Re: Thoughts on CVE-2020-15049/squid3?
On Fri, Sep 25, 2020 at 10:04:59PM +0200, Markus Koschany wrote:
> Hello Roberto,
> Am 25.09.20 um 21:25 schrieb Roberto C. Sánchez:
> > Hello fellow LTS people,
> > I am working on an update for the squid3 package. At this time there
> > are 4 open CVEs, of which 3 have patches that apply with little or no
> > change required. However, the patch for CVE-2020-15049 does not apply
> > at all.
> You should have been aware that I have prepared the last update of
> squid3. I have just noticed that the NOTE on the squid entry in
> dla-needed.txt was removed but the last status was that the package
> simply needs more testing. Hence I didn't bother to readd myself but the
> NOTE was self-explaining (in ELTS and LTS).
Hmm. The note removal is unfortunate :-/
> > Based on the above findings, I am inclined to triage CVE-2020-15049 as
> > <ignored>:
> The patch for CVE-2020-15049 cannot be backported as is. The code that
> was added in the meantime must be taken into consideration as well.
> > [stretch] - squid3 <ignored> (complete fix is too invasive to backport)
> > There appears to be precedent for taking this approach when a fix is far
> > too invasive and where there does not appear to be an alternate approach
> > to address the vulnerability.
> > Unless there are any serious objections in the next few days I will
> > proceed with uploading the update I have prepared and will update the
> > security tracker entry as I have described. (Note: the same applies
> > both for the package in stretch LTS and in jessie ELTS.)
> It is not possible to "fix" the remaining CVE if you ignore
> CVE-2020-15049. The real fix was to backport the new header parsing code
> which includes additional improvements, some of them could be considered
> bug fixes for CVE, but upstream did not request identifiers for them.
The backport seemed to me like it would require too much additional code
change to be feasible without a great deal of additional risk.
> Even if you addressed only the reported CVE, the fix would be incomplete
> because of the missing sanity checks that were additionally added in the
That is consistent with what I concluded.
So, what is the best way to proceed? I presume based on your above
comment that you have already prepared the packages for upload. Are
those the same packages you referenced in your RFT message on 1st July?
(I had to go hunting through the archive to locate the reference.)
Should I review the backported code? The time I have spent digging
through the Git history should be beneficial in such a review.
Roberto C. Sánchez