Bug 1329126 (CVE-2016-4051, SQUID-2016:5)

Summary: CVE-2016-4051 squid: buffer overflow in cachemgr.cgi
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, cbuissar, henrik, jonathansteffan, luhliari, psimerda, thozza
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 3.5.17, squid 4.0.9 Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-09 12:43:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1329144, 1330572, 1330573, 1330574, 1330575, 1330576, 1330577    
Bug Blocks: 1329143    

Description Andrej Nemec 2016-04-21 09:21:57 UTC 
Due to incorrect buffer management Squid cachemgr.cgi tool is
vulnerable to a buffer overflow when processing remotely supplied
inputs relayed to it from Squid.

External references:

http://www.squid-cache.org/Advisories/SQUID-2016_5.txt

Upstream fixes:

[RHEL-7]
www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch

[Fedora-23]
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch

[Fedora-22]
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch
Comment 1 Andrej Nemec 2016-04-21 09:47:17 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1329144]
Comment 6 errata-xmlrpc 2016-05-31 05:42:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1139 https://access.redhat.com/errata/RHSA-2016:1139
Comment 7 errata-xmlrpc 2016-05-31 05:56:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1140 https://access.redhat.com/errata/RHSA-2016:1140
Comment 8 errata-xmlrpc 2016-05-31 05:57:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1138 https://access.redhat.com/errata/RHSA-2016:1138
Comment 9 Fedora Update System 2016-07-12 20:28:01 UTC 
squid-3.5.19-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2016-07-12 23:52:43 UTC 
squid-3.5.10-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Cedric Buissart 2016-08-04 13:41:45 UTC 
Additional Note:
It was found that RHSA-2016:1138 (squid-3.1.23-16.el6_8.4 on RHEL-6.8.z) did not fully fixed CVE-2016-4051.
A new fix is available, under the name CVE-2016-5408, and released via errata RHSA-2016:1573