Date: Tue, 16 Sep 2014 21:35:15 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-Request: squid pinger remote DoS

On 16/09/2014 6:56 p.m., cve-assign@...re.org wrote:
>> I made a fix for squid 3.4.6 and request a CVE
> 
>> https://bugzilla.novell.com/show_bug.cgi?id=891268
> 
> Regardless of the "what happens to squid itself" answer, is it
> known that the crash has a security impact? This message seemed to
> conclude with an implied request for more information, e.g., "it
> looks like you can," etc. An example of a security impact would be:
> the administrator wanted pinger to be running, and a crash means
> that pinger processes/threads are no longer available, and pinger
> is not automatically restarted.
> 
> If there is a security impact, then the patch in Novell Bug 891268 
> would probably correspond to at least three CVE IDs, e.g.,
> 
> 1. "used to index into a string array" possibly corresponds to 
> http://cwe.mitre.org/data/definitions/129.html for the modified 
> default case after case 136, and approximately two other places in
> the patch
> 
> 2. added "if (n <= 0)" code possibly corresponds to 
> http://cwe.mitre.org/data/definitions/389.html
> 
> 3. added "if (preply.psize) < 0" code apparently corresponds to a
> more general issue with missing data validation
> 

What could happen worst-case (#1 or #3 on a proxy with logging set to
level 2) is that the pinger can be used to deliver strings from the heap
to the Squid parent process's cache.log.

With #3 the size is not limited to C-string bytes terminated on the first
nil. There it amounts to the difference between the expected payload
and the received payload. A negative value in that calculation could
result in a large number of bytes flooding the parent process's log,
slowing the entire service down and/or exhausting log disk space,
which in turn can crash the parent process.


The best case is that some HTTP servers are assigned incorrect RTT
values, which adversely affects latency-based routing logic for all
traffic involving that server IP.

Amos
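To make the two validation points concrete, here is an added C example that is not Squid's pinger code; the type-name table, the function names and the sample sizes are constructed for illustration. It shows a bounded type-name lookup for #1, and for #3 the expected-minus-received length check beside the unchecked computation, so that a negative difference visibly turns into a huge byte count.

```c
#include <stddef.h>
#include <string.h>

/* #1: an ICMP type byte (0..255) used to index a small string array.
 * Illustrative names only (constructed); a real table is far longer, but
 * any type past its end, e.g. 136, reads beyond the array and that memory
 * then lands in cache.log. */
static const char *type_names[] = {
    "echo reply", "unassigned", "unassigned", "destination unreachable"
};
#define N_TYPE_NAMES (sizeof type_names / sizeof type_names[0])

/* Bounded lookup: every value outside the table maps to a fixed string. */
const char *type_name_checked(int type)
{
    if (type < 0 || (size_t)type >= N_TYPE_NAMES)
        return "unknown";
    return type_names[type];
}

/* #3: expected minus received payload bytes, handed to the logger as a
 * count. Unvalidated: a negative difference converted to size_t becomes
 * a huge count, so the logger copies far past the payload into the
 * parent's cache.log (the flooding/disk-exhaustion case). */
size_t log_count_unchecked(int expected, int received)
{
    int delta = expected - received;
    return (size_t)delta;   /* 64 - 100 = -36 wraps to SIZE_MAX - 35 */
}

/* Validated: reject negative or over-long differences before any copy.
 * Returns the byte count to log, or -1 when the reply must be dropped. */
long log_count_checked(int expected, int received, size_t bufcap)
{
    if (expected < 0 || received < 0 || received > expected)
        return -1;          /* short, garbled or oversized reply: discard */
    if ((size_t)(expected - received) > bufcap)
        return -1;          /* never log more than the buffer holds */
    return expected - received;
}
```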
