Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 300173 (CVE-2009-3305)

Summary: <net-proxy/polipo-1.0.4.1 httpParseHeaders() DoS (CVE-2009-{3305,4413})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bircoph, craig, jer, kfm, net-proxy+disabled, radhermit
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/dca6877a8117f0df
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 296334    
Attachments:
Description Flags
Ebuild updates for polipo-1.0.4.1 none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 16:00:11 UTC 
CVE-2009-3305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3305):
  Polipo 1.0.4, and possibly other versions, allows remote attackers to
  cause a denial of service (crash) via a request with a Cache-Control
  header that lacks a value for the max-age field, which triggers a
  segmentation fault in the httpParseHeaders function in http_parse.c,
  and possibly other unspecified vectors.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-08 20:40:12 UTC 
CVE-2009-4413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4413):
  The httpClientDiscardBody function in client.c in Polipo 0.9.8,
  0.9.12, 1.0.4, and possibly other versions, allows remote attackers
  to cause a denial of service (crash) via a request with a large
  Content-Length value, which triggers an integer overflow, a
  signed-to-unsigned conversion error with a negative value, and a
  segmentation fault.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-08 20:41:03 UTC 
Lets handle both here.
Comment 3 Tim Harder gentoo-dev 2010-04-11 09:44:41 UTC 
Both security problems are fixed in the latest 1.0.4.1 release. See the attached patch for minor ebuild updates from 1.0.4 to 1.0.4.1.
Comment 4 Tim Harder gentoo-dev 2010-04-11 09:46:14 UTC 
Created attachment 227355 [details, diff]
Ebuild updates for polipo-1.0.4.1

Ebuild updates for polipo-1.0.4.1:
  * Update SRC_URI
  * Revert keywords to testing
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2010-05-26 17:37:21 UTC 
1.0.4.1 is in the tree.


31 January 2010: Polipo 1.0.4.1:
  Cherry-picked fixes from 1.0.5
  * Fixed an integer overflow that may lead to a crash
    (http://secunia.com/advisories/37607/). Discovered by Jeremy Brown.
    (CVE-2009-4413)
  * Fixed a crash that occurs when a server sends a malformed
    Cache-Control: header (CVE-2009-3305). Patch from Stefan Fritsch.
  * Prevent an infinite loop when a bodyless 204 or 1xx response is encountered.
  * Don't crash when we get an error while waiting for 100 continue status.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-05-26 17:38:39 UTC 
Arch teams, please test and mark stable:
=net-proxy/polipo-1.0.4.1
Target KEYWORDS="amd64 x86"
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-26 17:43:53 UTC 
Thanks, jer.
Rerating B3 for DoS.
Comment 8 Myckel Habets (work) 2010-05-27 10:04:09 UTC 
Builds and runs fine on x86. Please mark stable for x86.
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-05-29 16:25:03 UTC 
x86 stable, thanks Myckel
Comment 10 Markus Meier gentoo-dev 2010-05-31 19:35:42 UTC 
amd64 stable, all arches done.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:40:26 UTC 
*** Bug 296334 has been marked as a duplicate of this bug. ***
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:40:39 UTC 
DOS in app -> closing noglsa. Feel free to reopen if you think otherwise.