOP_MAX)
++#define SQUID_X_FORWARDED_FOR_HOP_MAX 64
++#endif
++
+ static void clientFollowXForwardedForCheck(allow_t answer, void *data);
+ #endif /* FOLLOW_X_FORWARDED_FOR */
+ 
+@@ -485,8 +490,16 @@
+                 /* override the default src_addr tested if we have to go deeper than one level into XFF */
+                 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
+             }
+-            calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
+-            return;
++            if (++calloutContext->currentXffHopNumber < SQUID_X_FORWARDED_FOR_HOP_MAX) {
++                calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
++                return;
++            }
++            const auto headerName = Http::HeaderLookupTable.lookup(Http::HdrType::X_FORWARDED_FOR).name;
++            debugs(28, DBG_CRITICAL, "ERROR: Ignoring trailing " << headerName << " addresses");
++            debugs(28, DBG_CRITICAL, "addresses allowed by follow_x_forwarded_for: " << calloutContext->currentXffHopNumber);
++            debugs(28, DBG_CRITICAL, "last/accepted address: " << request->indirect_client_addr);
++            debugs(28, DBG_CRITICAL, "ignored trailing addresses: " << request->x_forwarded_for_iterator);
++            // fall through to resume clientAccessCheck() processing
+         }
+     }
+ 
diff --git a/meta-networking/recipes-daemons/squid/squid_4.9.bb b/meta-networking/recipes-daemons/squid/squid_4.9.bb
index 482ce76d16..09c0a2cd7c 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.9.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.9.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
            file://CVE-2023-46846.patch \
            file://CVE-2023-49285.patch \
            file://CVE-2023-49286.patch \
+           file://CVE-2023-50269.patch \
            "
 
 SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"