Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 301828 (CVE-2010-0308) - <net-proxy/squid-3.1.6-r1 DoS (CVE-2010-{0308,0639})
Summary: <net-proxy/squid-3.1.6-r1 DoS (CVE-2010-{0308,0639})
Status: RESOLVED FIXED
Alias: CVE-2010-0308
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.squid-cache.org/Versions/v...
Whiteboard: B3 [glsa]
Keywords:
: 304751 311653 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-01-22 11:45 UTC by Clemente Aguiar
Modified: 2011-10-26 20:47 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Updated -gentoo patch, with fix for broken hunk (squid-3.0.25-gentoo.patch,13.55 KB, patch)
2010-03-24 23:36 UTC, Brian De Wolf
no flags Details | Diff
Updated cross-compile patch for offset changes (squid-3.0.25-cross-compile.patch,1.35 KB, patch)
2010-03-24 23:38 UTC, Brian De Wolf
no flags Details | Diff
Updated libmd5 patch for offset changes (squid-3.0.25-libmd5.patch,631 bytes, patch)
2010-03-24 23:39 UTC, Brian De Wolf
no flags Details | Diff
Updated adapted-zph patch for offset changes (squid-3.0.25-adapted-zph.patch,6.87 KB, patch)
2010-03-24 23:39 UTC, Brian De Wolf
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Clemente Aguiar 2010-01-22 11:45:15 UTC
Squid version 3.0 STABLE21 is out.

Reproducible: Always
Comment 1 Clemente Aguiar 2010-02-01 10:29:00 UTC
Actually version 3.0 STABLE22 is already out.

There is a security issue with previous version:
http://www.squid-cache.org/Advisories/SQUID-2010_1.txt
Comment 2 Krzysztof Olędzki 2010-02-02 18:17:15 UTC
The 2.7 branch also needs to be fixed and currently there is no new release available. Hopefully, there is a patch that can be added to a new ebuild:
 http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
Comment 3 Clemente Aguiar 2010-02-03 08:26:57 UTC
Squid-3.0.STABLE23 has been released.

This is a correction on 3.0.STABLE22 which has now been withdrawn from 
circulation.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-08 14:53:32 UTC
net-proxy: Can this go stable?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-08 15:01:05 UTC
Forget my last post.

net-proxy: please provide updated ebuilds. 
Comment 6 Paul B. Henson 2010-03-04 19:41:06 UTC
Any ETA on a new ebuild to resolve this security issue?

Thanks...
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-05 13:10:38 UTC
CVE-2010-0308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0308):
  lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through
  3.1.0.15 allows remote attackers to cause a denial of service
  (assertion failure) via a crafted DNS packet that only contains a
  header.

CVE-2010-0639 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0639):
  The htcpHandleTstRequest function in htcp.c in Squid 2.x and 3.0
  through 3.0.STABLE23 allows remote attackers to cause a denial of
  service (crash) via crafted packets to the HTCP port, which triggers
  a NULL pointer dereference.

Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-05 13:16:14 UTC
net-proxy: ping!
Comment 9 Paul B. Henson 2010-03-16 01:00:33 UTC
Squid 3.0.STABLE25 has been released...
Comment 10 Krzysztof Olędzki 2010-03-16 01:56:48 UTC
(In reply to comment #9)
> Squid 3.0.STABLE25 has been released...
> 

And 2.7.STABLE8!
Comment 11 Brian De Wolf 2010-03-24 23:04:19 UTC
I took a shot at making an ebuild for 3.0.25.  It looks fairly simple, renaming squid-3.0.20-r1.ebuild works, squid-3.0.20-gentoo.patch has one hunk that fails (it removes -Werror from a line and the line around the -Werror changed), and the other patches (squid-3.0.20-cross-compile.patch, squid-3.0.20-libmd5.patch, and squid-3.0.20-adapted-zph.patch) appear to apply with offsets.

