Bug 78093 (CVE-2005-0718)

Summary: VUL-0: CVE-2005-0718: Squid DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0718: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-04-15 11:30:16 UTC
We received the following report via full-disclosure.
The issue is public.

This is probably more a normal bug than a security issue:
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-post

Date: Thu, 14 Apr 2005 11:29:49 +0200
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [Full-disclosure] [USN-111-1] Squid vulnerability

===========================================================
Ubuntu Security Notice USN-111-1	     April 14, 2005
squid vulnerability
CAN-2005-0718
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

squid

The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.7. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

A remote Denial of Service vulnerability has been discovered in Squid.
If the remote end aborted the connection during a PUT or POST request,
Squid tried to free an already freed part of memory, which eventually
caused the server to crash.

[...]
Comment 1 Klaus Singvogel 2005-04-21 13:02:52 UTC
Ok. Made patches and submitted them. Done. :-) 
  
Affected versions: 8.2, 9.0, 9.1 (and all derivatives, like SLES9), and 9.2  
Not affected: 9.3 (already included), and probably 8.1 (and all derivatives,
like SLES8, UL1).  
  
I'm not 100% sure about 8.1, because I only see that the relevant code isn't
present there. Maybe the problem occurs (semantically seen) somewhere else, but
the part where we have patches for was first time introduced by squid-2.5 and
8.1 contains squid-2.4. So I doubt that it is affected.
  
Security-team: please proof, if you have doubts. I checked it now for > 3 
hours. 
  
Security-team: please handle rest of process, like patchinfo. Thanks in 
advance. 
Comment 2 Ludwig Nussel 2005-04-21 13:54:09 UTC
One needs to really understand the squid code to understand the fix so this 
would need help from upstream. It's just a DoS, so unless you have a testcase 
that proves 8.1 is vulnerable I'd consider it as not affected for now.
Comment 3 Klaus Singvogel 2005-04-21 14:59:36 UTC
It seems that no one has a testcase for this issue. No one can reproduce it.
It occurs rarely as a crash. 
Comment 4 Ludwig Nussel 2005-04-21 15:18:02 UTC
SM-Tracker-1018 
Comment 5 Klaus Singvogel 2005-04-25 14:15:28 UTC
Ludwig: please note that there are no patches for 8.1 nor 9.3. 
mls informed me that the patchinfo files contain both distris (he fixes it).
But be aware when writing the security announcement. 
Comment 6 Ludwig Nussel 2005-05-03 11:14:34 UTC
updates released  
Comment 7 Thomas Biege 2009-10-13 21:16:41 UTC
CVE-2005-0718: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)