CVE-2025-62168 fixes

CVE-2025-59362 fix
Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1250627
2025-11-06 16:07:32 +01:00 · 2025-10-02 18:14:03 +02:00
4 changed files with 263 additions and 0 deletions
--- a/CVE-2025-59362.patch
+++ b/CVE-2025-59362.patch
@@ -0,0 +1,49 @@
+From 34d90168f4a6905b254c4158b2e0cb79e4e7c05b Mon Sep 17 00:00:00 2001
+From: Alex Rousskov <rousskov@measurement-factory.com>
+Date: Fri, 29 Aug 2025 10:08:59 -0400
+Subject: [PATCH] Support ASN.1 encoding of long SNMP OIDs
+
+---
+ lib/snmplib/asn1.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
+index 81f2051fbe7..2852c26b220 100644
+--- a/lib/snmplib/asn1.c
+++ b/lib/snmplib/asn1.c
+@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
+      * lastbyte ::= 0 7bitvalue
+      */
+     u_char buf[MAX_OID_LEN];
+    u_char *bufEnd = buf + sizeof(buf);
+     u_char *bp = buf;
+     oid *op = objid;
+     int asnlength;
+@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
+     while (objidlength-- > 0) {
+         subid = *op++;
+         if (subid < 127) {  /* off by one? */
+            if (bp >= bufEnd) {
+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                return (NULL);
+            }
+             *bp++ = subid;
+         } else {
+             mask = 0x7F;    /* handle subid == 0 case */
+@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
+                 /* fix a mask that got truncated above */
+                 if (mask == 0x1E00000)
+                     mask = 0xFE00000;
+                if (bp >= bufEnd) {
+                    snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                    return (NULL);
+                }
+                 *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
+             }
+            if (bp >= bufEnd) {
+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                return (NULL);
+            }
+             *bp++ = (u_char) (subid & mask);
+         }
+     }
--- a/CVE-2025-62168.patch
+++ b/CVE-2025-62168.patch
@@ -0,0 +1,200 @@
+ported from
+
+commit e7e9073a2435cc93b913553d147b497fda77c1ab
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   Sat Oct 11 16:33:02 2025 +1300
+
+    Bug 3390: Proxy auth data visible to scripts (#2249)
+    
+    Original changes to redact credentials from error page %R code
+    expansion output was incomplete. It missed the parse failure
+    case where ErrorState::request_hdrs raw buffer contained
+    sensitive information.
+    
+    Also missed was the %W case where full request message headers
+    were generated in a mailto link. This case is especially
+    problematic as it may be delivered over insecure SMTP even if
+    the error was secured with HTTPS.
+    
+    After this change:
+    * The HttpRequest message packing code for error pages is de-duplicated
+      and elides authentication headers for both %R and %W code outputs.
+    * The %R code output includes the CRLF request message terminator.
+    * The email_err_data directive causing advanced details to be added to
+      %W mailto links is disabled by default.
+    
+    Also redact credentials from generated TRACE responses.
+    
+    ---------
+    
+    Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
+
+Index: squid-6.12/src/HttpRequest.cc
+===================================================================
+--- squid-6.12.orig/src/HttpRequest.cc
+++ squid-6.12/src/HttpRequest.cc
+@@ -341,7 +341,7 @@ HttpRequest::swapOut(StoreEntry * e)
+ 
+ /* packs request-line and headers, appends <crlf> terminator */
+ void
+-HttpRequest::pack(Packable * p) const
+HttpRequest::pack(Packable * p, const bool maskSensitiveInfo) const
+ {
+     assert(p);
+     /* pack request-line */
+@@ -349,8 +349,8 @@ HttpRequest::pack(Packable * p) const
+                SQUIDSBUFPRINT(method.image()), SQUIDSBUFPRINT(url.path()),
+                http_ver.major, http_ver.minor);
+     /* headers */
+-    header.packInto(p);
+-    /* trailer */
+    header.packInto(p, maskSensitiveInfo);
+    /* indicate the end of the header section */
+     p->append("\r\n", 2);
+ }
+ 
+Index: squid-6.12/src/HttpRequest.h
+===================================================================
+--- squid-6.12.orig/src/HttpRequest.h
+++ squid-6.12/src/HttpRequest.h
+@@ -206,7 +206,7 @@ public:
+ 
+     void swapOut(StoreEntry * e);
+ 
+-    void pack(Packable * p) const;
+    void pack(Packable * p, bool maskSensitiveInfo = false) const;
+ 
+     static void httpRequestPack(void *obj, Packable *p);
+ 
+Index: squid-6.12/src/cf.data.pre
+===================================================================
+--- squid-6.12.orig/src/cf.data.pre
+++ squid-6.12/src/cf.data.pre
+@@ -8931,12 +8931,18 @@ NAME: email_err_data
+ COMMENT: on|off
+ TYPE: onoff
+ LOC: Config.onoff.emailErrData
+-DEFAULT: on
+DEFAULT: off
+ DOC_START
+ 	If enabled, information about the occurred error will be
+ 	included in the mailto links of the ERR pages (if %W is set)
+ 	so that the email body contains the data.
