__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2011:3
__________________________________________________________________

Advisory ID:            SQUID-2011:3
Date:                   August 28, 2011
Summary:                Buffer overflow in Gopher reply parser
Affected versions:      Squid 3.0 -> 3.0.STABLE25
                        Squid 3.1 -> 3.1.14
                        Squid 3.2 -> 3.2.0.10
Fixed in Version:       Squid 3.0.STABLE26, 3.1.15, 3.2.0.11
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2005_1.txt
    http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
__________________________________________________________________

Problem Description:

 A bug exists in the code that parses responses from Gopher
 servers. The bug results in a buffer overflow if a Gopher server
 returns a line longer than 4096 bytes. The overflow results in
 memory corruption and usually crashes Squid.

 This is an extension of SQUID-2005:1 which has been opened in the
 Squid 3.x version code due to increased packet read sizes.

__________________________________________________________________

Severity:

 A malicious user may set up a fake Gopher server and forward
 requests to it through Squid. Specially crafted responses from
 that server may cause Squid to restart.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.2.0.11, 3.1.15, and
 3.0.STABLE26.

 In addition, patches addressing this problem can be found in our
 patch archives.

Squid-3.0:
 http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch

Squid-3.1:
 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch

Squid-3.2:
 http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.
__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x versions are not vulnerable.
 This problem is limited to Squid-3.x versions with large read
 buffer sizes.

 Unpatched Squid-3.0 releases up to and including 3.0.STABLE25 are
 vulnerable.

 Unpatched Squid-3.1 releases up to and including 3.1.14 are
 vulnerable.

 Unpatched Squid-3.2 releases up to and including 3.2.0.10 are
 vulnerable.

__________________________________________________________________

Workarounds:

 Since real Gopher servers are extremely rare these days, there is
 almost no reason for Squid to contact a Gopher server. You can
 add a simple access control rule to deny all Gopher requests to
 Squid:

     acl Gopher proto Gopher
     http_access deny Gopher

 Restart or reconfigure Squid after editing squid.conf. Test your
 access controls with a simple request:

     % squidclient gopher://127.0.0.1/

 You should see an "Access Denied" message.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxx mailing list is your primary
 support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.
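
Added example (not part of the original advisory and not Squid project code): a Python check that applies the ranges from "Determining if your version is vulnerable" to a version string such as the first line of `squid -v` output. The function names and sample strings are constructed for illustration; a version number alone cannot show whether a vendor has backported the patch, so an "affected" result on a packaged build still needs confirming with the vendor.

```python
import re

# Last affected release on each branch, copied from the advisory.
LAST_AFFECTED = {(3, 0): "3.0.STABLE25", (3, 1): "3.1.14", (3, 2): "3.2.0.10"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)((?:\.[A-Za-z]*\d+)*)")


def parse_version(text):
    """Return the first Squid-style version in text as a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Squid version found in %r" % text)
    parts = [int(m.group(1)), int(m.group(2))]
    for tag, num in re.findall(r"\.([A-Za-z]*)(\d+)", m.group(3)):
        # STABLEn and plain numeric parts order by n. Any other tag
        # (PRE, RC) is a pre-release and sorts before every STABLE.
        parts.append(int(num) if tag.upper() in ("", "STABLE") else -1)
    return tuple(parts)


def classify(text):
    """Classify a version string against the SQUID-2011:3 ranges."""
    version = parse_version(text)
    if version[0] == 2:
        return "not affected"           # advisory: Squid-2.x is not vulnerable
    last = LAST_AFFECTED.get(version[:2])
    if last is None:
        return "not listed"             # branch not covered by this advisory
    return "affected" if version <= parse_version(last) else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real systems.
    for sample in ("Squid Cache: Version 3.1.14",
                   "Squid Cache: Version 3.1.15",
                   "Squid Cache: Version 3.0.STABLE25",
                   "Squid Cache: Version 3.2.0.11",
                   "Squid Cache: Version 2.7.STABLE9"):
        print("%-36s %s" % (sample, classify(sample)))
```
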
__________________________________________________________________

Credits:

 The vulnerability was found by Ben Hawkes, Google Security Team

__________________________________________________________________

Revision history:

 2011-08-28 12:29 GMT Initial release of this document
__________________________________________________________________
END