Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-Request: squid pinger remote DoS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16/09/2014 6:56 p.m., cve-assign@...re.org wrote:
>> I made a fix for squid 3.4.6 and request a CVE
>
>> https://bugzilla.novell.com/show_bug.cgi?id=891268
>
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
>
> If there is a security impact, then the patch in Novell Bug 891268
> would probably correspond to at least three CVE IDs, e.g.,
>
> 1. "used to index into a string array" possibly corresponds to
> http://cwe.mitre.org/data/definitions/129.html for the modified
> default case after case 136, and approximately two other places in
> the patch
>
> 2. added "if (n <= 0)" code possibly corresponds to
> http://cwe.mitre.org/data/definitions/389.html
>
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation
>

What could happen worst-case (#1 or #3 on a proxy with logging set to level 2) is that the pinger can be used to deliver strings from heap to the Squid parent process cache.log. With #3 the size is not limited to c-string bytes terminated on the first nil. There it amounts to the difference between the expected payload and the received payload. A negative value in that calculation could result in a large number of bytes flooding the parent process's log, slowing the entire service down and/or exhausting log disk space, which in turn can crash the parent process.

The best case is that some HTTP servers are assigned incorrect RTT values, which adversely affects latency-based routing logic for all traffic involving that server IP.

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUGARSAAoJELJo5wb/XPRj52QH/A1y8EHZvXYYReaeToydtZa7
0vlbEMnDxBaVr4vNEp3Sf9UThZ/FUPYUjmMrBLCKyZ7wMJQPYWaf0HRdc9Qo6yau
8uja0tzjzwYNrVbZ5kb83xlEbLnviytQZv3aTljbVRN7Ys1bOqhjSsUVv8mf2syS
YGIzTktVgUX+k/eXXH4WoBEPhtlJvaAsnpyTL8RmtgBsVIvF/HltK/kSgFdS9t8O
rWUbTdlsBHKH3QBLYVvk3opdPCByJ79kiu+c3TjKgbJyFxfktIqrWQgQPUh9kO1K
o9mjhIrFwUSlpUmIzoFHAzqHWtBJnYBHfD/tZF3Iv9QjFQ5YqZUCT9MPdjA0ZP8=
=frFw
-----END PGP SIGNATURE-----
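The three validation gaps the thread enumerates (an unchecked wire byte used as an array index, an unchecked recv() result used as a length, and a "received minus expected" payload size that can go negative) are generic enough to model outside Squid. The code below is an added example written for this page; it is not Squid's pinger source and not the Novell patch. The header length, the type-name table, the field names and the "expected payload length" are assumptions chosen to illustrate the checks, and the sample values in main() are constructed.

```c
/* Added example: minimal model of the pinger reply-validation gaps discussed
 * above. Not Squid code; layout, names and limits are assumptions.
 * Build: cc -std=c99 -Wall example.c -o example */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ICMP_HDR_LEN 8     /* type, code, checksum, id, seq (assumed model) */
#define ICMP_TYPE_MAX 18   /* assumed size of the type-name table */

/* Assumed name table; unlisted types stay NULL and must never be printed. */
static const char *const icmp_type_names[ICMP_TYPE_MAX + 1] = {
    [0] = "Echo Reply",          [3] = "Destination Unreachable",
    [4] = "Source Quench",       [5] = "Redirect",
    [8] = "Echo",                [11] = "Time Exceeded",
    [12] = "Parameter Problem",  [13] = "Timestamp",
    [14] = "Timestamp Reply",    [15] = "Information Request",
    [16] = "Information Reply",  [17] = "Address Mask Request",
    [18] = "Address Mask Reply",
};

/* Gap #1 (CWE-129): a one-byte ICMP type from the wire used as an index.
 * Any out-of-range or unnamed value maps to a fixed string, so the log
 * never receives a pointer read from beyond the table. */
const char *icmp_type_name(int type)
{
    if (type < 0 || type > ICMP_TYPE_MAX || icmp_type_names[type] == NULL)
        return "Unknown";
    return icmp_type_names[type];
}

/* Gap #2 (CWE-389): the recv() result checked before it becomes a length.
 * Returns payload bytes after the header, or -1 for an error return, an
 * empty datagram, a truncated header, or a count larger than the buffer. */
int payload_size(int n, size_t buflen)
{
    if (n <= 0)
        return -1;
    if ((size_t)n < ICMP_HDR_LEN || (size_t)n > buflen)
        return -1;
    return n - ICMP_HDR_LEN;
}

/* Gap #3: "received - expected" is negative when the datagram is shorter
 * than the reply advertises. Rejecting that case keeps a negative count
 * from reaching a size_t consumer (see negative_as_size_t). Returns the
 * number of extra bytes that may be copied to the log, or -1 to drop. */
int loggable_payload(int received_psize, int expected_psize)
{
    if (received_psize < 0 || expected_psize < 0)
        return -1;
    int extra = received_psize - expected_psize;
    if (extra < 0)
        return -1;
    return extra;
}

/* Demonstrates why the sign check matters: the unchecked negative value
 * reinterpreted as the unsigned length a memcpy()/write() would use. */
size_t negative_as_size_t(int v)
{
    return (size_t)v;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    printf("type 0x2a -> %s\n", icmp_type_name(0x2a));
    printf("recv returned 5 -> psize %d\n", payload_size(5, 1500));
    printf("received 12, expected 56 -> %d\n", loggable_payload(12, 56));
    printf("-44 as size_t -> %zu\n", negative_as_size_t(-44));
    return 0;
}
```

The same discipline applies at every point where a value parsed from the ICMP reply chooses a log string or a byte count: validate the sign and range first, and fall back to a fixed string or drop the reply rather than pass the raw value on.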