+ 	Syntax is <A HREF="mailto:%w%W">%w</A>
+
+	SECURITY WARNING:
+		Request headers and other included facts may contain
+		sensitive information about transaction history, the
+		Squid instance, and its environment which would be
+		unavailable to error recipients otherwise.
+ DOC_END
+ 
+ NAME: deny_info
+Index: squid-6.12/src/client_side_reply.cc
+===================================================================
+--- squid-6.12.orig/src/client_side_reply.cc
+++ squid-6.12/src/client_side_reply.cc
+@@ -94,7 +94,7 @@ clientReplyContext::clientReplyContext(C
+ void
+ clientReplyContext::setReplyToError(
+     err_type err, Http::StatusCode status, char const *uri,
+-    const ConnStateData *conn, HttpRequest *failedrequest, const char *unparsedrequest,
+    const ConnStateData *conn, HttpRequest *failedrequest, const char *,
+ #if USE_AUTH
+     Auth::UserRequest::Pointer auth_user_request
+ #else
+@@ -104,9 +104,6 @@ clientReplyContext::setReplyToError(
+ {
+     auto errstate = clientBuildError(err, status, uri, conn, failedrequest, http->al);
+ 
+-    if (unparsedrequest)
+-        errstate->request_hdrs = xstrdup(unparsedrequest);
+-
+ #if USE_AUTH
+     errstate->auth_user_request = auth_user_request;
+ #endif
+@@ -995,11 +992,14 @@ clientReplyContext::traceReply()
+     triggerInitialStoreRead();
+     http->storeEntry()->releaseRequest();
+     http->storeEntry()->buffer();
+    MemBuf content;
+    content.init();
+    http->request->pack(&content, true /* hide authorization data */);
+     const HttpReplyPointer rep(new HttpReply);
+-    rep->setHeaders(Http::scOkay, nullptr, "text/plain", http->request->prefixLen(), 0, squid_curtime);
+    rep->setHeaders(Http::scOkay, nullptr, "message/http", content.contentSize(), 0, squid_curtime);
+    rep->body.set(SBuf(content.buf, content.size));
+     http->storeEntry()->replaceHttpReply(rep);
+-    http->request->swapOut(http->storeEntry());
+-    http->storeEntry()->complete();
+    http->storeEntry()->completeSuccessfully("traceReply() stored the entire response");
+ }
+ 
+ #define SENDING_BODY 0
+Index: squid-6.12/src/errorpage.cc
+===================================================================
+--- squid-6.12.orig/src/errorpage.cc
+++ squid-6.12/src/errorpage.cc
+@@ -792,7 +792,6 @@ ErrorState::~ErrorState()
+ {
+     safe_free(redirect_url);
+     safe_free(url);
+-    safe_free(request_hdrs);
+     wordlistDestroy(&ftp.server_msg);
+     safe_free(ftp.request);
+     safe_free(ftp.reply);
+@@ -850,7 +849,7 @@ ErrorState::Dump(MemBuf * mb)
+                     SQUIDSBUFPRINT(request->url.path()),
+                     AnyP::ProtocolType_str[request->http_ver.protocol],
+                     request->http_ver.major, request->http_ver.minor);
+-        request->header.packInto(&str);
+        request->header.packInto(&str, true);
+     }
+ 
+     str.append("\r\n", 2);
+@@ -1111,17 +1110,9 @@ ErrorState::compileLegacyCode(Build &bui
+             } else
+                 p = "[no request]";
+             break;
+-        }
+-        if (request) {
+-            mb.appendf(SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\n",
