Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 381065 (CVE-2011-3205) - <net-proxy/squid-3.1.15 Buffer Overflow Vulnerability (CVE-2011-3205)
Summary: <net-proxy/squid-3.1.15 Buffer Overflow Vulnerability (CVE-2011-3205)
Status: RESOLVED FIXED
Alias: CVE-2011-3205
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45805/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-29 14:34 UTC by Agostino Sarubbo
Modified: 2011-10-26 20:48 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-29 14:34:32 UTC
From secunia security advisor at $URL:

Description:
The vulnerability is caused due to a boundary error when processing Gopher responses and can be exploited to cause a buffer overflow via an overly long string.
Successful exploitation may allow execution of arbitrary code.

Solution:
Update to version 3.0.STABLE26 or 3.1.15.
Comment 1 Agostino Sarubbo gentoo-dev 2011-08-29 22:24:03 UTC
all member of net-proxy herd are away atm.
I want CC Eray; he is the committers of last version[1] available in tree, so, probably he wants take care of this bump.


[1]:
29 Apr 2011; Eray Aslan <eras@gentoo.org> +squid-3.1.12.ebuild,
+files/squid-3.1.12-gentoo.patch:
Non-maintainer version bump - bug #362049
Comment 2 Eray Aslan gentoo-dev 2011-08-31 08:11:46 UTC
+*squid-3.1.15 (31 Aug 2011)
+
+  31 Aug 2011; Eray Aslan <eras@gentoo.org> +squid-3.1.15.ebuild,
+  +files/squid-3.1.15-gentoo.patch:
+  version bump - security bug #381065
+
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-31 08:44:43 UTC
Great, thanks Eray for your extra-works ;)

arches, please test and mark stable : 

=net-proxy/squid-3.1.15

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-09-01 08:20:49 UTC
amd64 ok
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-09-01 10:43:58 UTC
AMD64;

ditto Ago
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-09-01 14:21:54 UTC
+  01 Sep 2011; Tony Vroon <chainsaw@gentoo.org> squid-3.1.15.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #381065.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-03 05:55:26 UTC
Stable for HPPA.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-03 08:50:15 UTC
ppc/ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-09-03 13:29:47 UTC
alpha/arm/ia64/sparc/x86 stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-09-04 00:26:48 UTC
Thanks, folks. Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:48:06 UTC
CVE-2011-3205 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3205):
  Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher
  reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2
  before 3.2.0.11 allows remote Gopher servers to cause a denial of service
  (memory corruption and daemon restart) or possibly have unspecified other
  impact via a long line in a response.  NOTE: This issue exists because of a
  CVE-2005-0094 regression.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-26 20:48:13 UTC
This issue was resolved and addressed in
 GLSA 201110-24 at http://security.gentoo.org/glsa/glsa-201110-24.xml
by GLSA coordinator Tim Sammut (underling).