Bug 1148832 (CVE-2014-7142)

Summary: CVE-2014-7142 squid: pinger incorrect input validation flaw in handling of ICMP replies (SQUID-2014:4)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: henrik, jonathansteffan, mluscon, psimerda, thozza
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-02 13:30:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1139719

Description Vincent Danen 2014-10-02 13:28:51 UTC
Another flaw was reported in the Squid pinger program due to incorrect input validation. This could be used to cause a Denial of Service or information leak when the pinger program processes ICMP or ICMPv6 packets.

While this problem exists in the source code of squid packages as shipped with Red Hat Enterprise Linux 6 and 7, as well as current Fedora releases, the program itself is not built.


Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".


External References:

http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

Comment 1 Tomas Hoger 2014-10-06 21:24:31 UTC
Upstream commit:

http://bazaar.launchpad.net/~squid/squid/trunk/revision/13583

The above commit fixes both CVE-2014-7141 and CVE-2014-7142.

The CVE-2014-7142 issue is an integer underflow when computing the size of the ICMP reply data. This leads to an attempt to copy a large amount of data, which should trigger a pinger process crash. Unlike CVE-2014-7141, this issue only existed in ICMP(v4) handling; the ICMPv6 code previously had a similar check.
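The class of bug described in the comment above (a reply-data size derived by subtracting a header length from a received packet length, without first checking that the packet is at least that long) is illustrated below as an added example. This is not squid's pinger code and not taken from the linked advisory or commit; the 8-byte header length and 64-byte payload cap are constructed constants, and the packets are constructed test input. The unchecked function returns the wrapped size so the underflow is visible without performing the oversized copy; the checked path validates the length before any subtraction or memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants for illustration only; they are not squid's definitions. */
#define ICMP_HDR_LEN 8   /* type, code, checksum, identifier, sequence */
#define MAX_PAYLOAD 64   /* fixed-size destination buffer for reply data */

/* Vulnerable pattern: the reply-data size is computed as pkt_len - header
 * without first checking pkt_len >= header. For an unsigned type a 7-byte
 * packet yields 7 - 8, which wraps to SIZE_MAX, so a following copy of
 * that many bytes runs far past the packet and crashes the process. */
size_t payload_len_unchecked(size_t pkt_len) {
    return pkt_len - ICMP_HDR_LEN;
}

/* Hardened pattern: reject packets shorter than a header before subtracting,
 * and cap the result at the destination buffer size. Returns 0 on success
 * and -1 for a malformed or oversized packet. */
int payload_len_checked(size_t pkt_len, size_t *out) {
    if (pkt_len < ICMP_HDR_LEN) {
        return -1;                     /* truncated: no reply data at all */
    }
    size_t n = pkt_len - ICMP_HDR_LEN; /* cannot underflow after the check */
    if (n > MAX_PAYLOAD) {
        return -1;                     /* would overflow the destination */
    }
    *out = n;
    return 0;
}

/* Processes one received datagram: copies the reply data into payload_out
 * (at least MAX_PAYLOAD bytes) only after the length check passes.
 * Returns the number of payload bytes copied, or -1 if the packet is rejected. */
int handle_reply(const unsigned char *pkt, size_t pkt_len, unsigned char *payload_out) {
    size_t n = 0;
    if (payload_len_checked(pkt_len, &n) != 0) {
        return -1;
    }
    memcpy(payload_out, pkt + ICMP_HDR_LEN, n);
    return (int)n;
}

int main(void) {
    unsigned char truncated[7] = {0};                 /* constructed: shorter than one header */
    unsigned char good[ICMP_HDR_LEN + 16] = {0};      /* constructed: header plus 16 data bytes */
    unsigned char out[MAX_PAYLOAD];

    printf("unchecked size for a 7-byte packet: %zu\n", payload_len_unchecked(sizeof truncated));
    printf("checked handling of a 7-byte packet: %d\n", handle_reply(truncated, sizeof truncated, out));
    printf("checked handling of a 24-byte packet: %d\n", handle_reply(good, sizeof good, out));
    return 0;
}
```

The detection point for a defender is the same in either version: the only safe order is compare first, subtract second, and bound the result against the destination before copying.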