Bugzilla – Bug 891268
AUDIT-0: CVE-2014-7141: VUL-1: server:proxy/squid permissions and setbadness handling
Last modified: 2016-04-27 20:17:34 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

Squid proxy server now has correct permissions handling and as such at this moment uses setBadness in squid-rpmlintrc, so to be able to push this change into Factory we need it to be resolved with the security team.

Reproducible: Always
Development Project: server:proxy/squid
/var/cache/squid/          squid:root   750
/var/log/squid/            squid:root   750
/usr/sbin/pinger           root:squid   4750
/usr/sbin/basic_pam_auth   root:shadow  2750

are the permissions wanted.

First comments:
- we lived without pinger being setuid root for now. Why is it needed now?
- basic_pam_auth ... sounds like a helper we have in various iterations, /sbin/unix2_chkpwd or /sbin/unix_chkpwd; we could use those.
- logfiles ... ?
Why now all of this? I have just followed all things that are supposed to be done when packaging this package, as outlined in the packaging guidelines.
- Logfiles sure can be removed (that is not new stuff, look at the package in Factory: https://build.opensuse.org/package/view_file/openSUSE:Factory/squid/squid.permissions?expand=1)
- pinger: no need, it is anyway for a very specific use case with upstream proxy servers
- basic_pam_auth: you are correct, but I do not have time to write a C wrapper myself at this moment
For me returning everything as it was is OK, but it is up to you to decide.
We just need to review the things, which is a usual step in the process.
Just realized that my comment could be interpreted as not well intended, for which I sincerely apologize. I was questioning myself, not you, with the first question. There was no intention to rush anything in your workflow. Sometimes text cannot express what the thought process of the person behind the keyboard was.
I did the 'setuid' root for /usr/sbin/pinger. pinger does not work without being 'setuid' root. If you have other ideas to get this fixed, then just let me know. I am open to any suggestion.
Created attachment 605504: squid-icmp-DoS.patch

Fixing a DoS in the ICMP pinger.
Please remove the suid bit from pinger and instead use the file capability "cap_net_raw". This suffices for opening RAW sockets. We use the same for the ping binary too. It should work out of the box. If it doesn't, we can adjust the pinger code.
bugbot adjusting priority
Sebastian, did you email the Squid people?
Affected packages:
SLE-11-SP3: squid3
SLE-11-SP3-PRODUCTS: squid3
SLE-11-SP3-UPTU: squid3
The Squid mail server is down at present, so the official line of contact is cut. But I (upstream) am aware of this from reading this bug report anyway, so an upstream patch and release fixing the array access segfault will be published over the next few days. CVE-2014-0486 appears to have been assigned to unrelated software judging by the Debian security team records for it. Am getting that checked. The last advisory we were allocated was in the 36nn range, so I expect this will be something higher. A patch implementing the cap_net_raw permission is greatly appreciated. It can be linked here or mailed to me directly.
The CVE was incorrectly used here; another CVE is needed for the squid/pinger DoS.
For me the code looks like it could run with cap_net_raw as is. The setgid/setuid won't fail if it's running non-suid, and it automatically drops gid/uid in case it's made +s. If you experience that there are other problems with the caps, I am happy to provide a patch.
Created attachment 606482: icmp pinger DoS patch updated to compile on 3.4.7

Fixed patch for the ICMP DoS; the forgotten function prototype is fixed.
From Mitre:

> From: Amos Jeffries <squid3@treenet.co.nz>
> What could happen worst-case (#1 or #3 ... flooding the parent
> processes log, slowing the entire service down and/or exhausting log
> disk space, which in turn can crash the parent process. ... The
> best-case being that some HTTP servers are assigned incorrect RTT
> values. Which adversely affects latency based routing logics ...

As far as we can tell, CVE IDs are required for cases #1 and #3:

> 1. "used to index into a string array" possibly corresponds to
> http://cwe.mitre.org/data/definitions/129.html for the modified
> default case after case 136, and approximately two other places in the
> patch

Use CVE-2014-7141.

> 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> general issue with missing data validation

Use CVE-2014-7142.
What is currently in /etc/permissions.* is (permissions-2014.08.26.1452-1.1.x86_64):

---------------------------------------------
# from the squid package
/usr/sbin/pam_auth root:shadow 4755
---------------------------------------------

This corresponds to the old name of the current /usr/sbin/basic_pam_auth, so if we could get that renamed in the permissions package (and the addition of capabilities for pinger) we would be able to close this issue and push 3.4.7 to Factory. The package is already prepared for removal of SetBadness once the work on permissions is done. Thank you in advance.
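The permissions entries quoted in this bug (the wanted squid modes above and the stale pam_auth line here), with the cap_net_raw suggestion applied, can be checked mechanically. The following is an added example, not code from the bug report or from the SUSE permissions package; it assumes the entry format "<path> <owner>:<group> <octal mode>" with an optional indented "+capabilities <caps>" line applying to the preceding entry, as the permissions package uses for /usr/bin/ping, and flags setuid-root entries that carry no file capability.

```python
# Added example: audit a permissions.* fragment for setuid-root binaries that
# should carry a file capability (cap_net_raw=ep for pinger) instead.
import stat

# Constructed sample mirroring the entries discussed in this bug
SAMPLE = """\
# from the squid package
/var/cache/squid/          squid:root   750
/var/log/squid/            squid:root   750
/usr/sbin/pinger           root:squid   4750
/usr/sbin/basic_pam_auth   root:shadow  2750
/usr/bin/ping              root:root    0755
 +capabilities cap_net_raw=ep
"""


def parse_permissions(text):
    """Return a list of dicts: path, owner, group, mode (int), caps (str)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+capabilities"):
            # assumed format: a capability line belongs to the entry before it
            if not entries:
                raise ValueError("+capabilities line without a preceding entry")
            entries[-1]["caps"] = line.split(None, 1)[1]
            continue
        path, owner_group, mode = line.split()
        owner, group = owner_group.split(":", 1)
        entries.append({"path": path, "owner": owner, "group": group,
                        "mode": int(mode, 8), "caps": ""})
    return entries


def audit(entries):
    """Return (path, finding) pairs a permissions reviewer would want to see."""
    out = []
    for e in entries:
        setuid, setgid = e["mode"] & stat.S_ISUID, e["mode"] & stat.S_ISGID
        if setuid and e["owner"] == "root" and not e["caps"]:
            out.append((e["path"], "setuid root: replace with a file capability (e.g. cap_net_raw=ep)"))
        elif setgid:
            out.append((e["path"], "setgid %s: confirm the helper needs that group" % e["group"]))
        if e["caps"]:
            out.append((e["path"], "uses file capability %s, no setuid bit" % e["caps"]))
    return out


if __name__ == "__main__":
    for path, note in audit(parse_permissions(SAMPLE)):
        print(path, "->", note)
```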
Everything committed. You can close the bug if that works now.
This is an autogenerated message for OBS integration: This bug (891268) was mentioned in https://build.opensuse.org/request/show/259903 Factory / permissions
done
Is this affecting SLES 11 SP3? If yes, can we expect a patch for it?
Since SLE 11 SP3 should not have a mode 04750 pinger, and the issue is low severity, it's not necessary to patch it. However, the DoS patch could be included in the next regular squid update for SLE 11 SP3.
SUSE-RU-2015:1848-1: An update that has 6 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References:
Sources used:
SUSE Linux Enterprise Server 12 (src): permissions-2015.09.28.1626-3.1
SUSE Linux Enterprise Desktop 12 (src): permissions-2015.09.28.1626-3.1
openSUSE-RU-2015:1973-1: An update that has 6 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 685093,891268,895647,904060,906336,943471
CVE References:
Sources used:
openSUSE Leap 42.1 (src): permissions-2015.09.28.1626-5.1