Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <>
Subject: Re: Re: CVE-Request: squid pinger remote DoS


On 16/09/2014 6:56 p.m., wrote:
>> I made a fix for squid 3.4.6 and request a CVE
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
> If there is a security impact, then the patch in Novell Bug 891268 
> would probably correspond to at least three CVE IDs, e.g.,
> 1. "used to index into a string array" possibly corresponds to 
> for the modified 
> default case after case 136, and approximately two other places in
> the patch
> 2. added "if (n <= 0)" code possibly corresponds to 
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation

What could happen worst-case (#1 or #3 on a proxy with logging set to
level 2) is that the pinger can be used to deliver strings from heap
to the Squid parent process cache.log.

With #3 the size is not limited to c-string bytes terminated on first
nil. There it amounts to the difference between the expected payload
and received payload. A negative value in that calculation could
result in a large number of bytes flooding the parent process's log,
slowing the entire service down and/or exhausting log disk space,
which in turn can crash the parent process.

The best case is that some HTTP servers are assigned incorrect RTT
values, which adversely affects latency-based routing logic for all
traffic involving that server IP.
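
The size calculation described for #3, as an added example that is not Squid's code and not the patch from Novell Bug 891268: a payload length derived from a short packet goes negative and becomes a huge byte count unless the read result and sizes are checked first. The function names, the 20 to 60 byte IP header bounds and the `MAX_PAYLOAD` cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_HDR_LEN 8u      /* fixed ICMP echo header size */
#define MAX_PAYLOAD  8192u   /* assumed cap on payload bytes passed on */

/* Unchecked form: a short packet makes the signed difference negative, and
 * converting it to size_t yields a very large byte count. */
size_t unchecked_payload_len(int received, int ip_hdr_len)
{
    int psize = received - ip_hdr_len - (int)ICMP_HDR_LEN;
    return (size_t)psize;
}

/* Checked form: reject failed reads, short packets and oversized payloads
 * before a length is derived. Returns 0 and sets *out on success. */
int checked_payload_len(int received, int ip_hdr_len, size_t *out)
{
    if (received <= 0 || ip_hdr_len < 20 || ip_hdr_len > 60 ||
        (size_t)received < (size_t)ip_hdr_len + ICMP_HDR_LEN)
        return -1;
    size_t psize = (size_t)received - (size_t)ip_hdr_len - ICMP_HDR_LEN;
    if (psize > MAX_PAYLOAD)
        return -1;
    *out = psize;
    return 0;
}

/* Copy at most the validated payload into a bounded, terminated log field. */
size_t copy_for_log(char *dst, size_t dst_len, const uint8_t *pkt,
                    int received, int ip_hdr_len)
{
    size_t psize;
    if (dst_len == 0 || checked_payload_len(received, ip_hdr_len, &psize) != 0)
        return 0;
    if (psize > dst_len - 1)
        psize = dst_len - 1;
    memcpy(dst, pkt + ip_hdr_len + ICMP_HDR_LEN, psize);
    dst[psize] = '\0';
    return psize;
}

int main(void)
{
    uint8_t pkt[32] = {0};   /* constructed reply: 20 IP + 8 ICMP + 4 payload */
    char out[16];
    memcpy(pkt + 28, "ping", 4);
    printf("unchecked, 24-byte packet: %zu\n", unchecked_payload_len(24, 20));
    printf("checked copy: %zu\n", copy_for_log(out, sizeof out, pkt, 32, 20));
}
```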


