Bug 65023 (CVE-2005-0175)

Summary: VUL-0: CVE-2005-0175: squid: several security related bugs
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: heiko.rommel, patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0175: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-01-20 19:42:27 UTC
Hi Klaus, 
here is the requested bugzilla-entry. :) 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
Message-ID: <20050119072037.GA8820@finlandia.infodrom.north.de> 
X-Spam-Score: -4.901 () BAYES_00 
Subject: [vendor-sec] CAN-2005-009[4-7]: Denial of service in Squid 
Date: Wed, 19 Jan 2005 08:20:38 +0100 
 
CAN-2005-0094 
 
    "infamous41md" discovered a buffer overflow in the parser for 
    Gopher responses which will lead to memory corruption and usually 
    crash Squid. 
 
    http://www.squid-cache.org/Advisories/SQUID-2005_1.txt 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch 
    http://secunia.com/advisories/13825/ 
 
CAN-2005-0095 
 
    "infamous41md" discovered an integer overflow in the receiver of 
    WCCP (Web Cache Communication Protocol) messages.  An attacker 
    could send a specially crafted UDP datagram that will cause Squid 
    to crash. 
 
    http://www.squid-cache.org/Advisories/SQUID-2005_2.txt 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch 
    http://secunia.com/advisories/13825/ 
 
CAN-2005-0096 
 
    Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and
    earlier allows remote attackers to cause a denial of service (memory
    consumption).
 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch 
    http://secunia.com/advisories/13789/ 
 
CAN-2005-0097 
 
    The NTLM component in Squid 2.5.STABLE7 and earlier allows remote 
    attackers to cause a denial of service (crash) via a malformed NTLM 
    type 3 message. 
 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth 
    http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch 
    http://secunia.com/advisories/13789/ 
 
Regards, 
 
        Joey 
 
-- 
Ten years and still binary compatible.  -- XFree86 
Comment 1 Thomas Biege 2005-01-20 19:42:28 UTC
-
Comment 2 Thomas Biege 2005-01-20 20:02:12 UTC
 SM-Tracker-200 
Comment 3 Thomas Biege 2005-01-25 20:16:36 UTC
Hi Klaus, 
can you outline the current status please. 
Comment 4 Klaus Singvogel 2005-01-26 00:16:24 UTC
working on it... 
 
Realized that I want to check out whether we are affected by bugzilla#49288
in other SuLi versions too...
Comment 5 Klaus Singvogel 2005-01-26 02:12:12 UTC
BTW: I'm trying to fix these security issues too (no CAN-# found)
 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting 
 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing 
 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces 
 
but some of these aren't very short and many changes have been made between
SLES8 squid and current. :(
Comment 6 Klaus Singvogel 2005-01-28 00:36:56 UTC
Submitted new packages. Here is an overview of the patches (best viewed with a
fixed font :-)
 
                                         8.1   8.2   9.0   9.1   9.2 
CAN-2005-0094  gopher_html_parsing       o.k.  o.k.  o.k.  o.k.  o.k. 
CAN-2005-0095  wccp_denial_of_service    mod   o.k.  o.k.  o.k.  o.k. 
CAN-2005-0097  fakeauth_auth             n.a.  o.k.  o.k.  o.k.  o.k. 
CAN-2005-0096  fakeauth_auth             n.a.  o.k.  o.k.  o.k.  o.k. 
               ldap_spaces               mod   mod   mod   mod   o.k. 
               response_splitting        -     mod   mod   mod   o.k. 
               header_parsing            -     -     -     -     - 
 
Note:
n.a.: not affected = functionality missing in this version
o.k.: upstream patch applied without any problems
mod:  upstream patch needed modifications to get applied
-:    major functionality missing, like the FD abstraction layer;
      cannot apply this patch
 
Note: 
8.1 includes 8.1, SLES8, SLEC, UL, etc. 
9.1 includes 9.1, SLES9, SLD, etc. 
 
Security team:
can you please handle the next steps of the update, like the SWAMP/patchinfo file?

Testing team:
I didn't test much, please take care.
 
Comment 7 Thomas Biege 2005-01-28 17:00:01 UTC
Thanks Klaus. 
Comment 8 Thomas Biege 2005-01-28 18:04:50 UTC
`patchinfo-box.squid' -> `/work/src/done/PATCHINFO/patchinfo-box.squid' 
`patchinfo.squid' -> `/work/src/done/PATCHINFO/patchinfo.squid' 
Comment 9 Marcus Meissner 2005-01-28 22:35:40 UTC
>These issues were just reported to vendor-sec.

OK.  I'm treating these as "not sufficiently public" so there isn't
any information in the CANs themselves.

>Sanity check usernames in squid_ldap_auth
>
>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
>
>Synopsis:
>LDAP is very forgiving about spaces in search filters and this could
>be abused to log in using several variants of the login name, possibly
>bypassing explicit access controls or confusing accounting

Use CAN-2005-0173

>Reject malformed HTTP requests and responses that conflict with the
>HTTP specifications
>
>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing
>
>This patch makes Squid considerably stricter while parsing the HTTP
>protocol.

If it just rejected malformed requests because they might be bad, I
wouldn't normally assign a CAN.  However, some cache poisoning in
Squid can happen as a result of the Content-Length issue, so:

Use CAN-2005-0174

>Strengthen Squid from HTTP response splitting cache pollution attack
>
>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting

Use CAN-2005-0175
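The "ldap_spaces" item in the comment above (CAN-2005-0173) concerns an auth helper that passes the login name into an LDAP search filter without sanity checks, so " joe", "joe " and "joe" can all resolve to the same entry. As an added example, not Squid's own code, the following C sketch shows the two defensive layers a helper wants: a strict username check that refuses whitespace and control characters, and filter construction that escapes RFC 4515 metacharacters. The 64-byte limit, the uid attribute and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if 'user' may be used as a login name: non-empty, at most 64
 * bytes (assumed limit), printable ASCII, and in particular no whitespace
 * or control characters, so " joe", "joe " and "joe\t" can no longer reach
 * the directory as variants of "joe". */
int ldap_username_ok(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (isspace(c) || !isprint(c) || c >= 0x80) return 0;
    }
    return 1;
}

/* Build "(uid=<user>)" into out, escaping RFC 4515 metacharacters so the
 * name cannot alter the filter's structure. Returns the length written,
 * or -1 if the name fails the check or out is too small. */
int ldap_build_filter(const char *user, char *out, size_t outlen)
{
    size_t pos = 0;
    if (!ldap_username_ok(user) || outlen < 3 * strlen(user) + 7)
        return -1;
    pos += (size_t)snprintf(out, outlen, "(uid=");
    for (const char *p = user; *p; p++) {
        if (strchr("*()\\", *p))
            pos += (size_t)snprintf(out + pos, outlen - pos, "\\%02x", (unsigned char)*p);
        else
            out[pos++] = *p;
    }
    out[pos++] = ')';
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    char filter[256];
    const char *names[] = { "joe", " joe", "joe ", "jo*e" };   /* constructed samples */
    for (size_t i = 0; i < 4; i++) {
        int n = ldap_build_filter(names[i], filter, sizeof filter);
        printf("\"%s\" -> %s\n", names[i], n < 0 ? "rejected" : filter);
    }
    return 0;
}
```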
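The header_parsing and response splitting items above (CAN-2005-0174, CAN-2005-0175) both come down to a proxy accepting header blocks that client, proxy and origin may interpret differently, which is what lets a poisoned response land in the cache. As an added example, not Squid's patch, this C function applies a few strict-parsing rules of that kind to one message's header block: well-formed "Name: value" lines, no stray CR or LF inside a field, and a Content-Length that is digits only and consistent across repeated copies. The function name and the exact rule set are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Return 1 if a CRLF-separated header block is acceptable, 0 if it must be
 * rejected: every line is "Name: value" with no whitespace before the colon,
 * no bare CR/LF inside a field, and Content-Length is digits only and, if
 * repeated, all copies agree, so proxy and origin cannot disagree about
 * where a message ends. */
int http_headers_ok(const char *hdrs)
{
    const char *line = hdrs;
    long long clen = -1;                              /* -1: not seen yet */
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + len;
        if (len == 0) break;                          /* blank line: done */
        const char *colon = memchr(line, ':', len);
        if (!colon || colon == line || isspace((unsigned char)colon[-1]))
            return 0;                                 /* malformed line */
        if (memchr(line, '\r', len) || memchr(line, '\n', len))
            return 0;                                 /* stray CR or LF */
        if (colon - line == 14 && strncasecmp(line, "Content-Length", 14) == 0) {
            const char *v = colon + 1;
            long long n = 0;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            if (v == end) return 0;                   /* empty value */
            for (; v < end && isdigit((unsigned char)*v); v++) {
                n = n * 10 + (*v - '0');
                if (n > 0x7fffffffLL) return 0;       /* would overflow int */
            }
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            if (v != end) return 0;                   /* junk after digits */
            if (clen >= 0 && clen != n) return 0;     /* conflicting copies */
            clen = n;
        }
        line = eol ? eol + 2 : end;
    }
    return 1;
}

int main(void)
{   /* constructed sample header blocks */
    const char *ok  = "Host: cache.example\r\nContent-Length: 12\r\n\r\n";
    const char *bad = "Content-Length: 12\r\nContent-Length: 7\r\n\r\n";
    printf("consistent: %d, conflicting: %d\n", http_headers_ok(ok), http_headers_ok(bad));
    return 0;
}
```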
Comment 10 Thomas Biege 2005-02-01 19:48:37 UTC
packages approved
Comment 11 Thomas Biege 2009-10-13 20:59:03 UTC
CVE-2005-0175: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)