Ubuntu
squid3 package

Merge ~ahasenack/ubuntu/+source/squid3:xenial-squid-passive-ftp-1560429 into ~usd-import-team/ubuntu/+source/squid3:ubuntu/xenial-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/squid3
  3. xenial-squid-passive-ftp-1560429
  4. Merge into ubuntu/xenial-devel
Proposed by Andreas Hasenack on 2017-07-05
Status: Merged
Approved by: Robie Basak on 2017-07-25
Approved revision: f66bf4198f40ddf05aa7874caa48e3edeb134cb7
Merged at revision: 40ee214ebd67caf868164f8ad1c2c3ce78d4850f
Proposed branch: ~ahasenack/ubuntu/+source/squid3:xenial-squid-passive-ftp-1560429
Merge into: ~usd-import-team/ubuntu/+source/squid3:ubuntu/xenial-devel
Diff against target: 216 lines (+194/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/passive-ftp-segfault-1560429.patch (+185/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Robie Basak 2017-07-05 Approve on 2017-07-25
ChristianEhrhardt Approve on 2017-07-07
Review via email: mp+326860@code.launchpad.net

Description of the Change

d/p/passive-ftp-segfault-1560429.patch: patch to avoid a segfault when proxying to an ftp server which does not allow passive mode (LP: #1560429)

To post a comment you must log in.
ChristianEhrhardt (paelzer) wrote :

reviewed - changes LGTM in general.

I don't like that the nil check fix and the detection of a closed connection are in one change. But that is how upstream did it so I agree to stick with that.

Please do note that the change is meant for SRU but the bug has no SRU template yet.
That would block a potential usdi-merge/sponsoring - so add that now if you can.

review: Approve
Robie Basak (racb) wrote :

Looks good! Nice and clear changelog entry, and the dep3 headers contain all the needed information.

A couple of very minor suggestions on the quilt patch:

1. I recommend configuring quilt with "-p ab --no-timestamps --no-index". See https://wiki.debian.org/UsingQuilt. This removes diff noise in future quilt refreshes.

2. Technically the header should be "Origin: backport, ..." as you made changes to the upstream patch to make it fit, as you noted in the description. That also makes you an Author, so you can add a couple of Author lines (one for the upstream author, and one for you) if you wish.

I pushed these suggestions to https://code.launchpad.net/~racb/ubuntu/+source/squid3/+git/squid3/+ref/xenial-squid-passive-ftp-1560429

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, good suggestions. Please tag/upload your branch

