Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 455324 (CVE-2013-7401) - <net-proxy/c-icap-0.2.6: (upstream: <r1018 in trunk) - Denial of Service (CVE-2013-{7401,7402})
Summary: <net-proxy/c-icap-0.2.6: (upstream: <r1018 in trunk) - Denial of Service (CVE...
Status: RESOLVED FIXED
Alias: CVE-2013-7401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.osvdb.org/show/osvdb/89304
Whiteboard: B3 [glsa]
Keywords:
: 455316 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-02-03 17:40 UTC by Petr Berestov
Modified: 2014-09-19 19:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Berestov 2013-02-03 17:40:50 UTC
From $URL:
c-icap Server contains a flaw in the parse_request() function of request.c that may allow a remote denial of service. The issue is triggered when the buffer fails to contain a ' ' or '?' symbol, which will cause the end pointer to increase and surpass allocated memory. With a specially crafted request (e.g. via the OPTIONS method), a remote attacker can cause a loss of availability for the program.
EOF

All versions are vulnerable. Currently, we don't have a official upgrades from the vendor. However, i want propose the patch that corrects this issue:
--- c-icap-0.2.2.orig/request.c	2013-02-03 16:37:43.000000000 +0000
+++ c-icap-02.2/request.c	2012-06-19 12:55:51.000000000 +0000
@@ -267,7 +267,7 @@
                req->req_server[servnamelen] = '\0';
                if (*end == '/') {       /*service */
                     start = ++end;
-                    while (*end != ' ' && *end != '?')
+                    while (*end != '\0' && *end != ' ' && *end != '?')
                          end++;
                     len = end - start;
                     if (len > 0) {
Comment 1 Sean Amoss gentoo-dev Security 2013-02-05 12:43:17 UTC
*** Bug 455316 has been marked as a duplicate of this bug. ***
Comment 2 Sean Amoss gentoo-dev Security 2013-02-05 12:56:56 UTC
Thanks for the report, Petr.
Comment 3 Chris Reffett gentoo-dev Security 2013-10-08 03:23:46 UTC
@maintainers: does the proposed patch seem reasonable?
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-10-08 20:11:44 UTC
Upstream has patched this in line 299 with a slightly more intrusive approach:

http://sourceforge.net/p/c-icap/code/HEAD/tree/c-icap-server/trunk/c-icap/request.c

As \0 leads to false, this includes the behavior from the patch Petr suggests. 

This is _not_ part of their 0.2.6 release:

http://sourceforge.net/p/c-icap/code/HEAD/tree/c-icap-server/tags/c_icap_0_2_6/request.c

So, I have decided to bump to 0.2.6 and backport line 299 from trunk in a patch.

+  08 Oct 2013; Tom Wijsman <TomWij@gentoo.org> +c-icap-0.2.6.ebuild,
+  +files/c-icap-0.2.6-fix-icap-parsing.patch:
+  Version bump to 0.2.6, patch DoS due to patching bug for security bug #455324;
+  removal of forced openrc dependency.

Arch teams: Please stabilize net-proxy/c-icap-0.2.6, target: amd64 x86

Feel free to remove the older versions once stabilization succeeded.

If you can't properly test it (I can't); please wait for flameeyes to do so, or in absence please consider to apply the patch against an earlier version then.
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-09 05:45:25 UTC
amd64 stable
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2013-10-10 04:21:55 UTC
Arches, please test and mark stable:                                                                                                           
=net-proxy/c-icap-0.2.6

Target keywords : "amd64 x86"

Note:
URL Removed from Whiteboard: 
http://sourceforge.net/p/c-icap/code/1018/
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-13 10:32:31 UTC
x86 stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-19 03:01:39 UTC
GLSA Vote: Yes
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2014-07-05 15:20:03 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2014-08-04 19:33:03 UTC
YES too, request filed.
Comment 11 Chris Reffett gentoo-dev Security 2014-08-26 17:31:38 UTC
Maintainer timeout, cleanup done.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-09-19 19:08:24 UTC
This issue was resolved and addressed in
 GLSA 201409-07 at http://security.gentoo.org/glsa/glsa-201409-07.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).