Bug 53367 - net-www/squid - Cache NTLM Authentication Helper Buffer Overflow Vulnerability
Summary: net-www/squid - Cache NTLM Authentication Helper Buffer Overflow Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Reported: 2004-06-08 17:50 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:40 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-06-08 17:50:21 UTC
Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

[...]

iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.

http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=true
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 01:49:36 UTC
CAN-2004-0541
I think the default is not to use NTLM auth cache helper so I rated this as C1 rather than B1.

Andrew: could you apply the patch provided at:
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch
and bump to 2.5.5-r2?

Please also confirm if default configuration files shipped in Gentoo enable the NTLM auth cache helper or not...

Thanks !
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-06-09 07:11:12 UTC
Right, it's compiled in, but not enabled by default.
Comment 3 Andrew Bevitt 2004-06-11 07:12:10 UTC
OK fix now just gone into CVS...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-11 10:07:14 UTC
x86 ppc sparc alpha hppa ia64: please mark stable
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-11 21:55:38 UTC
Stable on alpha.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2004-06-12 10:27:47 UTC
Stable on hppa.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-06-12 16:21:40 UTC
Stable on sparc.
Comment 8 Brandon Hale (RETIRED) gentoo-dev 2004-06-15 19:11:37 UTC
Stable on x86.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-16 05:40:01 UTC
GLSA drafted: security please review

ppc please mark stable

Please remove old unneeded versions from portage.

ia64 also remember to mark stable.
Comment 10 Daniel Ostrow (RETIRED) gentoo-dev 2004-06-16 13:00:09 UTC
Stable on ppc.
Comment 11 Andrew Bevitt 2004-06-17 02:33:32 UTC
waiting for ia64 to mark stable
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-06-17 05:16:07 UTC
glsa 200406-13