
Bug 476562 (CVE-2013-4115)

Summary: <net-proxy/squid-{3.2.12,3.3.7}: "idnsALookup()" DNS Name Handling Buffer Overflow Vulnerability (CVE-2013-4115)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: eras, net-proxy+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-11 18:21:04 UTC
From ${URL} :

A vulnerability has been reported in Squid, which can be exploited by malicious users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "idnsALookup()" function when handling DNS query generation requests and can be exploited to cause a buffer overflow by sending specially crafted HTTP requests.

The vulnerability is reported in versions 3.2 through 3.2.11 and versions 3.3 through 3.3.6.

Update to version 3.2.12 or 3.3.7 or apply the patch.

Provided and/or discovered by:
The vendor credits Nathan Hoad, Netbox Blue.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-11 22:03:43 UTC
The versions with the fixes are already in the tree. @maintainers: please ack a stable.
Comment 2 Eray Aslan gentoo-dev 2013-07-12 05:15:12 UTC
@security:  We can stabilise =net-proxy/squid-3.2.12.  Thank you.
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-12 20:41:36 UTC
Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks!
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 01:41:58 UTC
(In reply to Chris Reffett from comment #3)
> Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64
> arm hppa ia64 ppc ppc64 sparc x86. Thanks!

Like this please:

Arch teams, please test and mark stable:
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-13 05:55:24 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-13 05:55:35 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 12:29:50 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-13 18:16:43 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-13 19:14:56 UTC
ppc64 stable
Comment 10 Eray Aslan gentoo-dev 2013-07-14 08:52:50 UTC
Another security bump in the meantime:

We should stabilize =net-proxy/squid-3.2.13

@security:  Please let me know how you want to proceed (separate bug? continue here?).  Thanks.
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-14 14:19:28 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-14 17:36:48 UTC
arm stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-15 20:51:35 UTC
Continued in bug #476960.
Comment 14 Sergey Popov gentoo-dev 2013-08-24 05:37:07 UTC
GLSA vote: yes
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 18:00:29 UTC
CVE-2013-4115:
  Buffer overflow in the idnsALookup function in Squid 3.2
  through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a
  denial of service (memory corruption and server termination) via a long name
  in a DNS lookup request.
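The description at the top of this bug and the CVE text above both characterise the flaw as an over-long name in a DNS lookup overrunning a buffer in idnsALookup(). The following is an added example, not Squid's code and not the patch shipped in 3.2.12/3.3.7: a DNS QNAME encoder written in the unbounded form that produces this bug class, beside a version that checks the RFC 1035 limits (63-octet label, 255-octet wire-format name) and the destination capacity before it writes anything. The function names, the 512-byte query buffer and the synthetic hostnames are this example's own assumptions.

```c
/* Added example, not code from Squid or from this bug's patch.  The report
 * above describes CVE-2013-4115 as a buffer overflow in idnsALookup() reached
 * by a long name in a DNS lookup request.  This shows the bug class (copying
 * a hostname into a fixed-size query buffer with no bound) next to the check
 * that prevents it.  Function names are this example's own; the limits are
 * the RFC 1035 maxima (63-octet label, 255-octet wire-format name). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_LABEL  63
#define DNS_MAX_NAME  255
#define DNS_UDP_MAX   512   /* classic UDP DNS message size (assumed buffer) */

/* Vulnerable pattern: emits each label as <len><bytes> plus a root byte with
 * no bound on the total, so a hostname longer than 'out' overruns it.  Kept
 * only to show the defect; the demo below never feeds it a long name. */
static size_t encode_qname_unchecked(const char *name, uint8_t *out)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        out[pos++] = (uint8_t)len;        /* also silently truncates len > 255 */
        memcpy(out + pos, name, len);
        pos += len;
        name += len + (dot ? 1 : 0);      /* skip the separating dot */
    }
    out[pos++] = 0;                        /* root label */
    return pos;
}

/* Hardened form: rejects the name before writing anything if it cannot be a
 * legal DNS name or would not fit in 'cap' bytes.  The wire form is at most
 * strlen(name) + 2 bytes (one length byte per label plus the root byte).
 * Returns the encoded length, or -1 on rejection. */
static int encode_qname(const char *name, uint8_t *out, size_t cap)
{
    size_t text_len = strlen(name);
    if (text_len == 0 || text_len + 2 > DNS_MAX_NAME || text_len + 2 > cap)
        return -1;
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > DNS_MAX_LABEL)  /* empty label ("a..b") or > 63 */
            return -1;
        out[pos++] = (uint8_t)len;
        memcpy(out + pos, name, len);
        pos += len;
        name += len + (dot ? 1 : 0);
    }
    out[pos++] = 0;
    return (int)pos;
}

/* Encode 'name' into a 512-byte query buffer with each encoder and return the
 * length (hardened: -1 on rejection).  wire_len_unchecked() is only safe for
 * short, trusted names. */
static int wire_len(const char *name)
{
    uint8_t query[DNS_UDP_MAX];
    return encode_qname(name, query, sizeof query);
}

static size_t wire_len_unchecked(const char *name)
{
    uint8_t query[DNS_UDP_MAX];
    return encode_qname_unchecked(name, query);
}

/* Constructed input: a hostname of n characters split into labels of 'label'
 * octets; returns what the hardened encoder makes of it. */
static int encode_synthetic_name(size_t n, size_t label)
{
    char name[1024];
    uint8_t query[DNS_UDP_MAX];
    if (n >= sizeof name || label == 0) return -1;
    for (size_t i = 0; i < n; i++)
        name[i] = ((i + 1) % (label + 1) == 0) ? '.' : 'a';
    name[n] = '\0';
    return encode_qname(name, query, sizeof query);
}

int main(void)
{
    printf("www.example.com      -> %d bytes\n", wire_len("www.example.com"));
    printf("unchecked, same name -> %zu bytes\n", wire_len_unchecked("www.example.com"));
    printf("253-char name        -> %d\n", encode_synthetic_name(253, 63));
    printf("254-char name        -> %d\n", encode_synthetic_name(254, 63));
    printf("600-char name        -> %d\n", encode_synthetic_name(600, 63));
    printf("64-octet label       -> %d\n", encode_synthetic_name(64, 64));
    return 0;
}
```

The point of the hardened encoder is that the length test happens once, up front, against both the protocol maximum and the real capacity of the destination; a 253-character text name (255 bytes on the wire) is the largest it accepts, and anything longer is refused before a single byte is copied, which is the property the unchecked version lacks.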
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 17:21:59 UTC
Added to existing draft.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 09:52:18 UTC
This issue was resolved and addressed in GLSA 201309-22 by GLSA coordinator Sergey Popov (pinkbyte).