Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Oct 2011 23:26:13 +0200
From: Julien Cristau <jcristau@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Juliusz Chroboczek <jch@....jussieu.fr>
Subject: Re: Re: CVE Request -- Polipo -- Assertion failure
 by processing certain HTTP POST / PUT requests

On Fri, Oct  7, 2011 at 10:11:10 -0600, Vincent Danen wrote:

> * [2011-10-06 18:37:01 +0200] Juliusz Chroboczek wrote:
> 
> >>  a denial of service flaw was found in the way Polipo, a lightweight
> >>caching web proxy, processed certain HTTP POST / PUT requests. If
> >>polipo was configured to allow remote client connections and particular
> >>host was allowed to connect to polipo server instance, a remote
> >>attacker could use this flaw to cause denial of service (polipo daemon
> >>abort due to assertion failure) via specially-crafted HTTP POST / PUT
> >>request.
> >
> >Yes, this is a known bug with Polipo 1.0.4 and 1.0.4.1.  I believe that
> >it is fixed in the Git trunk, which is unfortunately not ready to be
> >released (and might never be unless a maintainer is found).
> 
> Do you have a link to the commit, or a commit id?  I can't see anything
> on github that looks relevant or recent.
> 
> We do ship this in Fedora, so it would be nice to have the patch that we
> could apply to what we are already shipping if no releases are
> forthcoming.
> 
git bisect using the PoC from the RH bug suggests that was fixed by
https://gitweb.torproject.org/chrisd/polipo.git/commitdiff/0e2b44af619e46e365971ea52b97457bc0778cd3

Cheers,
Julien

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.