80201 – www-proxy/squid: Buffer overflow in WCCP recvfrom() call

Bug 80201 - www-proxy/squid: Buffer overflow in WCCP recvfrom() call

Summary: www-proxy/squid: Buffer overflow in WCCP recvfrom() call

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://www.squid-cache.org/Advisories...
Whiteboard:	A3 [glsa] jaervosz
Keywords:

Depends on:
Blocks:	79495
	Show dependency tree

Reported:	2005-01-31 05:47 UTC by Jean-François Brunette (RETIRED)
Modified:	2005-02-02 12:38 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jean-François Brunette (RETIRED) gentoo-dev

2005-01-31 05:47:40 UTC

Problem Description:

The WCCP recvfrom() call accepts more data than will fit in
the allocated buffer. An attacker may send a larger-than-normal
WCCP message to Squid and overflow this buffer.
__________________________________________________________________

Severity:

The bug is important because it allows remote attackers to crash
Squid, causing a disription in service. However, the bug is
exploitable only if you have configured Squid to send WCCP messages
to, and expect WCCP replies from, a router.

Sites that do not use WCCP are not vulnerable.

__________________________________________________________________

Updated Packages:

An individual patch for this issues can be found in our
patch archive for version Squid-2.5.STABLE7:

http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch

If necessary, this short patch should also apply to previous
versions of Squid.

If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

Your installation is vulnerable if you have configured Squid to
send WCCP messages to a router, and thus expect replies from a
router. Look for the 'wccp_router' dirctive in your squid.conf
file. Also, look for this line in cache.log:

Accepting WCCP messages on port 2048, FD 15

__________________________________________________________________

Workarounds:

If WCCP is not essential to your operation, disable it
by commenting out the 'wccp_router' directive in
squid.conf.

You may also compile Squid without any WCCP code at all
by giving the --disable-wccp option to the ./configure
script.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-01-31 05:54:53 UTC

Andrew please bump.

The date on squid-2.5.STABLE7-response_splitting.patch seems to have changed also. Did they change the patch?

Comment 2 Andrew Bevitt 2005-02-01 01:53:06 UTC

See squid-2.5.7-r5 patchset 20050201

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-02-01 02:15:38 UTC

Thx Andrew.

This one is ready for GLSA.

The patch was changed slightly in squid-2.5.7-r5 patchset 20050201:
285,298d284
< Index: squid/src/store_digest.c
< diff -c squid/src/store_digest.c:1.51 squid/src/store_digest.c:1.51.2.1
< *** squid/src/store_digest.c:1.51     Wed Oct 24 00:55:44 2001
< --- squid/src/store_digest.c  Sun Jan 30 18:49:42 2005
< ***************
< *** 387,392 ****
< --- 387,393 ----
<       (long int) e->mem_obj->reply->expires, (int) (e->mem_obj->reply->expires - squid_curtime));
<       storeBuffer(e);
<       httpReplySwapOut(e->mem_obj->reply, e);
< +     e->mem_obj->reply->hdr_sz = e->mem_obj->inmem_hi;
<       storeDigestCBlockSwapOut(e);
<       storeBufferFlush(e);
<       eventAdd("storeDigestSwapOutStep", storeDigestSwapOutStep, sd_state.rewrite_lock, 0.0, 1);

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-02-02 12:38:30 UTC

GLSA 200502-04