squid3 missing pie and bind-now hardening options

Bug #986314 reported by Steve Beattie
Affects            Status        Importance  Assigned to        Milestone
squid3 (Debian)    Fix Released  Unknown
squid3 (Ubuntu)    Fix Released  High        Jamie Strandboge
  Precise          Fix Released  High        Unassigned

Bug Description

The squid (v2) package had all of the hardening options enabled (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542723) due to squid receiving and parsing network input and the number of and severity of prior security issues; however, with the transition to squid3 some of these options were lost by falling back to the default compiler settings.

STEPS TO REPRODUCE:
1) install the hardening-includes package
2) run '/usr/bin/hardening-check /usr/sbin/squid3'

If all the hardening options were enabled at compile time, the output and return code should be:

  $ hardening-check /usr/sbin/squid3
  /usr/sbin/squid3:
   Position Independent Executable: yes
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: yes
  $ echo $?
  0

However, with the current squid3 version in precise (3.1.19-1ubuntu2), the output and return code are like so:

  $ /usr/bin/hardening-check /usr/sbin/squid3
  /usr/sbin/squid3:
   Position Independent Executable: no, normal executable!
   Stack protected: yes
   Fortify Source functions: yes (some protected functions found)
   Read-only relocations: yes
   Immediate binding: no not found!
  $ echo $?
  1

You can also use the test-built-binaries.py script from the lp:qa-regression-testing testsuite, with python-nose to run just the squid portion, like so:

  $ nosetests test-built-binaries.py:BuiltBinariesTest.test_squid -v
  Testing squid ... ok

  ----------------------------------------------------------------------
  Ran 1 test in 3.699s

  OK
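Added example, not part of this bug report or of the hardening-check tool: a small Python checker for the two properties the report found missing, PIE and immediate binding, read straight from the ELF header and dynamic section. It assumes a little-endian ELF64 image; the PIE rule (an ET_DYN image that either carries PT_INTERP or is flagged DF_1_PIE) is my approximation of what hardening-check reports, and build_sample is a constructed stand-in for a real binary so the check runs offline.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3          # values as in <elf.h>
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def check_hardening(data):
    """Report PIE and immediate-binding status of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 images are handled")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp, tags = False, {}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:        # asks for ld.so: an executable, not a library
            has_interp = True
        elif p_type == PT_DYNAMIC:     # walk the dynamic section until DT_NULL
            for pos in range(p_off, p_off + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                tags[d_tag] = d_val
    # Heuristic (assumption): an ET_DYN image is PIE if it is an executable
    # (has PT_INTERP) or the linker flagged it DF_1_PIE; a plain .so is not.
    pie = e_type == ET_DYN and (has_interp or bool(tags.get(DT_FLAGS_1, 0) & DF_1_PIE))
    # "Immediate binding": any of the three ways -z now can be recorded.
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    return {"pie": pie, "bind_now": bind_now}

def build_sample(e_type, dyn_tags, interp=True):
    """Constructed minimal ELF64 (header, phdrs, dynamic section) for offline testing."""
    phdrs = [PT_DYNAMIC] + ([PT_INTERP] if interp else [])
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * len(phdrs)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b""
    for p_type in phdrs:
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        body += struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, 0, 0, size, size, 8)
    return hdr + body + dyn

if __name__ == "__main__":
    print(check_hardening(build_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)])))
```

Against a real file, pass `open("/usr/sbin/squid3", "rb").read()` to check_hardening; a non-PIE build without -z now, like the 3.1.19-1ubuntu2 output above, yields both fields False.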

Steve Beattie (sbeattie) wrote :

For more details on the hardening options, please see http://wiki.debian.org/Hardening

Attached is a debdiff for precise-proposed SRU that addresses the issue as well as fixes the file descriptor limit in bug 986159. I've built and confirmed both issues locally, as well as performed a modicum of testing to verify that squid3 still functions as expected.

Thanks.

Steve Beattie (sbeattie)
Changed in squid3 (Ubuntu):
importance: Undecided → High
tags: added: qa-r-t regression-release
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "squid3_3.1.19-1ubuntu3.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Micah Gersten (micahg) wrote :

Waiting in unapproved for precise-proposed

Changed in squid3 (Ubuntu Precise):
importance: High → Undecided
importance: Undecided → High
status: New → Fix Committed
Changed in squid3 (Debian):
status: Unknown → New
Martin Pitt (pitti) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted squid3 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Sebastien Bacher (seb128) wrote :

Could you verify the fix so the update can move out of the testing area to -updates?

Stéphane Graber (stgraber) wrote :

Followed the testcase, hardening-check output looks good after upgrading to -proposed and squid still starts.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.1.19-1ubuntu3

---------------
squid3 (3.1.19-1ubuntu3) precise-proposed; urgency=low

  * debian/rules: re-enable all hardening options lost in the
    squid->squid3 transition (LP: #986314)
  * debian/squid3.upstart: move ulimit command to script section
    so that it applies to the started squid daemon. Thanks to Timur
    Irmatov (LP: #986159)
 -- Steve Beattie <email address hidden> Fri, 20 Apr 2012 11:09:46 -0700

Changed in squid3 (Ubuntu Precise):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Quantal was never updated so I will upload those changes.

Changed in squid3 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Fix Committed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.1.19-1ubuntu3.1

---------------
squid3 (3.1.19-1ubuntu3.1) quantal; urgency=low

  * debian/rules: re-enable all hardening options lost in the
    squid->squid3 transition (LP: #986314)
  * debian/squid3.upstart: move ulimit command to script section
    so that it applies to the started squid daemon. Thanks to Timur
    Irmatov (LP: #986159)
 -- Jamie Strandboge <email address hidden> Wed, 13 Jun 2012 09:06:51 -0500

Changed in squid3 (Ubuntu):
status: In Progress → Fix Released
Changed in squid3 (Debian):
status: New → Fix Released