Date: Tue, 16 Sep 2014 21:35:15 +1200 From: Amos Jeffries <squid3@...enet.co.nz> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE-Request: squid pinger remote DoS -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 16/09/2014 6:56 p.m., cve-assign@...re.org wrote: >> I made a fix for squid 3.4.6 and request a CVE > >> https://bugzilla.novell.com/show_bug.cgi?id=891268 > > Regardless of the "what happens to squid itself" answer, is it > known that the crash has a security impact? This message seemed to > conclude with an implied request for more information, e.g., "it > looks like you can," etc. An example of a security impact would be: > the administrator wanted pinger to be running, and a crash means > that pinger processes/threads are no longer available, and pinger > is not automatically restarted. > > If there is a security impact, then the patch in Novell Bug 891268 > would probably correspond to at least three CVE IDs, e.g., > > 1. "used to index into a string array" possibly corresponds to > http://cwe.mitre.org/data/definitions/129.html for the modified > default case after case 136, and approximately two other places in > the patch > > 2. added "if (n <= 0)" code possibly corresponds to > http://cwe.mitre.org/data/definitions/389.html > > 3. added "if (preply.psize) < 0" code apparently corresponds to a > more general issue with missing data validation > What could happen worst-case (#1 or #3 on a proxy with logging set to level 2) is that the pinger can be used to deliver strings from heap to the Squid parent process cache.log. With #3 the size is not limited to c-string bytes terminated on first nil. There it amounts to the difference between the expected payload and received payload. A negative value in that calculation could result in a large number of bytes flooding the parent processes log, slowing the entire service down and/or exhausting log disk space, which in turn can crash the parent process. The best-case being that some HTTP servers are assigned incorrect RTT values. Which adversely affects latency based routing logics for all traffic involving that server IP. Amos -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQEcBAEBAgAGBQJUGARSAAoJELJo5wb/XPRj52QH/A1y8EHZvXYYReaeToydtZa7 0vlbEMnDxBaVr4vNEp3Sf9UThZ/FUPYUjmMrBLCKyZ7wMJQPYWaf0HRdc9Qo6yau 8uja0tzjzwYNrVbZ5kb83xlEbLnviytQZv3aTljbVRN7Ys1bOqhjSsUVv8mf2syS YGIzTktVgUX+k/eXXH4WoBEPhtlJvaAsnpyTL8RmtgBsVIvF/HltK/kSgFdS9t8O rWUbTdlsBHKH3QBLYVvk3opdPCByJ79kiu+c3TjKgbJyFxfktIqrWQgQPUh9kO1K o9mjhIrFwUSlpUmIzoFHAzqHWtBJnYBHfD/tZF3Iv9QjFQ5YqZUCT9MPdjA0ZP8= =frFw -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.