Bug 190617 - net-proxy/polipo < 1.0.2 Aborted POST Request DoS
Summary: net-proxy/polipo < 1.0.2 Aborted POST Request DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26596/
Whiteboard: B3 [noglsa] p-y
Reported: 2007-08-29 08:46 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-09-10 06:23 UTC

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 08:46:40 UTC
A vulnerability has been reported in Polipo, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error when handling POST requests that were aborted by the server. This can be exploited to e.g. crash the Polipo service by tricking a user into connecting to a malicious server.

The vulnerability is reported in versions prior to 1.0.2.

Note: This also fixes a crash when handling entities larger than 2 GB.

Solution:
Update to version 1.0.2.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 08:47:48 UTC
setting status / cc'ing. net-proxy, please provide updated ebuild.
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2007-08-29 09:01:04 UTC
Version 1.0.2 is now in the tree.

Arch teams, please test and mark it stable.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 09:10:43 UTC
great, thanks for the reactivity :)
Comment 4 Angelo Arrifano (RETIRED) gentoo-dev 2007-08-31 23:41:03 UTC
net-proxy/polipo-1.0.2

1. Emerges on AMD64.
2. Collision with /usr/info/dir
Comment 5 Alin Năstac (RETIRED) gentoo-dev 2007-09-01 06:26:57 UTC
Fixed in -r1. Now it installs man and info pages in /usr/share/man and /usr/share/info, respectively.
Comment 6 Angelo Arrifano (RETIRED) gentoo-dev 2007-09-01 23:21:11 UTC
net-proxy/polipo-1.0.2

1. Emerges on AMD64.
2. No collisions
3. It's a very easy to configure http proxy server.
   Browsed some webpages through proxy using cache. All OK.
Comment 7 Angelo Arrifano (RETIRED) gentoo-dev 2007-09-01 23:24:25 UTC
net-proxy/polipo-1.0.2-r1

1. Emerges on AMD64.
2. No collisions
3. It's a very easy to configure http proxy server.
   Browsed some webpages through proxy using cache. All OK.

PS: The test was on r1. Sorry!
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-09-01 23:51:37 UTC
amd64 stable
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-02 20:42:44 UTC
x86 stable, last arch, GLSA voting now open
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-03 07:57:28 UTC
thanks Christian.
I tend to vote NO.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-08 15:49:18 UTC
Voting NO.
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-09-09 22:34:21 UTC
I vote no, kick it to the curb.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-10 06:23:10 UTC
Closing without GLSA.