Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 476562 (CVE-2013-4115) - <net-proxy/squid-{3.2.12,3.3.7}: "idnsALookup()" DNS Name Handling Buffer Overflow Vulnerability (CVE-2013-4115)
Summary: <net-proxy/squid-{3.2.12,3.3.7}: "idnsALookup()" DNS Name Handling Buffer Ove...
Status: RESOLVED FIXED
Alias: CVE-2013-4115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54076/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-11 18:21 UTC by Agostino Sarubbo
Modified: 2013-09-27 09:52 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-07-11 18:21:04 UTC
From ${URL} :

Description

A vulnerability has been reported in Squid, which can be exploited by malicious users to cause a 
DoS (Denial of Service).

The vulnerability is caused due to an error within the "idnsALookup()" function (dns_internal.cc) 
when handling DNS query generation requests and can be exploited to cause a buffer overflow by 
sending specially crafted HTTP requests.

The vulnerability is reported in versions 3.2 through 3.2.11 and versions 3.3 through 3.3.6.


Solution:
Update to version 3.2.12 or 3.3.7 or apply patch.

Provided and/or discovered by:
The vendor credits Nathan Hoad, Netbox Blue.

Original Advisory:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett gentoo-dev Security 2013-07-11 22:03:43 UTC
The versions with the fixes are already in the tree. @maintainers: please ack a stable.
Comment 2 Eray Aslan gentoo-dev 2013-07-12 05:15:12 UTC
@security:  We can stabilise =net-proxy/squid-3.2.12.  Thank you.
Comment 3 Chris Reffett gentoo-dev Security 2013-07-12 20:41:36 UTC
Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86. Thanks!
Comment 4 Jeroen Roovers gentoo-dev 2013-07-13 01:41:58 UTC
(In reply to Chris Reffett from comment #3)
> Arches, please stabilize =net-proxy/squid-3.2.12, target arches: alpha amd64
> arm hppa ia64 ppc ppc64 sparc x86. Thanks!

Like this please:

Arch teams, please test and mark stable:
=net-proxy/squid-3.2.12
Stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-13 05:55:24 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-13 05:55:35 UTC
x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2013-07-13 12:29:50 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2013-07-13 18:16:43 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-07-13 19:14:56 UTC
ppc64 stable
Comment 10 Eray Aslan gentoo-dev 2013-07-14 08:52:50 UTC
Another security bump in the meantime:
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt

We should stabilize =net-proxy/squid-3.2.13

@security:  Please let me know how you want to proceed (separate bug? continue here?).  Thanks.
Comment 11 Agostino Sarubbo gentoo-dev 2013-07-14 14:19:28 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-07-14 17:36:48 UTC
arm stable
Comment 13 Jeroen Roovers gentoo-dev 2013-07-15 20:51:35 UTC
Continued in bug #476960.
Comment 14 Sergey Popov gentoo-dev 2013-08-24 05:37:07 UTC
GLSA vote: yes
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-29 18:00:29 UTC
CVE-2013-4115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4115):
  Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2
  through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a
  denial of service (memory corruption and server termination) via a long name
  in a DNS lookup request.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2013-09-03 17:21:59 UTC
Added to existing draft.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-09-27 09:52:18 UTC
This issue was resolved and addressed in
 GLSA 201309-22 at http://security.gentoo.org/glsa/glsa-201309-22.xml
by GLSA coordinator Sergey Popov (pinkbyte).