+-                       SQUIDSBUFPRINT(request->method.image()),
+-                       SQUIDSBUFPRINT(request->url.path()),
+-                       AnyP::ProtocolType_str[request->http_ver.protocol],
+-                       request->http_ver.major, request->http_ver.minor);
+-            request->header.packInto(&mb, true); //hide authorization data
+-        } else if (request_hdrs) {
+-            p = request_hdrs;
+-        } else {
+        } else if (request) {
+            request->pack(&mb, true /* hide authorization data */);
+		} else {
+             p = "[no request]";
+         }
+         break;
+Index: squid-6.12/src/errorpage.h
+===================================================================
+--- squid-6.12.orig/src/errorpage.h
+++ squid-6.12/src/errorpage.h
+@@ -194,7 +194,6 @@ public:
+         MemBuf *listing = nullptr;
+     } ftp;
+ 
+-    char *request_hdrs = nullptr;
+     char *err_msg = nullptr; /* Preformatted error message from the cache */
+ 
+     AccessLogEntryPointer ale; ///< transaction details (or nil)
+Index: squid-6.12/src/tests/stub_HttpRequest.cc
+===================================================================
+--- squid-6.12.orig/src/tests/stub_HttpRequest.cc
+++ squid-6.12/src/tests/stub_HttpRequest.cc
+@@ -45,7 +45,7 @@ bool HttpRequest::expectingBody(const Ht
+ bool HttpRequest::bodyNibbled() const STUB_RETVAL(false)
+ int HttpRequest::prefixLen() const STUB_RETVAL(0)
+ void HttpRequest::swapOut(StoreEntry *) STUB
+-void HttpRequest::pack(Packable *) const STUB
+void HttpRequest::pack(Packable *, bool) const STUB
+ void HttpRequest::httpRequestPack(void *, Packable *) STUB
+ HttpRequest * HttpRequest::FromUrl(const SBuf &, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
+ HttpRequest * HttpRequest::FromUrlXXX(const char *, const MasterXaction::Pointer &, const HttpRequestMethod &) STUB_RETVAL(nullptr)
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Nov  6 15:07:07 UTC 2025 - Adam Majer <adam.majer@suse.de>
+
+- CVE-2025-62168.patch: Proxy auth data visible to scripts (bsc#1252281, CVE-2025-62168)
+
+-------------------------------------------------------------------
+Thu Oct  2 15:53:06 UTC 2025 - Adam Majer <adam.majer@suse.de>
+
+- CVE-2025-59362.patch: Squid cache buffer overflow (bsc#1250627, CVE-2025-59362)
+
 -------------------------------------------------------------------
 Mon Dec  9 13:01:22 UTC 2024 - Adam Majer <adam.majer@suse.de>

--- a/squid.spec
+++ b/squid.spec
@@ -49,6 +49,8 @@ Patch1:         missing_installs.patch
 Patch2:         old_nettle_compat.patch
 Patch3:         harden_squid.service.patch
 Patch4:         CVE-2024-33427.patch
+Patch5:         CVE-2025-59362.patch
+Patch6:         CVE-2025-62168.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -106,6 +108,8 @@ accelerator.
 cp %{SOURCE10} .
 %patch -P 3 -p1
 %patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1

 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
Author	SHA256	Message	Date
Adam Majer	835bdb040f	CVE-2025-62168 fixes	2025-11-06 16:07:32 +01:00
Adam Majer	aeca661920	CVE-2025-59362 fix Fixes: https://bugzilla.suse.com/show_bug.cgi?id=1250627	2025-10-02 18:14:03 +02:00