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 1d42208..b873856 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+squid3 (3.5.12-1ubuntu7.4) xenial; urgency=medium
7+
8+ * debian/patches/passive-ftp-segfault-1560429.patch: Fix for segfault
9+ when ftp passive mode is not available. Closes: #793473, LP:
10+ #1560429.
11+
12+ -- Andreas Hasenack <andreas@canonical.com> Fri, 07 Jul 2017 09:39:40 -0300
13+
14 squid3 (3.5.12-1ubuntu7.3) xenial-security; urgency=medium
15
16 * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
17diff --git a/debian/patches/passive-ftp-segfault-1560429.patch b/debian/patches/passive-ftp-segfault-1560429.patch
18new file mode 100644
19index 0000000..b29ddec
20--- /dev/null
21+++ b/debian/patches/passive-ftp-segfault-1560429.patch
22@@ -0,0 +1,185 @@
23+Description: Fix for segfault when ftp passive mode is not available
24+ If the remote FTP server does not support EPSV/PASV commands or for a reason
25+ respond with error on these commands then squid will try to use EPRT/PORT and
26+ may crash because these are not fully implemented.
27+ .
28+ Patch was backported from upstream's 3.5 branch, r14115, as it required a
29+ small conflict resolution to a hunk in FtpGateway.cc.
30+ .
31+ Upstream commit message:
32+ Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply
33+ .
34+ Added nil dereference checks for Ftp::Client::ctrl.conn, including:
35+ - Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference
36+ ctrl.conn in DBG_IMPORTANT messages.
37+ - Many functions inside FtpClient.cc and FtpGateway.cc files.
38+ .
39+ TODO: We need to find a better way to handle nil ctrl.conn. It is only
40+ a matter of time when we forget to add another dereference check or
41+ discover a place we missed during this change.
42+ .
43+ Also disabled forwarding of EPRT and PORT commands to origin servers.
44+ Squid support for those commands is broken and their forwarding may
45+ cause segfaults (bug #4004). Active FTP is still supported, of course.
46+Origin: upstream, http://bazaar.launchpad.net/~squid/squid/3.5/revision/14115
47+Bug: http://bugs.squid-cache.org/show_bug.cgi?id=4004
48+Bug-Debian: https://bugs.debian.org/793473
49+Bug-Ubuntu: https://launchpad.net/bugs/1560429
50+Last-Update: 2017-07-04
51+
52+--- squid3-3.5.12.orig/src/clients/FtpClient.cc
53++++ squid3-3.5.12/src/clients/FtpClient.cc
54+@@ -437,6 +437,11 @@ Ftp::Client::handlePasvReply(Ip::Address
55+ char *buf;
56+ debugs(9, 3, status());
57+
58++ if (!Comm::IsConnOpen(ctrl.conn)) {
59++ debugs(9, 5, "The control connection to the remote end is closed");
60++ return false;
61++ }
62++
63+ if (code != 227) {
64+ debugs(9, 2, "PASV not supported by remote end");
65+ return false;
66+@@ -468,6 +473,11 @@ Ftp::Client::handleEpsvReply(Ip::Address
67+ char *buf;
68+ debugs(9, 3, status());
69+
70++ if (!Comm::IsConnOpen(ctrl.conn)) {
71++ debugs(9, 5, "The control connection to the remote end is closed");
72++ return false;
73++ }
74++
75+ if (code != 229 && code != 522) {
76+ if (code == 200) {
77+ /* handle broken servers (RFC 2428 says OK code for EPSV MUST be 229 not 200) */
78+@@ -728,6 +738,11 @@ Ftp::Client::sendPassive()
79+ void
80+ Ftp::Client::connectDataChannel()
81+ {
82++ if (!Comm::IsConnOpen(ctrl.conn)) {
83++ debugs(9, 5, "The control connection to the remote end is closed");
84++ return;
85++ }
86++
87+ safe_free(ctrl.last_command);
88+
89+ safe_free(ctrl.last_reply);
90+--- squid3-3.5.12.orig/src/clients/FtpGateway.cc
91++++ squid3-3.5.12/src/clients/FtpGateway.cc
92+@@ -212,7 +212,9 @@ static FTPSM ftpSendMdtm;
93+ static FTPSM ftpReadMdtm;
94+ static FTPSM ftpSendSize;
95+ static FTPSM ftpReadSize;
96++#if 0
97+ static FTPSM ftpSendEPRT;
98++#endif
99+ static FTPSM ftpReadEPRT;
100+ static FTPSM ftpSendPORT;
101+ static FTPSM ftpReadPORT;
102+@@ -450,6 +452,11 @@ Ftp::Gateway::loginParser(const char *lo
103+ void
104+ Ftp::Gateway::listenForDataChannel(const Comm::ConnectionPointer &conn)