After the -gentoo patch is fixed, it compiles and installs fine.  I have yet to place it in a test environment.  Let me know if I should attach the updated patches to this ticket.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-24 23:20:58 UTC
Sure, that would be nice - I think the net-proxy herd will appreciate it.
If you could test them - even better. :)
Comment 13 Brian De Wolf 2010-03-24 23:36:13 UTC
Created attachment 225165 [details, diff]
Updated -gentoo patch, with fix for broken hunk
Comment 14 Brian De Wolf 2010-03-24 23:38:41 UTC
Created attachment 225167 [details, diff]
Updated cross-compile patch for offset changes
Comment 15 Brian De Wolf 2010-03-24 23:39:23 UTC
Created attachment 225169 [details, diff]
Updated libmd5 patch for offset changes
Comment 16 Brian De Wolf 2010-03-24 23:39:46 UTC
Created attachment 225171 [details, diff]
Updated adapted-zph patch for offset changes
Comment 17 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-03-28 10:31:11 UTC
*** Bug 311653 has been marked as a duplicate of this bug. ***
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:14:26 UTC
@net-proxy: Can someone bump?

FYI: 
3.0.25 is out, but now considered "old".
Squid 3.1.1 is out and "new stable".

Maybe bumping to the 3.1 tree is prefered?!
Comment 19 Alin Năstac (RETIRED) gentoo-dev 2010-08-07 06:45:45 UTC
squid-2.7.9 and squid-3.1.6 were added to the tree.
Arch teams, please stabilize both versions.
Comment 20 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-07 17:55:47 UTC
(In reply to comment #19)
> squid-2.7.9 and squid-3.1.6 were added to the tree.
> Arch teams, please stabilize both versions.

both x86 stable
Comment 21 Markos Chandras (RETIRED) gentoo-dev 2010-08-08 12:00:12 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > squid-2.7.9 and squid-3.1.6 were added to the tree.
> > Arch teams, please stabilize both versions.
> 
> both x86 stable
> 
You missed net-libs/libecap

  net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0) ['net-libs/libecap']

leading to broken deptree


amd64 done
Comment 22 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-08 14:16:16 UTC
(In reply to comment #21)
> You missed net-libs/libecap
> 
>   net-proxy/squid/squid-3.1.6.ebuild: x86(default/linux/x86/10.0)
> ['net-libs/libecap']
> 
> leading to broken deptree

Fixed now, sorry. Not sure why my repoman didn't complain.
Comment 23 Jeroen Roovers gentoo-dev 2010-08-09 04:34:34 UTC
Stable for HPPA.
Comment 24 Jeroen Roovers gentoo-dev 2010-08-09 17:51:15 UTC
Stable for PPC.
Comment 25 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 14:55:55 UTC
*** Bug 304751 has been marked as a duplicate of this bug. ***
Comment 26 Alin Năstac (RETIRED) gentoo-dev 2010-08-12 06:31:58 UTC
I had to add a new patch to fix bug 331965.
Please resume stabilization process on net-proxy/squid-3.1.6-r1.
Comment 27 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-30 11:12:51 UTC
Explicit request:

Arches, please test and mark stable:
=net-proxy/squid-3.1.6-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Already stabled : "amd64 hppa ppc x86"
Missing keywords: "alpha arm ia64 ppc64 sparc"
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 14:45:56 UTC
alpha/arm/ia64/sparc stable
Comment 29 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:20:16 UTC
ppc64 done
Comment 30 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:24:29 UTC
ppc64 done
Comment 31 Alin Năstac (RETIRED) gentoo-dev 2010-09-23 21:27:14 UTC
@ppc64 team: You forgot to stabilize squid-2.7.9. 
Comment 32 Brent Baude (RETIRED) gentoo-dev 2010-10-01 14:54:34 UTC
ppc64 done
Comment 33 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 18:43:00 UTC
GLSA Vote: Yes, remote DoS from potentially unauthenticated attackers.
Comment 34 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:51:55 UTC
YES, too. GLSA with #334263 
Comment 35 martin holzer 2011-01-17 15:43:11 UTC
could be closed, not more in cvs tree
Comment 36 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:47:59 UTC
This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).