CVE-2009-3305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3305): Polipo 1.0.4, and possibly other versions, allows remote attackers to cause a denial of service (crash) via a request with a Cache-Control header that lacks a value for the max-age field, which triggers a segmentation fault in the httpParseHeaders function in http_parse.c, and possibly other unspecified vectors.
CVE-2009-4413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4413): The httpClientDiscardBody function in client.c in Polipo 0.9.8, 0.9.12, 1.0.4, and possibly other versions, allows remote attackers to cause a denial of service (crash) via a request with a large Content-Length value, which triggers an integer overflow, a signed-to-unsigned conversion error with a negative value, and a segmentation fault.
Let's handle both here.
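Added example, not Polipo's code and not from anyone in this bug: a hardened parse of the two header fields the CVE descriptions above name. Content-Length is accepted only as a non-negative decimal that fits in a long, so no negative or overflowed value can later be converted to an unsigned size (the CVE-2009-4413 class), and a bare "max-age" directive in Cache-Control is reported as invalid instead of being dereferenced as a value (the CVE-2009-3305 input). All function names and the sample header values in the comments are constructed for this illustration.

```c
/* Added illustration, not Polipo's code; function names and sample inputs are constructed. */
#include <ctype.h>
#include <limits.h>
#include <string.h>

enum { HDR_OK = 0, HDR_INVALID = -1, HDR_ABSENT = -2 };

/* Parse a non-negative decimal integer from s[0..len), ignoring surrounding
 * blanks. Rejects an empty value, any non-digit (so "-5" fails) and anything
 * that would overflow a long: the CVE-2009-4413 input class. */
static int parse_nonneg_long(const char *s, size_t len, long *out)
{
    size_t i = 0;
    long n = 0;
    while (i < len && (s[i] == ' ' || s[i] == '\t'))
        i++;
    while (len > i && (s[len - 1] == ' ' || s[len - 1] == '\t'))
        len--;
    if (i == len)
        return HDR_INVALID;             /* empty value, e.g. "max-age=" */
    for (; i < len; i++) {
        int d;
        if (!isdigit((unsigned char)s[i]))
            return HDR_INVALID;
        d = s[i] - '0';
        if (n > (LONG_MAX - d) / 10)
            return HDR_INVALID;         /* n * 10 + d would overflow */
        n = n * 10 + d;
    }
    *out = n;
    return HDR_OK;
}

/* Content-Length: the whole field value must be one non-negative integer. */
int parse_content_length(const char *value, long *out)
{
    return parse_nonneg_long(value, strlen(value), out);
}

/* The conversion the check above guards against: a negative long that reaches
 * a size_t becomes a huge byte count (-1 -> SIZE_MAX). */
size_t unchecked_length_to_size(long n)
{
    return (size_t)n;
}

/* Case-insensitive comparison of s[0..len) against a directive name. */
static int name_is(const char *s, size_t len, const char *lit)
{
    for (; len > 0 && *lit != '\0'; s++, lit++, len--)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*lit))
            return 0;
    return len == 0 && *lit == '\0';
}

/* Cache-Control: walk the comma-separated directives. For max-age store the age
 * and return HDR_OK; return HDR_INVALID if the directive has no value or a bad
 * one (a bare "max-age", the CVE-2009-3305 input); HDR_ABSENT if never present. */
int parse_cache_control_max_age(const char *value, long *out)
{
    const char *p = value;
    while (*p != '\0') {
        const char *start, *eq;
        size_t namelen;
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != ',')
            p++;                        /* [start, p) is one directive */
        eq = memchr(start, '=', (size_t)(p - start));
        namelen = (size_t)((eq != NULL ? eq : p) - start);
        while (namelen > 0 && (start[namelen - 1] == ' ' || start[namelen - 1] == '\t'))
            namelen--;
        if (!name_is(start, namelen, "max-age"))
            continue;                   /* some other directive, skip it */
        if (eq == NULL)
            return HDR_INVALID;         /* "max-age" with no "=value" */
        return parse_nonneg_long(eq + 1, (size_t)(p - (eq + 1)), out);
    }
    return HDR_ABSENT;
}

/* errno-style wrappers: the parsed value, or the negative status code. */
long content_length_of(const char *value)
{
    long n;
    int rc = parse_content_length(value, &n);
    return rc == HDR_OK ? n : rc;
}

long max_age_of(const char *value)
{
    long n;
    int rc = parse_cache_control_max_age(value, &n);
    return rc == HDR_OK ? n : rc;
}
```

Callers check `content_length_of(v) < 0` or `max_age_of(v) < 0` before using the number; the point of the sentinel-free parsers underneath is that a value the proxy cannot represent never reaches a buffer-size or discard-length computation as a negative or wrapped quantity, and a directive with a missing value is a parse error rather than a NULL walk.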
Both security problems are fixed in the latest 1.0.4.1 release. See the attached patch for minor ebuild updates from 1.0.4 to 1.0.4.1.
Created attachment 227355: Ebuild updates for polipo-1.0.4.1
* Update SRC_URI
* Revert keywords to testing
1.0.4.1 is in the tree.

31 January 2010: Polipo 1.0.4.1: Cherry-picked fixes from 1.0.5
* Fixed an integer overflow that may lead to a crash (http://secunia.com/advisories/37607/). Discovered by Jeremy Brown. (CVE-2009-4413)
* Fixed a crash that occurs when a server sends a malformed Cache-Control: header (CVE-2009-3305). Patch from Stefan Fritsch.
* Prevent an infinite loop when a bodyless 204 or 1xx response is encountered.
* Don't crash when we get an error while waiting for 100 continue status.
Arch teams, please test and mark stable: =net-proxy/polipo-1.0.4.1 Target KEYWORDS="amd64 x86"
Thanks, jer. Rerating B3 for DoS.
Builds and runs fine on x86. Please mark stable for x86.
x86 stable, thanks Myckel.
amd64 stable, all arches done.
*** Bug 296334 has been marked as a duplicate of this bug. ***
DOS in app -> closing noglsa. Feel free to reopen if you think otherwise.