Bug 1216715 - VUL-0: squid: Chunked Encoding Stack Overflow
Summary: VUL-0: squid: Chunked Encoding Stack Overflow
Status: RESOLVED FIXED
: CVE-2024-25111 (view as bug list)
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/383469/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-30 16:12 UTC by Alexander Bergmann
Modified: 2024-04-05 07:24 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Base64 encoded reproducer (103.07 KB, text/plain)
2023-10-30 16:12 UTC, Alexander Bergmann 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2023-10-30 16:12:29 UTC 
Created attachment 870520 [details]
Base64 encoded reproducer

Details can be found here:

https://megamansec.github.io/Squid-Security-Audit/chunked-stackoverflow.html

The reproducer is working and was tested with SLE-15-SP5:

you need 3 systems: 
- squid (192.168.0.1)
- http server (192.168.0.2)
- lynx client (192.168.0.3)

1. Install and start squid on a dedicated system. Default config is fine.

2. Have a second system ready that acts as a HTTP server with the following
   command and payload. (needs to be restarted after every request)

   # base64 -d PoC_Chunked_Encoding.base64 | nc -l 192.168.0.2 80

3. On the squid server run a strace command on the (squid-1) command.

   # strace -f -p <squid-1 PID>

4. Run lynx with a http_proxy configured.

   http_proxy:http://192.168.0.1:3128

   # lynx http://192.168.0.2

Now you should see that the (squid-1) process got killed.

--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7ffdb074bf48} ---                                                                                                                                                                
+++ killed by SIGSEGV (core dumped) +++
Comment 1 Alexander Bergmann 2023-10-31 08:24:58 UTC 
The interruption of the (squid-1) process is not stopping the whole squid service. The process gets re-spawned directly after the core dump.
Comment 2 Adam Majer 2024-03-06 12:19:15 UTC 
Looks like this is,

https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc

with CVE-2024-25111
Comment 4 OBSbugzilla Bot 2024-03-06 15:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216715) was mentioned in
https://build.opensuse.org/request/show/1155563 Factory / squid
Comment 5 Andrea Mattiazzo 2024-03-08 08:58:38 UTC 
*** Bug 1221139 has been marked as a duplicate of this bug. ***
Comment 9 Maintenance Automation 2024-04-04 16:30:12 UTC 
SUSE-SU-2024:1115-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33028](https://smelt.suse.de/incident/33028/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server 12 SP5 (src):
 squid-4.17-4.44.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 squid-4.17-4.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-04 16:30:14 UTC 
SUSE-SU-2024:1114-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33029](https://smelt.suse.de/incident/33029/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 squid-4.17-150000.5.52.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 squid-4.17-150000.5.52.1
SUSE Enterprise Storage 7.1 (src):
 squid-4.17-150000.5.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-04 16:30:16 UTC 
SUSE-SU-2024:1113-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216715, 1219960
CVE References: CVE-2024-25111, CVE-2024-25617
Maintenance Incident: [SUSE:Maintenance:33030](https://smelt.suse.de/incident/33030/)
Sources used:
openSUSE Leap 15.4 (src):
 squid-5.7-150400.3.26.1
openSUSE Leap 15.5 (src):
 squid-5.7-150400.3.26.1
Server Applications Module 15-SP5 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Proxy 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Retail Branch Server 4.3 (src):
 squid-5.7-150400.3.26.1
SUSE Manager Server 4.3 (src):
 squid-5.7-150400.3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Andrea Mattiazzo 2024-04-05 07:24:46 UTC 
Closing.