Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 428778 (CVE-2012-3501)

Summary: <net-proxy/squidclamav-6.8 : URL Parsing Denial of Service Vulnerability (CVE-2012-3501)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: flameeyes, net-proxy+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/49057/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-07-31 09:07:23 UTC
Description
A vulnerability has been reported in SquidClamav, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when parsing a URL, which may result in unescaped URLs to be passed to the system command call. This can be exploited to cause the daemon to crash via specially crafted characters (e.g. %0D or %0A).

The vulnerability is reported in versions prior to 5.8 and 6.7.


Solution
Update to version 5.8 or 6.7.
Comment 1 Agostino Sarubbo gentoo-dev 2012-07-31 09:07:46 UTC
ok to stabilize 6.8 ?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-31 13:52:44 UTC
Ok for me.
Comment 3 Agostino Sarubbo gentoo-dev 2012-07-31 14:24:36 UTC
Arches, please test and mark stable:
=net-proxy/squidclamav-6.8
Target KEYWORDS : "amd64 x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-08-01 07:07:37 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-08-01 09:46:56 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-01 09:48:29 UTC
security, please vote.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 15:48:34 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:12:50 UTC
YES too, request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 11:54:20 UTC
CVE-2012-3501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3501):
  The squidclamav_check_preview_handler function in squidclamav.c in
  SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a
  system command call, which allows remote attackers to cause a denial of
  service (daemon crash) via a URL with certain characters, as demonstrated
  using %0D or %0A.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 00:12:35 UTC
This issue was resolved and addressed in
 GLSA 201209-08 at http://security.gentoo.org/glsa/glsa-201209-08.xml
by GLSA coordinator Sean Amoss (ackle).