[Bug 1560429] Re: squid3: segfault when ftp passive mode is not available

Andreas Hasenack andreas at canonical.com
Thu Aug 3 13:35:53 UTC 2017


** Description changed:

  [Impact]
  
  Users who use squid as an FTP proxy and access sites that block ftp PASV
  mode will trigger a squid segfault. That means a brief service
  interruption, as upstart/systemd will restart it.
  
  Since this is a crash, the backport seems justified. But there is an
  effective workaround, see below.
  
  Upstream committed a fix, the same fix we are introducing here, which
  essentially adds a lot of NULL checks but at the same time disables the
  fallback ftp command EPRT should passive mode fail. Upstream states that
  this command doesn't work properly in squid yet.
  
  This is also the recommended workaround: disable EPRT by setting the
  following in /etc/squid/squid.conf and restarting the service:
  
  ftp_eprt off
  
  [Test Case]
  
  - setup a xenial machine/lxd with proftpd configured like this
  (/etc/proftpd/proftpd.conf):
  
  http://pastebin.ubuntu.com/25039718/
+ 
+ - restart proftpd: sudo service proftpd restart
  
  Alternatively, setup any anonymout ftp server to your liking with
  passive mode disabled/forbidden.
  
  - Create a simple file under the anonymous area, for the ftp client to fetch later on:
  echo hello | sudo tee /srv/ftp/readme.txt
  
  - install the squid proxy under test in another machine/lxd.
  
  - configure /etc/squid/squid.conf like this:
  http://pastebin.ubuntu.com/25039736/
  
  - in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
  - access the ftp server via the squid proxy:
  
  $ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-
  proftpd.lxd/readme.txt -O /dev/null  -t1
  
  (replace the URLs with whatever you need to reach the squid server under
  test, and the ftp server you setup)
  
  In the case of a vulnerable squid server you will get:
  a) wget gives up:
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 11:58:16--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... No data received.
  Giving up.
  
  b) /var/log/squid/cache.log shows a squid restart with a new PID:
  2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
  2017/07/07 14:58:19 kid1| Service Name: squid
  2017/07/07 14:58:19 kid1| Process ID 1638
  
  c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
  xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
  
  In the case of the fixed squid server, you will get:
  a) wget gets a 502 error instead of "no data":
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 12:04:14--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... 502 Bad Gateway
  2017-07-07 12:04:14 ERROR 502: Bad Gateway.
  
  b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
  1499439854.710     18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
  
  [Regression Potential]
  You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
  
  There are many more fixes in the 3.5 branch that are not being applied
  here, related to other problems. Debian upted to upgrade to 3.5.23 in
  their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
  
  One could argue that updating to that version is "safer" than cherry
  picking a patch from their code tree.
  
- 
  [Other Info]
  I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts.
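Review bot: the added "restart proftpd" step has no counterpart on the squid side. The test case goes from "configure /etc/squid/squid.conf like this" straight to "access the ftp server via the squid proxy", so the edited squid.conf may not be in effect when wget runs. Suggest adding "- restart squid: sudo service squid restart" before the wget step.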

** Description changed:

  [Impact]
  
  Users who use squid as an FTP proxy and access sites that block ftp PASV
  mode will trigger a squid segfault. That means a brief service
  interruption, as upstart/systemd will restart it.
  
  Since this is a crash, the backport seems justified. But there is an
  effective workaround, see below.
  
  Upstream committed a fix, the same fix we are introducing here, which
  essentially adds a lot of NULL checks but at the same time disables the
  fallback ftp command EPRT should passive mode fail. Upstream states that
  this command doesn't work properly in squid yet.
  
  This is also the recommended workaround: disable EPRT by setting the
  following in /etc/squid/squid.conf and restarting the service:
  
  ftp_eprt off
  
  [Test Case]
  
  - setup a xenial machine/lxd with proftpd configured like this
  (/etc/proftpd/proftpd.conf):
  
  http://pastebin.ubuntu.com/25039718/
  
  - restart proftpd: sudo service proftpd restart
  
  Alternatively, setup any anonymout ftp server to your liking with
  passive mode disabled/forbidden.
  
  - Create a simple file under the anonymous area, for the ftp client to fetch later on:
  echo hello | sudo tee /srv/ftp/readme.txt
  
  - install the squid proxy under test in another machine/lxd.
  
  - configure /etc/squid/squid.conf like this:
  http://pastebin.ubuntu.com/25039736/
  
- - in the above, adjust localnet to your network, or replace the line "http_access allow localnet" with "http_access allow all" to accept everything
+ - in the above, adjust localnet to your network, or replace the line
+ "http_access allow localnet" with "http_access allow all" to accept
+ everything
+ 
+ - restart squid: sudo service squid restart
+ 
  - access the ftp server via the squid proxy:
  
  $ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-
  proftpd.lxd/readme.txt -O /dev/null  -t1
  
  (replace the URLs with whatever you need to reach the squid server under
  test, and the ftp server you setup)
  
  In the case of a vulnerable squid server you will get:
  a) wget gives up:
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 11:58:16--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... No data received.
  Giving up.
  
  b) /var/log/squid/cache.log shows a squid restart with a new PID:
  2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
  2017/07/07 14:58:19 kid1| Service Name: squid
  2017/07/07 14:58:19 kid1| Process ID 1638
  
  c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
  xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
  
  In the case of the fixed squid server, you will get:
  a) wget gets a 502 error instead of "no data":
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 12:04:14--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... 502 Bad Gateway
  2017-07-07 12:04:14 ERROR 502: Bad Gateway.
  
  b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
  1499439854.710     18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
  
  [Regression Potential]
  You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
  
  There are many more fixes in the 3.5 branch that are not being applied
  here, related to other problems. Debian upted to upgrade to 3.5.23 in
  their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
  
  One could argue that updating to that version is "safer" than cherry
  picking a patch from their code tree.
  
  [Other Info]
  I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts.
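Review bot: the rewrapped step still offers "http_access allow all" as an alternative to adjusting localnet, which leaves the test proxy accepting requests from any address that can reach port 3128. Suggest stating that this alternative is only for an isolated test machine/lxd, or dropping it and keeping just the localnet adjustment.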

** Description changed:

  [Impact]
  
  Users who use squid as an FTP proxy and access sites that block ftp PASV
  mode will trigger a squid segfault. That means a brief service
  interruption, as upstart/systemd will restart it.
  
  Since this is a crash, the backport seems justified. But there is an
  effective workaround, see below.
  
  Upstream committed a fix, the same fix we are introducing here, which
  essentially adds a lot of NULL checks but at the same time disables the
  fallback ftp command EPRT should passive mode fail. Upstream states that
  this command doesn't work properly in squid yet.
  
  This is also the recommended workaround: disable EPRT by setting the
  following in /etc/squid/squid.conf and restarting the service:
  
  ftp_eprt off
  
  [Test Case]
  
  - setup a xenial machine/lxd with proftpd configured like this
  (/etc/proftpd/proftpd.conf):
  
  http://pastebin.ubuntu.com/25039718/
  
  - restart proftpd: sudo service proftpd restart
  
  Alternatively, setup any anonymout ftp server to your liking with
  passive mode disabled/forbidden.
  
  - Create a simple file under the anonymous area, for the ftp client to fetch later on:
  echo hello | sudo tee /srv/ftp/readme.txt
  
  - install the squid proxy under test in another machine/lxd.
  
  - configure /etc/squid/squid.conf like this:
- http://pastebin.ubuntu.com/25039736/
+ http://pastebin.ubuntu.com/25233360/
  
  - in the above, adjust localnet to your network, or replace the line
  "http_access allow localnet" with "http_access allow all" to accept
  everything
  
  - restart squid: sudo service squid restart
  
  - access the ftp server via the squid proxy:
  
  $ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-
  proftpd.lxd/readme.txt -O /dev/null  -t1
  
  (replace the URLs with whatever you need to reach the squid server under
  test, and the ftp server you setup)
  
  In the case of a vulnerable squid server you will get:
  a) wget gives up:
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 11:58:16--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... No data received.
  Giving up.
  
  b) /var/log/squid/cache.log shows a squid restart with a new PID:
  2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
  2017/07/07 14:58:19 kid1| Service Name: squid
  2017/07/07 14:58:19 kid1| Process ID 1638
  
  c) proftpd /var/log/proftpd/extended.log will show the passive ftp attempts being forbidden with a 501 error:
  xenial-squid-passive.lxd UNKNOWN - [07/Jul/2017:14:58:16 +0000] "USER anonymous" 331 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASS (hidden)" 230 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "TYPE A" 200 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
  xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
  
  In the case of the fixed squid server, you will get:
  a) wget gets a 502 error instead of "no data":
  andreas at nsn7:~$ ftp_proxy=http://xenial-squid-passive.lxd:3128/ wget ftp://xenial-proftpd.lxd/readme.txt -O /dev/null  -t1
  --2017-07-07 12:04:14--  ftp://xenial-proftpd.lxd/readme.txt
  Resolving xenial-squid-passive.lxd (xenial-squid-passive.lxd)... 10.0.100.151
  Connecting to xenial-squid-passive.lxd (xenial-squid-passive.lxd)|10.0.100.151|:3128... connected.
  Proxy request sent, awaiting response... 502 Bad Gateway
  2017-07-07 12:04:14 ERROR 502: Bad Gateway.
  
  b) /var/log/squid/cache.log doesn't "blip", and access.log just logs the 502:
  1499439854.710     18 10.0.100.1 TCP_MISS/502 4324 GET ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html
  
  [Regression Potential]
  You won't be able to use squid to access FTP sites that block passive mode transfers. But that was the case already, except it was the segfault that was preventing this from working, and not an error message.
  
  There are many more fixes in the 3.5 branch that are not being applied
  here, related to other problems. Debian upted to upgrade to 3.5.23 in
  their bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793473
  
  One could argue that updating to that version is "safer" than cherry
  picking a patch from their code tree.
  
  [Other Info]
  I don't have a patch for trusty, which is on an older version of squid (3.3.8-1ubuntu6.9). The code changed a lot and it's not just a matter of fixing conflicts.
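Review bot: the squid.conf link changes from pastebin 25039736 to 25233360 without the description saying what differs between the two, and the test case still depends entirely on external pastes for both the proftpd and the squid configuration. Suggest naming the changed setting in the description and inlining the few directives the reproduction needs, so the test case stays usable if the pastes disappear.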

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1560429

Title:
   squid3: segfault when ftp passive mode is not available
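
The vulnerable and fixed outcomes in the test case can be told apart from the logs alone. The following Python is an added example, not part of the bug report or of squid: it uses the log lines quoted in the description as sample input, and it assumes that cache.log timestamps are UTC and that a 30-second correlation window is appropriate.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: log lines quoted in the bug description's test case.
PROFTPD_LOG = '''\
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "MDTM readme.txt" 213 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "EPSV 1" 501 -
xenial-squid-passive.lxd UNKNOWN ftp [07/Jul/2017:14:58:16 +0000] "PASV" 501 -
'''.splitlines()
CACHE_LOG = '''\
2017/07/07 14:58:19 kid1| Starting Squid Cache version 3.5.12 for x86_64-pc-linux-gnu...
2017/07/07 14:58:19 kid1| Service Name: squid
2017/07/07 14:58:19 kid1| Process ID 1638
'''.splitlines()
ACCESS_LOG = [
    "1499439854.710     18 10.0.100.1 TCP_MISS/502 4324 GET "
    "ftp://xenial-proftpd.lxd/readme.txt - HIER_DIRECT/10.0.100.134 text/html",
]

FTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(EPSV|PASV)[^"]*" 501 ')
START_RE = re.compile(r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| Starting Squid Cache')
ACCESS_RE = re.compile(r'^\d+\.\d+\s+\d+ \S+ \S+/502 \d+ \S+ (ftp://\S+)')

def passive_refusals(lines):
    """(time, client, command) for each EPSV/PASV the FTP server answered with 501."""
    out = []
    for line in lines:
        m = FTP_RE.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            out.append((when, m.group(1), m.group(3)))
    return out

def squid_starts(lines):
    """Start-up banner times from cache.log (assumption: logged in UTC)."""
    return [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for m in map(START_RE.match, lines) if m]

def crash_restarts(refusals, starts, window=timedelta(seconds=30)):
    """Squid starts that follow a passive-mode refusal within `window` (crash signature)."""
    return [s for s in starts
            if any(timedelta(0) <= s - t <= window for t, _, _ in refusals)]

def handled_failures(lines):
    """FTP URLs that squid answered with 502, the behaviour of the fixed package."""
    return [m.group(1) for m in map(ACCESS_RE.match, lines) if m]
```

A non-empty `crash_restarts` result matches the vulnerable case (b and c above); `handled_failures` entries with no matching restart match the fixed case.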
