Bug 1312262 (CVE-2016-2571, CVE-2016-2572)

Summary: CVE-2016-2571 CVE-2016-2572 squid: wrong error handling for malformed HTTP responses
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: cbuissar, henrik, jonathansteffan, luhliari, psimerda, sardella, thozza, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: squid 4.0.7, squid 3.5.15
Doc Type: Bug Fix
Doc Text:
It was found that squid did not properly handle errors when failing to parse an HTTP response, possibly leading to an assertion failure. A malicious HTTP server could use this flaw to crash squid using a specially crafted HTTP response.
Last Closed: 2016-11-04 09:00:53 UTC
Bug Depends On: 1312267, 1322770    
Bug Blocks: 1312266    

Description Andrej Nemec 2016-02-26 09:22:46 UTC
Error handling for malformed HTTP responses can lead to a second
assertion with the same effects as the first issue. It is not easily
triggered in Squid-3 or normally in Squid-4.

However, fixing the String issue makes it become easily triggerable in
Squid-4, and we do have a history of the assertion itself being
reported as occurring already, but we have been unable to identify the vectors
code path to replicate it yet. So we believe it can be achieved
independent of the String issues, even if we are unable so far to
identify how.

Comment 1 Andrej Nemec 2016-02-26 09:25:43 UTC
External references:

http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

Upstream patches:

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch

CVE assignment:

http://seclists.org/oss-sec/2016/q1/442

Also adding CVE-2016-2572, as assigned by Mitre for another part of this issue, fixed in this patch.

Comment 2 Andrej Nemec 2016-02-26 09:29:22 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1312267]

Comment 6 errata-xmlrpc 2016-11-03 21:17:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2600 https://rhn.redhat.com/errata/RHSA-2016-2600.html

Comment 8 Andrej Nemec 2017-09-08 11:53:02 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. 

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.