Bug 1223746 (CVE-2023-49606)

Summary: VUL-0: CVE-2023-49606: tinyproxy: use-after-free vulnerability via crafted HTTP request in remove_connection_headers() in src/reqs.c
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Jan Engelhardt <jengelh>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403895/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-02 13:13:48 UTC 
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49606
https://www.cve.org/CVERecord?id=CVE-2023-49606
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
https://bugzilla.redhat.com/show_bug.cgi?id=2278395
Comment 1 Andrea Mattiazzo 2024-05-02 13:42:38 UTC 
Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/tinyproxy  1.8.4 
- openSUSE:Backports:SLE-15-SP6/tinyproxy  1.11.1
- openSUSE:Factory/tinyproxy
Comment 2 OBSbugzilla Bot 2024-05-09 11:45:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1223746) was mentioned in
https://build.opensuse.org/request/show/1172918 Factory / tinyproxy
https://build.opensuse.org/request/show/1172919 Backports:SLE-15-SP6 / tinyproxy
https://build.opensuse.org/request/show/1172920 Backports:SLE-15-SP5 / tinyproxy
Comment 3 Marcus Meissner 2024-05-10 16:05:25 UTC 
openSUSE-SU-2024:0119-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1200028,1203553,1223743,1223746
CVE References: CVE-2012-3505,CVE-2017-11747,CVE-2022-40468,CVE-2023-40533,CVE-2023-49606
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    tinyproxy-1.11.2-bp155.3.3.1