Bug 279380 (CVE-2009-2855) - <net-proxy/squid-2.7.6-r2/3.0.18-r1 DoS in external auth header parser (CVE-2009-2855)
Status: RESOLVED FIXED
Alias: CVE-2009-2855
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.squid-cache.org/bugs/show_...
Whiteboard: C3 [glsa]
 
Reported: 2009-07-27 19:37 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-26 20:47 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 19:37:22 UTC
Bastian Blank reported an infinite loop when processing auth headers.

No upstream patch yet.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-19 09:41:05 UTC
CVE-2009-2855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2855):
  The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
  allows remote attackers to cause a denial of service via a crafted
  auth header with certain comma delimiters that trigger an infinite
  loop of calls to the strcspn function.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-21 15:24:29 UTC
This seems related to an older bug:
http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
Upstream Patch: http://www.squid-cache.org/bugs/attachment.cgi?id=2041
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-08-22 13:00:24 UTC
Fixed in versions squid-2.7.6-r2, squid-3.0.18-r1 and squid-3.1.0.13_beta-r1.

Arch teams, please mark version squid-3.0.18-r1 *and* squid-2.7.6-r2 as stable.
Comment 4 Jeroen Roovers gentoo-dev 2009-08-22 16:57:02 UTC
Stable for HPPA.
Comment 5 nixnut (RETIRED) gentoo-dev 2009-08-23 09:59:23 UTC
ppc stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 12:00:56 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 13:36:05 UTC
alpha/arm/ia64/sparc stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2009-08-27 20:21:14 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-08-31 00:04:39 UTC
ppc64 done
Comment 10 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-02 09:25:01 UTC
GLSA voting: YES
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 21:56:58 UTC
Yes, too. Request filed.
Comment 12 martin holzer 2011-01-17 15:42:30 UTC
Could be closed, no longer in the CVS tree.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:47:56 UTC
This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).