[ADVISORY] SQUID-2011:3 Buffer overflow in Gopher reply parser

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2011:3
__________________________________________________________________

Advisory ID:            SQUID-2011:3
Date:                   August 28, 2011
Summary:                Buffer overflow in Gopher reply parser
Affected versions:      Squid 3.0 -> 3.0.STABLE25
                        Squid 3.1 -> 3.1.14
                        Squid 3.2 -> 3.2.0.10
Fixed in Version:       Squid 3.0.STABLE26, 3.1.15, 3.2.0.11
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2005_1.txt
     http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
__________________________________________________________________

Problem Description:

 A bug exists in the code that parses responses from Gopher servers.
 The bug results in a buffer overflow if a Gopher server returns a
 line longer than 4096 bytes.  The overflow results in memory
 corruption and usually crashes Squid.

 This is an extension of SQUID-2005:1, which has been re-exposed in
 the Squid 3.x code by increased packet read sizes.
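
 An added example, not Squid's code or the released patch: a line
 assembler that stays in bounds when one network read is larger than the
 4096-byte line buffer, the condition described above. The struct and
 function names and the policy of rejecting overlong lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 4096   /* line buffer size named in the advisory */

/* Hypothetical parser state; names are illustrative, not Squid's. */
struct line_parser {
    char   line[LINE_BUF];  /* line currently being assembled */
    size_t len;             /* bytes stored in line[] */
    int    discarding;      /* set while skipping the tail of an overlong line */
    size_t complete;        /* lines accepted intact */
    size_t overlong;        /* lines rejected as too long */
    char   last[LINE_BUF];  /* most recent accepted line, NUL-terminated */
};

static void parser_init(struct line_parser *p) { memset(p, 0, sizeof *p); }

/* Consume one network read of any size. The read size is independent of
 * LINE_BUF, so every stored byte is checked against the line buffer. */
static void parser_feed(struct line_parser *p, const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char c = buf[i];
        if (c == '\n') {
            if (p->discarding) {
                p->overlong++;                  /* end of a rejected line */
            } else {
                if (p->len > 0 && p->line[p->len - 1] == '\r')
                    p->len--;                   /* strip the CR of CRLF */
                p->line[p->len] = '\0';
                memcpy(p->last, p->line, p->len + 1);
                p->complete++;
            }
            p->len = 0;
            p->discarding = 0;
        } else if (!p->discarding) {
            if (p->len < LINE_BUF - 1)          /* keep room for the NUL */
                p->line[p->len++] = c;
            else
                p->discarding = 1;              /* drop the rest of this line */
        }
    }
}

int main(void)
{
    static char reply[5010];                    /* constructed sample reply */
    struct line_parser p;
    memset(reply, 'A', 5000);                   /* one 5000-byte line ... */
    memcpy(reply + 5000, "\r\niHello\r\n", 10); /* ... then a short one */
    parser_init(&p);
    parser_feed(&p, reply, sizeof reply);
    printf("complete=%zu overlong=%zu last=%s\n", p.complete, p.overlong, p.last);
    return 0;
}
```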

__________________________________________________________________

Severity:

 A malicious user may set up a fake Gopher server and forward
 requests to it through Squid.  Specially crafted responses from
 that server may cause Squid to restart.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.2.0.11, 3.1.15, and
 3.0.STABLE26.

 In addition, patches addressing this problem can be found in our
 patch archives.

 Squid-3.0:
  http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch

 Squid-3.1:
  http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch

 Squid-3.2:
  http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 No Squid-2.x version is vulnerable. This problem is limited to
 Squid-3.x versions with large read buffer sizes.

 Unpatched Squid-3.0 releases up to and including 3.0.STABLE25
 are vulnerable.

 Unpatched Squid-3.1 releases up to and including 3.1.14 are
 vulnerable.

 Unpatched Squid-3.2 releases up to and including 3.2.0.10 are
 vulnerable.

__________________________________________________________________

Workarounds:

 Since real Gopher servers are extremely rare these days, there is
 almost no reason for Squid to contact a Gopher server.  You can
 add a simple access control rule to deny all Gopher requests to
 Squid:

    acl Gopher proto Gopher
    http_access deny Gopher

 Restart or reconfigure Squid after editing squid.conf.  Test your
 access controls with a simple request:

    % squidclient gopher://127.0.0.1/

 You should see an "Access Denied" message.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
 support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was found by Ben Hawkes, Google Security Team.

__________________________________________________________________

Revision history:

 2011-08-28 12:29 GMT Initial release of this document
__________________________________________________________________
END