Bugzilla – Bug 65023
VUL-0: CVE-2005-0175: squid: several security related bugs
Last modified: 2021-10-27 11:52:48 UTC
Hi Klaus, here is the requested bugzilla-entry. :)

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
Message-ID: <20050119072037.GA8820@finlandia.infodrom.north.de>
X-Spam-Score: -4.901 () BAYES_00
Subject: [vendor-sec] CAN-2005-009[4-7]: Denial of service in Squid
Date: Wed, 19 Jan 2005 08:20:38 +0100

CAN-2005-0094

  "infamous41md" discovered a buffer overflow in the parser for Gopher
  responses which will lead to memory corruption and usually crash Squid.

  http://www.squid-cache.org/Advisories/SQUID-2005_1.txt
  http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch
  http://secunia.com/advisories/13825/

CAN-2005-0095

  "infamous41md" discovered an integer overflow in the receiver of WCCP
  (Web Cache Communication Protocol) messages. An attacker could send a
  specially crafted UDP datagram that will cause Squid to crash.

  http://www.squid-cache.org/Advisories/SQUID-2005_2.txt
  http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch
  http://secunia.com/advisories/13825/

CAN-2005-0096

  Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and
  earlier allows remote attackers to cause a denial of service (memory
  consumption).

  http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
  http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch
  http://secunia.com/advisories/13789/

CAN-2005-0097

  The NTLM component in Squid 2.5.STABLE7 and earlier allows remote
  attackers to cause a denial of service (crash) via a malformed NTLM
  type 3 message.

  http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
  http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch
  http://secunia.com/advisories/13789/

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
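CAN-2005-0094 above is a buffer overflow in the parser for Gopher responses. The following is an added example for this bug entry, not Squid's gopher code: a bounded parser for one RFC 1436 Gopher menu line (type+display, selector, host, port, separated by tabs), which refuses an over-long or malformed line instead of copying it into a fixed buffer. The line and field limits, the function names and the sample menu are assumptions made for the example.

```c
/* Added example, not Squid's code: bounded parsing of one Gopher menu line.
 * GOPHER_LINE_MAX, FIELD_MAX and the sample menu are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GOPHER_LINE_MAX 128   /* assumed: longest line we will look at */
#define FIELD_MAX 64          /* assumed: longest single field we keep */

struct gopher_item {
    char type;                /* '0' file, '1' menu, '.' = end-of-menu marker */
    char display[FIELD_MAX];
    char selector[FIELD_MAX];
    char host[FIELD_MAX];
    unsigned port;
};

/* Copy len bytes into dst only if they fit together with the NUL.
 * Refusing here is the whole point: an unchecked copy is the overflow. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one menu line from a network buffer of len bytes.
 * Returns bytes consumed (>0), 0 if no complete line is present yet,
 * -1 if the line is over-long or malformed and the response must be dropped. */
int gopher_parse_line(const char *buf, size_t len, struct gopher_item *out)
{
    size_t scan = len < GOPHER_LINE_MAX ? len : GOPHER_LINE_MAX;
    const char *nl = memchr(buf, '\n', scan);
    if (nl == NULL)
        return len >= GOPHER_LINE_MAX ? -1 : 0;   /* too long vs. need more data */

    size_t consumed = (size_t)(nl - buf) + 1;
    size_t linelen = consumed - 1;
    if (linelen > 0 && buf[linelen - 1] == '\r')
        linelen--;

    memset(out, 0, sizeof *out);
    if (linelen == 1 && buf[0] == '.') {          /* end of menu */
        out->type = '.';
        return (int)consumed;
    }

    /* Split into at most four tab-separated fields; a fifth (Gopher+) is ignored. */
    const char *f[4];
    size_t fl[4], nf = 0;
    const char *p = buf, *end = buf + linelen;
    while (nf < 4) {
        const char *tab = memchr(p, '\t', (size_t)(end - p));
        f[nf] = p;
        fl[nf] = tab ? (size_t)(tab - p) : (size_t)(end - p);
        nf++;
        if (tab == NULL)
            break;
        p = tab + 1;
    }
    if (nf < 4 || fl[0] < 1)
        return -1;

    out->type = f[0][0];
    if (copy_field(out->display, FIELD_MAX, f[0] + 1, fl[0] - 1) ||
        copy_field(out->selector, FIELD_MAX, f[1], fl[1]) ||
        copy_field(out->host, FIELD_MAX, f[2], fl[2]))
        return -1;

    char portbuf[6];                              /* room for "65535" */
    if (fl[3] == 0 || copy_field(portbuf, sizeof portbuf, f[3], fl[3]))
        return -1;
    for (size_t i = 0; i < fl[3]; i++)
        if (portbuf[i] < '0' || portbuf[i] > '9')
            return -1;
    unsigned long port = strtoul(portbuf, NULL, 10);
    if (port > 65535)
        return -1;
    out->port = (unsigned)port;
    return (int)consumed;
}

/* Wrappers for C-string input: status code, and the port (0 when rejected). */
int gopher_status(const char *s)
{
    struct gopher_item it;
    return gopher_parse_line(s, strlen(s), &it);
}

unsigned gopher_port(const char *s)
{
    struct gopher_item it;
    return gopher_parse_line(s, strlen(s), &it) > 0 ? it.port : 0;
}

/* A server-controlled line with no newline inside the first GOPHER_LINE_MAX bytes. */
int gopher_overlong_status(void)
{
    char big[4 * GOPHER_LINE_MAX];
    struct gopher_item it;
    memset(big, 'A', sizeof big);
    return gopher_parse_line(big, sizeof big, &it);
}

int main(void)
{
    /* Constructed sample menu, as a Gopher server would send it. */
    const char *menu = "1About this server\t/about\tgopher.example.org\t70\r\n"
                       "0Readme\t/readme.txt\tgopher.example.org\t70\r\n.\r\n";
    size_t len = strlen(menu), off = 0;
    struct gopher_item it;
    while (off < len) {
        int n = gopher_parse_line(menu + off, len - off, &it);
        if (n <= 0 || it.type == '.')
            break;
        printf("%c %-20s %s:%u %s\n", it.type, it.display, it.host, it.port, it.selector);
        off += (size_t)n;
    }
    printf("over-long line -> %d\n", gopher_overlong_status());
    return 0;
}
```

The caller drops the connection on -1; the property that matters is that the amount written into any of the fixed buffers is bounded by the buffer, not by what the server sends.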
SM-Tracker-200
Hi Klaus, can you outline the current status, please?
Working on it... realized that I want to check whether we are affected by bugzilla#49288 in other SuLi versions as well...
BTW: I'm trying to fix these security issues as well (no CAN-# found):

http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces

but some of these aren't very short, and many changes have been made between the SLES8 squid and current. :(
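The ldap_spaces item listed above concerns squid_ldap_auth accepting login names with spaces; the upstream note quoted later in this entry explains that LDAP is forgiving about spaces in search filters, so " alice", "alice " and "alice" can all log in as the same entry while looking like different users to ACLs and accounting. The following is an added example, not squid_ldap_auth's code: a sanity check that refuses such names, plus RFC 4515 escaping of what is left before it goes into a "(attr=value)" filter. Function names, buffer sizes and the sample names are assumptions made for the example.

```c
/* Added example, not squid_ldap_auth's code: refuse login names that could be
 * turned into an equivalent-but-different LDAP filter, and escape the rest.
 * The function names, buffer sizes and sample names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only names we are willing to pass into a search filter verbatim:
 * non-empty, no whitespace anywhere (leading, trailing or embedded), no
 * control characters. */
int ldap_username_sane(const char *user)
{
    const unsigned char *p = (const unsigned char *)user;
    if (user == NULL || *p == '\0')
        return 0;
    for (; *p; p++)
        if (isspace(*p) || iscntrl(*p))
            return 0;
    return 1;
}

/* RFC 4515 escaping for assertion values: '*' '(' ')' '\' -> \2a \28 \29 \5c.
 * (NUL cannot occur in a C string, so it needs no case here.)
 * Returns 0 on success, -1 if dst (capacity cap) is too small. */
int ldap_filter_escape(char *dst, size_t cap, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= cap) return -1;
            dst[o++] = '\\';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= cap) return -1;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Build "(attr=user)" only after the sanity check passes; -1 means refuse. */
int ldap_build_filter(char *dst, size_t cap, const char *attr, const char *user)
{
    char esc[256];
    if (!ldap_username_sane(user) || ldap_filter_escape(esc, sizeof esc, user))
        return -1;
    int n = snprintf(dst, cap, "(%s=%s)", attr, esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 1 if the filter built for user equals expected, 0 if refused or different. */
int ldap_filter_matches(const char *attr, const char *user, const char *expected)
{
    char filter[512];
    if (ldap_build_filter(filter, sizeof filter, attr, user))
        return 0;
    return strcmp(filter, expected) == 0;
}

int main(void)
{
    /* Constructed login attempts: the spaced variants of "alice" are refused,
     * and the wildcard is escaped rather than matching every uid. */
    const char *attempts[] = { "alice", " alice", "alice ", "al ice", "*", "al*ice" };
    char filter[512];
    for (size_t i = 0; i < sizeof attempts / sizeof *attempts; i++) {
        if (ldap_build_filter(filter, sizeof filter, "uid", attempts[i]) == 0)
            printf("\"%s\" -> %s\n", attempts[i], filter);
        else
            printf("\"%s\" -> refused\n", attempts[i]);
    }
    return 0;
}
```

Refusing rather than trimming is deliberate: trimming would still let two different byte strings authenticate as one account, which is exactly the accounting confusion the upstream note describes.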
Submitted new packages. Here is an overview of the patches (best viewed with fixed font :-)

                                       8.1   8.2   9.0   9.1   9.2
CAN-2005-0094 gopher_html_parsing      o.k.  o.k.  o.k.  o.k.  o.k.
CAN-2005-0095 wccp_denial_of_service   mod   o.k.  o.k.  o.k.  o.k.
CAN-2005-0097 fakeauth_auth            n.a.  o.k.  o.k.  o.k.  o.k.
CAN-2005-0096 fakeauth_auth            n.a.  o.k.  o.k.  o.k.  o.k.
              ldap_spaces              mod   mod   mod   mod   o.k.
              response_splitting       -     mod   mod   mod   o.k.
              header_parsing           -     -     -     -     -

Note:
  n.a.: not affected = functionality missing in this version
  o.k.: upstream patch applied without any problems
  mod:  upstream patch needed modifications to get applied
  -:    major functionality missing, like the FD abstraction layer; cannot apply this patch

Note: 8.1 includes 8.1, SLES8, SLEC, UL, etc.
      9.1 includes 9.1, SLES9, SLD, etc.

Security team: can you please handle the next steps of the update, like the SWAMP/patchinfo file?
Testing team: didn't test much, please take care.
Thanks Klaus.
`patchinfo-box.squid' -> `/work/src/done/PATCHINFO/patchinfo-box.squid'
`patchinfo.squid' -> `/work/src/done/PATCHINFO/patchinfo.squid'
> These issues were just reported to vendor-sec.

OK. I'm treating these as "not sufficiently public" so there isn't any
information in the CANs themselves.

> Sanity check usernames in squid_ldap_auth
>
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
>
> Synopsis:
> LDAP is very forgiving about spaces in search filters and this could
> be abused to log in using several variants of the login name, possibly
> bypassing explicit access controls or confusing accounting

Use CAN-2005-0173

> Reject malformed HTTP requests and responses that conflict with the
> HTTP specifications
>
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing
>
> This patch makes Squid considerably stricter while parsing the HTTP
> protocol.

If it just rejected malformed requests because they might be bad, I
wouldn't normally assign a CAN. However, some cache poisoning in Squid
can happen as a result of the Content-Length issue, so:

Use CAN-2005-0174

> Strengthen Squid from HTTP response splitting cache pollution attack
>
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting

Use CAN-2005-0175
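The two HTTP items above (CAN-2005-0174 header parsing with its Content-Length issue, CAN-2005-0175 response splitting) both come down to a cache and the client disagreeing about where one message ends and the next begins. The following is an added example, not Squid's header parser: a strict validator for a raw HTTP header block that rejects a CR that is not part of CRLF, whitespace before the colon, control characters in values, and Content-Length headers that disagree with each other. This page does not state which exact rules the upstream patches chose, so these rules, the function names and the sample messages are assumptions made for the example.

```c
/* Added example, not Squid's header parser: strict validation of an HTTP
 * header block. The rules, names and sample messages are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { HDR_OK = 1, HDR_INCOMPLETE = 0, HDR_REJECT = -1 };

/* One line out of [p, end): returns its length without the terminator and
 * sets *next past the CRLF or LF. A CR not followed by LF is exactly the
 * ambiguity response splitting relies on (one parser sees a line end, the
 * other does not), so it is an error (-1); no terminator yet is -2. */
static long next_line(const char *p, const char *end, const char **next)
{
    for (const char *q = p; q < end; q++) {
        if (*q == '\r') {
            if (q + 1 >= end) return -2;
            if (q[1] != '\n') return -1;
            *next = q + 2;
            return q - p;
        }
        if (*q == '\n') {
            *next = q + 1;
            return q - p;
        }
    }
    return -2;
}

/* RFC 2616 token characters: no CTLs, no SP, no separators. */
static int is_tchar(unsigned char c)
{
    return c > 0x20 && c < 0x7f && strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

static int name_is(const char *p, size_t n, const char *lit)
{
    if (strlen(lit) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Validate status line, headers and the closing blank line. On HDR_OK,
 * *content_length is the single agreed value, or -1 if absent. Folded
 * continuation lines are rejected too (assumption: strictness over obs-fold). */
int http_headers_validate(const char *buf, size_t len, long *content_length)
{
    const char *p = buf, *end = buf + len, *next = buf;
    long n;
    int first = 1;
    *content_length = -1;

    while ((n = next_line(p, end, &next)) >= 0) {
        if (first) {                      /* status/request line must be non-empty */
            first = 0;
            if (n == 0) return HDR_REJECT;
            p = next;
            continue;
        }
        if (n == 0) return HDR_OK;        /* blank line closes the header block */

        const char *colon = memchr(p, ':', (size_t)n);
        if (colon == NULL || colon == p) return HDR_REJECT;
        for (const char *c = p; c < colon; c++)
            if (!is_tchar((unsigned char)*c)) return HDR_REJECT;   /* "Name : v" etc. */

        const char *val = colon + 1;
        size_t vlen = (size_t)(p + n - val);
        while (vlen && (*val == ' ' || *val == '\t')) { val++; vlen--; }
        while (vlen && (val[vlen - 1] == ' ' || val[vlen - 1] == '\t')) vlen--;
        for (size_t i = 0; i < vlen; i++)
            if ((unsigned char)val[i] < 0x20 && val[i] != '\t') return HDR_REJECT;

        if (name_is(p, (size_t)(colon - p), "Content-Length")) {
            long cl = 0;
            if (vlen == 0 || vlen > 9) return HDR_REJECT;   /* assumed cap: 9 digits */
            for (size_t i = 0; i < vlen; i++) {
                if (val[i] < '0' || val[i] > '9') return HDR_REJECT;  /* 1*DIGIT only */
                cl = cl * 10 + (val[i] - '0');
            }
            if (*content_length >= 0 && *content_length != cl) return HDR_REJECT;
            *content_length = cl;         /* identical duplicates are tolerated */
        }
        p = next;
    }
    return n == -1 ? HDR_REJECT : HDR_INCOMPLETE;
}

/* Wrappers for C-string input; http_content_length returns -2 unless HDR_OK. */
int http_check(const char *s)
{
    long cl;
    return http_headers_validate(s, strlen(s), &cl);
}

long http_content_length(const char *s)
{
    long cl;
    return http_headers_validate(s, strlen(s), &cl) == HDR_OK ? cl : -2;
}

int main(void)
{
    /* Constructed responses: clean, identical duplicates, a conflict,
     * a lone CR inside a value, and a space before the colon. */
    const char *samples[] = {
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello",
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 99\r\n\r\nhello",
        "HTTP/1.1 200 OK\r\nSet-Cookie: a\rX: b\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length : 5\r\n\r\nhello",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu -> %d\n", i, http_check(samples[i]));
    return 0;
}
```

A proxy that rejects the conflicting-Content-Length case never has to pick one of the two lengths, which is the decision an attacker exploits to make the cache store trailing bytes as the reply to a different request.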
packages approved
CVE-2005-0175: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)