[Buildroot] [PATCH] package/squid: add patch for CVE-2025-59362

Arnout Vandecappelle arnout at rnout.be
Wed Oct 22 16:43:19 UTC 2025


In reply to:
> Fixes the following vulnerability:
> 
> - CVE-2025-59362
> 
>     Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. This
>     occurs in asn_build_objid in lib/snmplib/asn1.c.
> 
> For more information, see:
> 
> - https://nvd.nist.gov/vuln/detail/CVE-2025-59362
> - https://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0
> 
> Signed-off-by: Thomas Perale <thomas.perale at mind.be>

Applied to 2025.02.x and 2025.08.x. Thanks

> ---
>  ...Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch | 52 +++++++++++++++++++
>  package/squid/squid.mk                        |  4 ++
>  2 files changed, 56 insertions(+)
>  create mode 100644 package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
> 
> diff --git a/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch b/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
> new file mode 100644
> index 0000000000..695ba0255e
> --- /dev/null
> +++ b/package/squid/0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
> @@ -0,0 +1,52 @@
> +From 0d89165ee6da10e6fa50c44998b3cd16d59400e9 Mon Sep 17 00:00:00 2001
> +From: Alex Rousskov <rousskov at measurement-factory.com>
> +Date: Sat, 30 Aug 2025 06:49:36 +0000
> +Subject: [PATCH] Fix ASN.1 encoding of long SNMP OIDs (#2149)
> +
> +Upstream: https://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0
> +CVE: CVE-2025-59362
> +Signed-off-by: Thomas Perale <thomas.perale at mind.be>
> +---
> + lib/snmplib/asn1.c | 13 +++++++++++++
> + 1 file changed, 13 insertions(+)
> +
> +diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
> +index 81f2051fbe7..2852c26b220 100644
> +--- a/lib/snmplib/asn1.c
> ++++ b/lib/snmplib/asn1.c
> +@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
> +      * lastbyte ::= 0 7bitvalue
> +      */
> +     u_char buf[MAX_OID_LEN];
> ++    u_char *bufEnd = buf + sizeof(buf);
> +     u_char *bp = buf;
> +     oid *op = objid;
> +     int asnlength;
> +@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
> +     while (objidlength-- > 0) {
> +         subid = *op++;
> +         if (subid < 127) {  /* off by one? */
> ++            if (bp >= bufEnd) {
> ++                snmp_set_api_error(SNMPERR_ASN_ENCODE);
> ++                return (NULL);
> ++            }
> +             *bp++ = subid;
> +         } else {
> +             mask = 0x7F;    /* handle subid == 0 case */
> +@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
> +                 /* fix a mask that got truncated above */
> +                 if (mask == 0x1E00000)
> +                     mask = 0xFE00000;
> ++                if (bp >= bufEnd) {
> ++                    snmp_set_api_error(SNMPERR_ASN_ENCODE);
> ++                    return (NULL);
> ++                }
> +                 *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
> +             }
> ++            if (bp >= bufEnd) {
> ++                snmp_set_api_error(SNMPERR_ASN_ENCODE);
> ++                return (NULL);
> ++            }
> +             *bp++ = (u_char) (subid & mask);
> +         }
> +     }
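Review bot: The new `bufEnd` guards stop the write past `buf`, but `buf` is still declared as `u_char buf[MAX_OID_LEN]`, which sizes the scratch area in sub-identifiers while the loop stores the base-128 encoding of each one (one byte per 7 bits, so up to five bytes for a 32-bit `oid`), so an OID that is within MAX_OID_LEN arcs but has large arc values will now fail with SNMPERR_ASN_ENCODE instead of encoding. If MAX_OID_LEN is the arc-count limit (its definition is not in the hunk, so this is inferred), size the buffer for the worst-case encoding, e.g. `u_char buf[MAX_OID_LEN * ((sizeof(oid) * 8 + 6) / 7)]; /* worst-case base-128 bytes per arc */`, and keep the guards as the backstop. The three identical `bp >= bufEnd` checks could also be folded into one small helper or macro to keep the encode loop readable. asn_build_objid continues past the hunk; whether the final copy of `buf` into `data` is bounded by `*datalength` is not visible here.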
> diff --git a/package/squid/squid.mk b/package/squid/squid.mk
> index b021170d9b..d445f005b7 100644
> --- a/package/squid/squid.mk
> +++ b/package/squid/squid.mk
> @@ -11,6 +11,10 @@ SQUID_LICENSE = GPL-2.0+
>  SQUID_LICENSE_FILES = COPYING
>  SQUID_CPE_ID_VENDOR = squid-cache
>  SQUID_SELINUX_MODULES = apache squid
> +
> +# 0001-Fix-ASN-1-encoding-of-long-SNMP-OIDs.patch
> +SQUID_IGNORE_CVES += CVE-2025-59362
> +
>  SQUID_DEPENDENCIES = libcap host-libcap libtool libxml2 host-pkgconf \
>  	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
>  SQUID_CONF_ENV = \
> -- 
> 2.51.0
> 

