
Bug 53367

Summary: net-www/squid - Cache NTLM Authentication Helper Buffer Overflow Vulnerability
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: andrewbevitt, ppc
Priority: High
Flags: jaervosz: Assigned_To? (jaervosz)
Version: unspecified
Hardware: All
OS: All
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-06-08 17:50:21 UTC
Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

[...]

iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.

http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=true
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 01:49:36 UTC
CAN-2004-0541
I think the default is not to use NTLM auth cache helper so I rated this as C1 rather than B1.

Andrew: could you apply the patch provided at:
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch
and bump to 2.5.5-r2?

Please also confirm if default configuration files shipped in Gentoo enable the NTLM auth cache helper or not...

Thanks!
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-06-09 07:11:12 UTC
Right, it's compiled in, but not enabled by default.
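
The configuration check requested in Comment 1, as an added example that is not part of the original bug thread or of Gentoo's tooling: it lists uncommented `auth_param ntlm program` directives in a squid.conf. The directive syntax is assumed from Squid 2.5; the sample config, its helper path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a squid.conf enables an NTLM auth helper.
# Assumption: Squid 2.5 syntax "auth_param ntlm program <helper> [args]".

# Print "<line-number>: <helper command>" for each uncommented
# "auth_param ntlm program" directive.
# Returns 0 if at least one is active, 1 if none, 2 if the file is unreadable.
ntlm_helpers_enabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[ \t]*#/ { next }                # skip comment lines
        $1 == "auth_param" && $2 == "ntlm" && $3 == "program" {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            print NR ": " cmd
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample config (not the file Gentoo ships): one commented-out
# NTLM helper line, one active indented line, and an unrelated basic helper.
write_sample_conf() {
    cat > "$1" <<'EOF'
http_port 3128
#auth_param ntlm program /usr/lib/squid/ntlm_auth EXAMPLE/dc1
  auth_param ntlm program /usr/lib/squid/ntlm_auth EXAMPLE/dc1
auth_param ntlm children 5
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp) && write_sample_conf "$tmp"
ntlm_helpers_enabled "$tmp" && echo "NTLM helper configured" \
    || echo "NTLM helper not configured"
rm -f "$tmp"
```

A hit only shows that some NTLM helper is configured; whether it is the SMB helper built from helpers/ntlm_auth/SMB still has to be confirmed from the reported path.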
Comment 3 Andrew Bevitt 2004-06-11 07:12:10 UTC
OK fix now just gone into CVS...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-11 10:07:14 UTC
x86 ppc sparc alpha hppa ia64: please mark stable
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-11 21:55:38 UTC
Stable on alpha.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2004-06-12 10:27:47 UTC
Stable on hppa.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-06-12 16:21:40 UTC
Stable on sparc.
Comment 8 Brandon Hale (RETIRED) gentoo-dev 2004-06-15 19:11:37 UTC
Stable on x86.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-16 05:40:01 UTC
GLSA drafted: security please review

ppc please mark stable

Please remove old unneeded versions from portage.

ia64 also remember to mark stable.
Comment 10 Daniel Ostrow (RETIRED) gentoo-dev 2004-06-16 13:00:09 UTC
Stable on ppc.
Comment 11 Andrew Bevitt 2004-06-17 02:33:32 UTC
waiting for ia64 to mark stable
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-06-17 05:16:07 UTC
glsa 200406-13