Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 53367 - net-www/squid - Cache NTLM Authentication Helper Buffer Overflow Vulnerability
Summary: net-www/squid - Cache NTLM Authentication Helper Buffer Overflow Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: C1 [glsa]
Depends on:
Reported: 2004-06-08 17:50 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
jaervosz: Assigned_To? (jaervosz)


Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-06-08 17:50:21 UTC
Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in


iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-06-09 01:49:36 UTC
I think the default is not to use NTLM auth cache helper so I rated this as C1 rather than B1.

Andrew: could you apply the patch provided at :
and bump to 2.5.5-r2 ?

Please also confirm if default configuration files shipped in Gentoo enable the NTLM auth cache helper or not...

Thanks !
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-06-09 07:11:12 UTC
Right, it's compiled in, but not enabled by default.
Comment 3 Andrew Bevitt 2004-06-11 07:12:10 UTC
OK fix now just gone into CVS...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-11 10:07:14 UTC
x86 ppc sparc alpha hppa ia64: please mark stable
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-06-11 21:55:38 UTC
Stable on alpha.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2004-06-12 10:27:47 UTC
Stable on hppa.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-06-12 16:21:40 UTC
Stable on sparc.
Comment 8 Brandon Hale (RETIRED) gentoo-dev 2004-06-15 19:11:37 UTC
Stable on x86.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-06-16 05:40:01 UTC
GLSA drafted: security please review

ppc please mark stable

Please remove old unneeded versions from portage.

ia64 also remember to mark stable.
Comment 10 Daniel Ostrow (RETIRED) gentoo-dev 2004-06-16 13:00:09 UTC
Stable on ppc.
Comment 11 Andrew Bevitt 2004-06-17 02:33:32 UTC
waiting for ia64 to mark stable
Comment 12 Kurt Lieber (RETIRED) gentoo-dev 2004-06-17 05:16:07 UTC
glsa 200406-13