Bug 428778 (CVE-2012-3501) - <net-proxy/squidclamav-6.8 : URL Parsing Denial of Service Vulnerability (CVE-2012-3501)
Status: RESOLVED FIXED
Alias: CVE-2012-3501
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/49057/
Whiteboard: B3 [glsa]
Reported: 2012-07-31 09:07 UTC by Agostino Sarubbo
Modified: 2012-09-25 00:12 UTC

Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2012-07-31 09:07:23 UTC
Description
A vulnerability has been reported in SquidClamav, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by an error when parsing a URL, which may result in unescaped URLs being passed to the system command call. This can be exploited to cause the daemon to crash via specially crafted characters (e.g. %0D or %0A).

The vulnerability is reported in versions prior to 5.8 and 6.7.


Solution
Update to version 5.8 or 6.7.
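The description above attributes the crash to an unescaped URL reaching a system command call. The C below is an added illustration of the defensive pattern, not squidclamav's code and not the fix shipped in 5.8/6.7 (which this bug does not describe): percent-decode the URL, reject control bytes such as %0D/%0A and shell metacharacters, and pass the URL to a subprocess as one argv element rather than as part of a shell string. All function names are assumed.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst (dstlen bytes). Returns 0 on success,
 * -1 on a malformed escape (e.g. "%ZZ") or when dst is too small. */
int url_percent_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i]; i++) {
        if (o + 1 >= dstlen) return -1;
        if (src[i] == '%') {
            int hi = hexval(src[i + 1]);
            int lo = hi < 0 ? -1 : hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            dst[o++] = (char)(hi * 16 + lo);
            i += 2;               /* skip the two hex digits */
        } else {
            dst[o++] = src[i];
        }
    }
    dst[o] = '\0';
    return 0;
}

/* Returns 1 if the *decoded* URL contains no control bytes (CR, LF, NUL,
 * ESC, DEL...) and no shell metacharacters, else 0. Checking the decoded
 * form matters: "%0D" only becomes a carriage return after decoding. */
int url_is_safe_argument(const char *url) {
    static const char meta[] = "`$|;&<>(){}*?!\"'\\";
    char buf[1024];                 /* over-long URLs are rejected too */
    if (url_percent_decode(url, buf, sizeof buf) != 0) return 0;
    for (const unsigned char *p = (const unsigned char *)buf; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) return 0;
        if (strchr(meta, *p)) return 0;
    }
    return 1;
}

/* Build an argv vector for execvp(): the URL is a single argument that
 * /bin/sh never interprets, unlike system("scanner " + url). Returns the
 * argument count, or -1 if the URL fails validation or argv is too small. */
int build_scanner_argv(const char *scanner, const char *url, char *argv[], int max) {
    if (max < 3 || !url_is_safe_argument(url)) return -1;
    argv[0] = (char *)scanner; argv[1] = (char *)url; argv[2] = NULL;
    return 2;
}
```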
Comment 1 Agostino Sarubbo gentoo-dev 2012-07-31 09:07:46 UTC
OK to stabilize 6.8?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-07-31 13:52:44 UTC
Ok for me.
Comment 3 Agostino Sarubbo gentoo-dev 2012-07-31 14:24:36 UTC
Arches, please test and mark stable:
=net-proxy/squidclamav-6.8
Target KEYWORDS : "amd64 x86"
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-08-01 07:07:37 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-08-01 09:46:56 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-01 09:48:29 UTC
security, please vote.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-08-14 15:48:34 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-14 16:12:50 UTC
YES too, request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-09-05 11:54:20 UTC
CVE-2012-3501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3501):
  The squidclamav_check_preview_handler function in squidclamav.c in
  SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a
  system command call, which allows remote attackers to cause a denial of
  service (daemon crash) via a URL with certain characters, as demonstrated
  using %0D or %0A.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-25 00:12:35 UTC
This issue was resolved and addressed in
 GLSA 201209-08 at http://security.gentoo.org/glsa/glsa-201209-08.xml
by GLSA coordinator Sean Amoss (ackle).