Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 290623 (CVE-2009-3700) - <net-proxy/squidguard-1.4-r4: Security restrictions bypasses (CVE-2009-{3700,3826})
Summary: <net-proxy/squidguard-1.4-r4: Security restrictions bypasses (CVE-2009-{3700,...
Status: RESOLVED FIXED
Alias: CVE-2009-3700
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/37107/
Whiteboard: B4 [noglsa]
Keywords:
: 290981 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-10-26 20:20 UTC by Tobias Heinlein (RETIRED)
Modified: 2009-12-18 08:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 20:20:01 UTC 
From secunia:

DESCRIPTION:
Some security issues have been reported in squidGuard, which can be
exploited by malicious people to bypass certain security
restrictions.

1) A boundary error in sgLog.c can be exploited to put the
application in emergency mode and disable the filter via an overly
long URL containing multiple '/' characters.

2) Two errors in the processing of overly long URLs can be exploited
to bypass the URL filter.

The security issues are reported in versions 1.3 and 1.4. Prior
versions may also be affected.

SOLUTION:
Apply patches.

squidGuard 1.3:
http://www.squidguard.org/Downloads/Patches/1.3/squidGuard-1.3-patch-20091015.tar.gz
http://www.squidguard.org/Downloads/Patches/1.3/squidGuard-1.3-patch-20091019.tar.gz

squidGuard 1.4:
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091015.tar.gz
http://www.squidguard.org/Downloads/Patches/1.4/squidGuard-1.4-patch-20091019.tar.gz

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091015
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091019
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 20:21:47 UTC 
Maintainers, please provide an ebuild that includes the said patches.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-29 14:20:43 UTC 
*** Bug 290981 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-31 19:30:29 UTC 
CVE-2009-3700 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3700):
  Buffer overflow in sgLog.c in squidGuard 1.3 and 1.4 allows remote
  attackers to cause a denial of service (application hang or loss of
  blocking functionality) via a long URL with many / (slash)
  characters, related to "emergency mode."

CVE-2009-3826 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3826):
  Multiple buffer overflows in squidGuard 1.4 allow remote attackers to
  bypass intended URL blocking via a long URL, related to (1) the
  relationship between a certain buffer size in squidGuard and a
  certain buffer size in Squid and (2) a redirect URL that contains
  information about the originally requested URL.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2009-11-28 08:46:57 UTC 
Patch 20091019 was already applied in version 1.4-r3, see vsnprintf.patch.

Second patch has been imported in our tree as upstream-fixes.patch, although the quality of this patch is dubious.

Please mark squid-1.4-r4 as stable.
Comment 5 Markus Meier gentoo-dev 2009-11-30 10:10:00 UTC 
amd64/x86 stable, all arches done.
Comment 6 Markus Meier gentoo-dev 2009-11-30 10:11:23 UTC 
sorry... my script is running insane
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-11-30 17:50:04 UTC 
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-09 18:59:47 UTC 
Stable for PPC.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:04:22 UTC 
GLSA vote: no.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-12-18 08:25:14 UTC 
NO too, closing