Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <>
Subject: Re: Re: CVE-Request: squid pinger remote DoS


On 16/09/2014 6:56 p.m., wrote:
>> I made a fix for squid 3.4.6 and request a CVE
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
> If there is a security impact, then the patch in Novell Bug 891268 
> would probably correspond to at least three CVE IDs, e.g.,
> 1. "used to index into a string array" possibly corresponds to 
> for the modified 
> default case after case 136, and approximately two other places in
> the patch
> 2. added "if (n <= 0)" code possibly corresponds to 
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation

What could happen worst-case (#1 or #3 on a proxy with logging set to
level 2) is that the pinger can be used to deliver strings from heap
to the Squid parent process cache.log.

With #3 the size is not limited to c-string bytes terminated on first
nil. There it amounts to the difference between the expected payload
and received payload. A negative value in that calculation could
result in a large number of bytes flooding the parent process's log,
slowing the entire service down and/or exhausting log disk space,
which in turn can crash the parent process.

The best case is that some HTTP servers are assigned incorrect RTT
values, which adversely affects latency-based routing logic for all
traffic involving that server IP.
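
Added example, not part of the original message and not Squid's code: a minimal C sketch of the three kinds of check discussed in this thread (a bounded lookup for a wire-supplied type, rejecting a non-positive receive length, and refusing a payload size that would go negative or exceed a cap). All function names, the name table and the sizes used are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample table indexed by ICMP type; not Squid's table. */
static const char *const type_names[] = {
    "Echo Reply", "Unassigned", "Unassigned", "Destination Unreachable"
};
#define N_TYPE_NAMES (sizeof(type_names) / sizeof(type_names[0]))

/* Bounded lookup: a type value taken from the packet never indexes
 * past the end of the table, so no stray heap string reaches the log. */
const char *icmp_type_name(unsigned int type)
{
    return type < N_TYPE_NAMES ? type_names[type] : "Unknown";
}

/*
 * Validate a received reply and compute its payload size.
 *   n           return value of the receive call (may be <= 0)
 *   hdr_len     bytes of IP + ICMP header in front of the echo data
 *   fixed_len   fixed part of the echo data that must be present
 *   max_payload largest payload the caller is willing to log or copy
 * Returns 0 and stores the size in *psize, or -1 to drop the packet.
 */
int reply_payload_size(ssize_t n, size_t hdr_len, size_t fixed_len,
                       size_t max_payload, size_t *psize)
{
    if (n <= 0)
        return -1;                      /* error or empty read */
    if ((size_t)n < hdr_len || (size_t)n - hdr_len < fixed_len)
        return -1;                      /* subtraction would go negative */
    size_t payload = (size_t)n - hdr_len - fixed_len;
    if (payload > max_payload)
        return -1;                      /* larger than anything we expect */
    *psize = payload;
    return 0;
}

int main(void)
{
    size_t p = 0;
    /* Constructed inputs: 28 header bytes, 8 fixed bytes, cap of 64. */
    printf("short packet -> %d\n", reply_payload_size(30, 28, 8, 64, &p));
    printf("valid packet -> %d (psize=%zu)\n",
           reply_payload_size(46, 28, 8, 64, &p), p);
    printf("type 136 -> %s\n", icmp_type_name(136));
    return strcmp(icmp_type_name(136), "Unknown") != 0;
}
```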