105+ {
106++ if (!Comm::IsConnOpen(ctrl.conn)) {
107++ debugs(9, 5, "The control connection to the remote end is closed");
108++ return;
109++ }
110++
111+ assert(!Comm::IsConnOpen(data.conn));
112+
113+ typedef CommCbMemFunT<Gateway, CommAcceptCbParams> AcceptDialer;
114+@@ -1183,7 +1190,7 @@ Ftp::Gateway::start()
115+
116+ checkUrlpath();
117+ buildTitleUrl();
118+- debugs(9, 5, HERE << "FD " << ctrl.conn->fd << " : host=" << request->GetHost() <<
119++ debugs(9, 5, "FD " << (ctrl.conn != NULL ? ctrl.conn->fd : -1) << " : host=" << request->GetHost() <<
120+ ", path=" << request->urlpath << ", user=" << user << ", passwd=" << password);
121+ state = BEGIN;
122+ Ftp::Client::start();
123+@@ -1750,7 +1757,9 @@ ftpReadPasv(Ftp::Gateway * ftpState)
124+ if (ftpState->handlePasvReply(srvAddr))
125+ ftpState->connectDataChannel();
126+ else {
127+- ftpSendEPRT(ftpState);
128++ ftpFail(ftpState);
129++ // Currently disabled, does not work correctly:
130++ // ftpSendEPRT(ftpState);
131+ return;
132+ }
133+ }
134+@@ -1790,6 +1799,11 @@ ftpOpenListenSocket(Ftp::Gateway * ftpSt
135+ }
136+ safe_free(ftpState->data.host);
137+
138++ if (!Comm::IsConnOpen(ftpState->ctrl.conn)) {
139++ debugs(9, 5, "The control connection to the remote end is closed");
140++ return;
141++ }
142++
143+ /*
144+ * Set up a listen socket on the same local address as the
145+ * control connection.
146+@@ -1875,9 +1889,14 @@ ftpReadPORT(Ftp::Gateway * ftpState)
147+ ftpRestOrList(ftpState);
148+ }
149+
150++#if 0
151+ static void
152+ ftpSendEPRT(Ftp::Gateway * ftpState)
153+ {
154++ /* check the server control channel is still available */
155++ if (!ftpState || !ftpState->haveControlChannel("ftpSendEPRT"))
156++ return;
157++
158+ if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) {
159+ debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPSV ALL' has been sent.");
160+ return;
161+@@ -1913,6 +1932,7 @@ ftpSendEPRT(Ftp::Gateway * ftpState)
162+ ftpState->writeCommand(cbuf);
163+ ftpState->state = Ftp::Client::SENT_EPRT;
164+ }
165++#endif
166+
167+ static void
168+ ftpReadEPRT(Ftp::Gateway * ftpState)
169+@@ -1939,10 +1959,8 @@ Ftp::Gateway::ftpAcceptDataConnection(co
170+ {
171+ debugs(9, 3, HERE);
172+
173+- if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
174+- abortTransaction("entry aborted when accepting data conn");
175+- data.listenConn->close();
176+- data.listenConn = NULL;
177++ if (!Comm::IsConnOpen(ctrl.conn)) { /*Close handlers will cleanup*/
178++ debugs(9, 5, "The control connection to the remote end is closed");
179+ return;
180+ }
181+
182+@@ -1955,6 +1973,14 @@ Ftp::Gateway::ftpAcceptDataConnection(co
183+ return;
184+ }
185+
186++ if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
187++ abortTransaction("entry aborted when accepting data conn");
188++ data.listenConn->close();
189++ data.listenConn = NULL;
190++ io.conn->close();
191++ return;
192++ }
193++
194+ /* data listening conn is no longer even open. abort. */
195+ if (!Comm::IsConnOpen(data.listenConn)) {
196+ data.listenConn = NULL; // ensure that it's cleared and not just closed.
197+@@ -2705,8 +2731,8 @@ void
198+ Ftp::Gateway::completeForwarding()
199+ {
200+ if (fwd == NULL || flags.completed_forwarding) {
201+- debugs(9, 3, HERE << "completeForwarding avoids " <<
202+- "double-complete on FD " << ctrl.conn->fd << ", Data FD " << data.conn->fd <<
203++ debugs(9, 3, "avoid double-complete on FD " <<
204++ (ctrl.conn != NULL ? ctrl.conn->fd : -1) << ", Data FD " << data.conn->fd <<
205+ ", this " << this << ", fwd " << fwd);
206+ return;
207+ }
208diff --git a/debian/patches/series b/debian/patches/series
209index 36c0a12..cb76767 100644
210--- a/debian/patches/series
211+++ b/debian/patches/series
212@@ -10,3 +10,4 @@ CVE-2016-4554.patch
213 CVE-2016-4555.patch
214 CVE-2016-10002.patch
215 CVE-2016-10003.patch
216+passive-ftp-segfault-1560429.patch

Subscribers

People subscribed via source and target branches