Bug 1264445

Summary: squid: Integer overflow in HTTP Proxy causes DoS
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, henrik, jonathansteffan, luhliari, psimerda, thozza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 3.5.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-27 14:31:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1264450    
Bug Blocks: 1264449    
Attachments:
Description Flags
Upstream patch none

Description Adam Mariš 2015-09-18 13:22:39 UTC 
An integer overflow vulnerability was found in SSL/TLS parser in Squid HTTP Proxy, that can lead to invalid pointer reading from random memory on some CPU architectures. This leads to wrong TLS extensiosn being used for the client or it can also cause the crash of the proxy terminating all active transactions. This can be triggered remotely. Although there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, the check is considered generally weak. Affected versions are from 3.5.0.1 to 3.5.8, which are built with OpenSSL and configured for "SSL-Bump" decryption.

CVE request:

http://seclists.org/oss-sec/2015/q3/577
Comment 1 Adam Mariš 2015-09-18 13:24:13 UTC 
Created attachment 1074906 [details]
Upstream patch
Comment 2 Adam Mariš 2015-09-18 13:28:56 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1264450]
Comment 3 Adam Mariš 2015-09-21 12:31:05 UTC 
Security Advisory:

http://www.squid-cache.org/Advisories/SQUID-2015_3.txt
Comment 4 Stefan Cornelius 2015-10-27 14:31:49 UTC 
I believe this was introduced via:
http://bazaar.launchpad.net/~squid/squid/trunk/revision/14012

This code never made it into RHEL5, 6, or 7.

Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7.