Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-Request: squid pinger remote DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/09/2014 6:56 p.m., cve-assign@...re.org wrote:
>> I made a fix for squid 3.4.6 and request a CVE
> 
>> https://bugzilla.novell.com/show_bug.cgi?id=891268
> 
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
> 
> If there is a security impact, then the patch in Novell Bug 891268 
> would probably correspond to at least three CVE IDs, e.g.,
> 
> 1. "used to index into a string array" possibly corresponds to 
> http://cwe.mitre.org/data/definitions/129.html for the modified 
> default case after case 136, and approximately two other places in
> the patch
> 
> 2. added "if (n <= 0)" code possibly corresponds to 
> http://cwe.mitre.org/data/definitions/389.html
> 
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation
> 

What could happen worst-case (#1 or #3 on a proxy with logging set to
level 2) is that the pinger can be used to deliver strings from heap
to the Squid parent process cache.log.

With #3 the size is not limited to c-string bytes terminated on first
nil. There it amounts to the difference between the expected payload
and received payload. A negative value in that calculation could
result in a large number of bytes flooding the parent process's log,
slowing the entire service down and/or exhausting log disk space,
which in turn can crash the parent process.

The best case is that some HTTP servers are assigned incorrect RTT
values, which adversely affects latency-based routing logic for all
traffic involving that server IP.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUGARSAAoJELJo5wb/XPRj52QH/A1y8EHZvXYYReaeToydtZa7
0vlbEMnDxBaVr4vNEp3Sf9UThZ/FUPYUjmMrBLCKyZ7wMJQPYWaf0HRdc9Qo6yau
8uja0tzjzwYNrVbZ5kb83xlEbLnviytQZv3aTljbVRN7Ys1bOqhjSsUVv8mf2syS
YGIzTktVgUX+k/eXXH4WoBEPhtlJvaAsnpyTL8RmtgBsVIvF/HltK/kSgFdS9t8O
rWUbTdlsBHKH3QBLYVvk3opdPCByJ79kiu+c3TjKgbJyFxfktIqrWQgQPUh9kO1K
o9mjhIrFwUSlpUmIzoFHAzqHWtBJnYBHfD/tZF3Iv9QjFQ5YqZUCT9MPdjA0ZP8=
=frFw
-----END PGP SIGNATURE-----
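The three items in the CVE-assignment summary quoted above (a wire-supplied value used as an array index, the missing `n <= 0` check, and a `psize` that can go negative) are easy to see side by side in a few lines of C. The block below is an added illustration written for this page, not Squid's pinger code: the `struct reply` layout, the type-name table, the 8-byte header length and the 16-byte log cap are all assumptions made for the example. It keeps the unguarded size arithmetic next to the guarded version so the negative value the thread describes is visible on a constructed truncated datagram.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name table (an assumption, not Squid's): the ICMP type byte
 * taken from the wire selects an entry, so it must be range-checked first. */
static const char *const icmp_type_names[] = {
    "echo reply", "type 1", "type 2", "destination unreachable",
    "source quench", "redirect", "type 6", "type 7", "echo request"
};
#define ICMP_TYPE_COUNT (sizeof icmp_type_names / sizeof icmp_type_names[0])

/* Bounded lookup: an out-of-range type yields a fixed label instead of
 * reading past the array (the "used to index into a string array" item). */
const char *icmp_type_name(int type)
{
    if (type < 0 || (size_t)type >= ICMP_TYPE_COUNT)
        return "unknown";
    return icmp_type_names[type];
}

/* Hypothetical reply record as a pinger might hold it after a raw read. */
struct reply {
    int type;                   /* ICMP type byte copied from the header */
    int n;                      /* byte count the read call returned */
    int hdr_len;                /* header bytes that precede the payload */
    const unsigned char *data;  /* the whole datagram */
};

/* Unguarded arithmetic: payload size is "bytes read minus header". A short
 * datagram makes this negative, and a negative int handed to a size_t
 * length parameter wraps to a huge value. */
int raw_payload_size(const struct reply *r)
{
    return r->n - r->hdr_len;
}

/* Guarded arithmetic: reject empty reads ("if (n <= 0)") and negative
 * results ("if (psize < 0)"); callers get -1 for anything inconsistent. */
int checked_payload_size(const struct reply *r)
{
    if (r->n <= 0 || r->hdr_len < 0)
        return -1;
    int psize = r->n - r->hdr_len;
    if (psize < 0)
        return -1;
    return psize;
}

/* Build one diagnostic line. Returns the number of payload bytes echoed
 * (capped at 16 so one reply cannot flood the log) or -1 if rejected. */
int format_log_line(const struct reply *r, char *out, size_t out_len)
{
    int psize = checked_payload_size(r);
    if (psize < 0) {
        snprintf(out, out_len, "pinger: dropped malformed reply (n=%d)", r->n);
        return -1;
    }
    size_t show = (size_t)psize < 16 ? (size_t)psize : 16;
    int rc = snprintf(out, out_len, "pinger: %s psize=%d payload=%.*s",
                      icmp_type_name(r->type), psize, (int)show,
                      (const char *)r->data + r->hdr_len);
    return rc < 0 ? -1 : (int)show;
}

/* Constructed sample datagram: 8 header bytes, then a 13-byte payload. */
static const unsigned char sample_dgram[] = "HEADER--payload-bytes";
static const struct reply sample_ok = { 0, (int)sizeof sample_dgram - 1, 8, sample_dgram };
/* Constructed truncated reply: only 4 bytes arrived, fewer than the header. */
static const struct reply sample_truncated = { 200, 4, 8, sample_dgram };

/* Convenience wrapper so the formatting result can be checked directly. */
int log_line_result(const struct reply *r)
{
    char line[128];
    return format_log_line(r, line, sizeof line);
}

int main(void)
{
    char line[128];
    printf("unguarded size of truncated reply: %d\n",
           raw_payload_size(&sample_truncated));
    format_log_line(&sample_ok, line, sizeof line);
    puts(line);
    format_log_line(&sample_truncated, line, sizeof line);
    puts(line);
    return 0;
}
```

Run as-is, `raw_payload_size` reports -4 for the truncated sample, which is the value that becomes an enormous length once it is passed to a copy or format routine expecting `size_t`; `checked_payload_size` rejects the same reply before any length is derived from it, and the log cap keeps even a well-formed reply from contributing more than a bounded number of bytes per line.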
