Bug 1216715

Summary: VUL-0: squid: Chunked Encoding Stack Overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, andrea.mattiazzo, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/383469/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Base64 encoded reproducer

Description Alexander Bergmann 2023-10-30 16:12:29 UTC 
Created attachment 870520 [details]
Base64 encoded reproducer

Details can be found here:

https://megamansec.github.io/Squid-Security-Audit/chunked-stackoverflow.html

The reproducer is working and was tested with SLE-15-SP5:

you need 3 systems: 
- squid (192.168.0.1)
- http server (192.168.0.2)
- lynx client (192.168.0.3)

1. Install and start squid on a dedicated system. Default config is fine.

2. Have a second system ready that acts as a HTTP server with the following
   command and payload. (needs to be restarted after every request)

   # base64 -d PoC_Chunked_Encoding.base64 | nc -l 192.168.0.2 80

3. On the squid server run a strace command on the (squid-1) command.

   # strace -f -p <squid-1 PID>

4. Run lynx with a http_proxy configured.

   http_proxy:http://192.168.0.1:3128

   # lynx http://192.168.0.2

Now you should see that the (squid-1) process got killed.

--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7ffdb074bf48} ---                                                                                                                                                                
+++ killed by SIGSEGV (core dumped) +++
Comment 1 Alexander Bergmann 2023-10-31 08:24:58 UTC 
The interruption of the (squid-1) process is not stopping the whole squid service. The process gets re-spawned directly after the core dump.
Comment 2 Adam Majer 2024-03-06 12:19:15 UTC 
Looks like this is,

https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc

with CVE-2024-25111
Comment 4 OBSbugzilla Bot 2024-03-06 15:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216715) was mentioned in
https://build.opensuse.org/request/show/1155563 Factory / squid
Comment 5 Andrea Mattiazzo 2024-03-08 08:58:38 UTC 
*** Bug 1221139 has been marked as a duplicate of this bug. ***
Comment 9 Maintenance Automation 2024-04-04 16:30:12 UTC 
SUSE-SU-2024:1115-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33028](https://smelt.suse.de/incident/33028/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 squid-4.17-4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-04 16:30:14 UTC 
SUSE-SU-2024:1114-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33029](https://smelt.suse.de/incident/33029/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Enterprise Storage 7.1 (src):
 squid-4.17-150000.5.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-04 16:30:16 UTC 
SUSE-SU-2024:1113-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33030](https://smelt.suse.de/incident/33030/)
Sources used:
openSUSE Leap 15.4 (src):
 squid-5.7-150400.3.26.1
openSUSE Leap 15.5 (src):
 squid-5.7-150400.3.26.1
Server Applications Module 15-SP5 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Proxy 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Retail Branch Server 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Server 4.3 (src):
 squid-5.7-150400.3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Andrea Mattiazzo 2024-04-05 07:24:46 UTC 
Closing.