File nonce-replay.patch of Package squid.15550
Fix Nonce replay vulnerability in Digest authentication
fixed in version 3.5.2 (CVE-2014-9749, bsc#949942)
=== modified file 'src/auth/digest/Config.cc'
Index: src/auth/digest/Config.cc
===================================================================
--- src/auth/digest/Config.cc.orig
+++ src/auth/digest/Config.cc
@@ -1058,6 +1058,10 @@ Auth::Digest::Config::decode(char const
* the user agent won't change user name without warning.
*/
authDigestUserLinkNonce(digest_user, nonce);
+
+ /* auth_user is now linked, we reset these values
+ * after external auth occurs anyway */
+ auth_user->expiretime = current_time.tv_sec;
} else {
debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'");
digest_user = static_cast<Auth::Digest::User *>(auth_user.getRaw());
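Review bot: The comment added above the new `auth_user->expiretime = current_time.tv_sec;` line still reads "we reset these values after external auth occurs anyway", which described its previous position after the password check in UserRequest.cc (the lines the second hunk removes); here in decode() the credentials have not been validated yet, so the comment no longer says why expiretime is stamped at this point. Judging from the findUserInCache hunk, the intent seems to be that a freshly linked user passes the new `expiretime + ::Config.authenticateTTL > current_time.tv_sec` lookup test, so I would replace the comment with `/* stamp creation time: findUserInCache() now ignores cache entries older than authenticateTTL, so a new user must start with a fresh expiretime */`. It is worth confirming that every other path that inserts a user into the cache also initialises expiretime, since an entry left at its default would now be skipped by the lookup while still occupying the cache. decode() begins before this hunk.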
Index: src/auth/digest/UserRequest.cc
===================================================================
--- src/auth/digest/UserRequest.cc.orig
+++ src/auth/digest/UserRequest.cc
@@ -188,10 +188,6 @@ Auth::Digest::UserRequest::authenticate(
/* password was checked and did match */
debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK");
-
- /* auth_user is now linked, we reset these values
- * after external auth occurs anyway */
- auth_user->expiretime = current_time.tv_sec;
return;
}
Index: src/auth/Config.cc
===================================================================
--- src/auth/Config.cc.orig
+++ src/auth/Config.cc
@@ -18,6 +18,7 @@
#include "format/Format.h"
#include "globals.h"
#include "Store.h"
+#include "SquidConfig.h"
#include "wordlist.h"
Auth::ConfigVector Auth::TheConfig;
@@ -166,7 +167,8 @@ Auth::Config::findUserInCache(const char
if (nameKey && (usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, nameKey)))) {
while (usernamehash) {
if ((usernamehash->user()->auth_type == authType) &&
- !strcmp(nameKey, (char const *)usernamehash->key))
+ !strcmp(nameKey, (char const *)usernamehash->key) &&
+ usernamehash->user()->expiretime + ::Config.authenticateTTL > current_time.tv_sec)
return usernamehash->user();
usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);