← Back to branch summary

~ubuntu-branches/ubuntu/intrepid/squid/intrepid-security

« back to all changes in this revision

Viewing changes to debian/patches/08-CVE-2009-2855.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2010-02-12 13:02:19 UTC
  • Revision ID: james.westby@ubuntu.com-20100212130219-2cl78pma7lf1h2nm
Tags: 2.7.STABLE3-1ubuntu2.2
* SECURITY UPDATE: denial of service via crafted auth header
  - debian/patches/08-CVE-2009-2855.dpatch: correctly parse delimiters in
    src/HttpHeaderTools.c.
  - CVE-2009-2855
* SECURITY UPDATE: denial of service via crafted DNS packet
  - debian/patches/09-CVE-2010-0308.dpatch: don't abort on error in
    lib/rfc1035.c.
  - CVE-2010-0308

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/08-CVE-2009-2855.dpatch
 
1
#! /bin/sh /usr/share/dpatch/dpatch-run
 
2
# Description: fix denial of service via crafted auth header
 
3
# Origin: upstream, http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/src/HttpHeaderTools.c.diff?r1=1.37.2.3&r2=1.37.2.4
 
4
# Bug: http://bugs.squid-cache.org/show_bug.cgi?id=2541
 
5
# Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
 
6
 
 
7
@DPATCH@
 
8
diff -urNad squid-2.7.STABLE3~/src/HttpHeaderTools.c squid-2.7.STABLE3/src/HttpHeaderTools.c
 
9
--- squid-2.7.STABLE3~/src/HttpHeaderTools.c    2008-04-01 21:00:11.000000000 -0400
 
10
+++ squid-2.7.STABLE3/src/HttpHeaderTools.c     2010-02-12 13:01:59.000000000 -0500
 
11
@@ -239,6 +239,10 @@
 
12
 strListGetItem(const String * str, char del, const char **item, int *ilen, const char **pos)
 
13
 {
 
14
     size_t len;
 
15
+    /* ',' is always enabled as field delimiter as this is required for
 
16
+     * processing merged header values properly, even if Cookie normally
 
17
+     * uses ';' as delimiter.
 
18
+     */
 
19
     static char delim[3][8] =
 
20
     {
 
21
        "\"?,",
 
22
@@ -261,16 +265,15 @@
 
23
     /* find next delimiter */
 
24
     do {
 
25
        *pos += strcspn(*pos, delim[quoted]);
 
26
-       if (**pos == del)
 
27
-           break;
 
28
        if (**pos == '"') {
 
29
            quoted = !quoted;
 
30
            *pos += 1;
 
31
-       }
 
32
-       if (quoted && **pos == '\\') {
 
33
+       } else if (quoted && **pos == '\\') {
 
34
            *pos += 1;
 
35
            if (**pos)
 
36
                *pos += 1;
 
37
+       } else {
 
38
+           break;              /* Delimiter found, marking the end of this value */
 
39
        }
 
40
     } while (**pos);
 
41
     len = *pos - *item;                /* *pos points to del or '\0' */