Bug 1329136 (CVE-2016-4052, CVE-2016-4053, CVE-2016-4054, SQUID-2016:6)

Summary: CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 squid: multiple issues in ESI processing
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bnater, carnil, cbuissar, henrik, jonathansteffan, luhliari, psimerda, thozza
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: squid 3.5.17, squid 4.0.9
Doc Type: Bug Fix
Doc Text:
Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
Last Closed: 2016-06-09 12:44:05 UTC
Bug Depends On: 1329144, 1330572, 1330573, 1330574, 1330575, 1330576, 1330577    
Bug Blocks: 1329143    

Description Andrej Nemec 2016-04-21 09:37:00 UTC
Due to buffer overflow issues Squid is vulnerable to a denial
of service attack when processing ESI responses.

Due to incorrect input validation Squid is vulnerable to public
information disclosure of the server stack layout when processing
ESI responses.

Due to incorrect input validation and buffer overflow Squid is
vulnerable to remote code execution when processing ESI
responses.

External references:

http://www.squid-cache.org/Advisories/SQUID-2016_6.txt

Upstream fix:

[RHEL-7]
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch

[Fedora-22]
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch

[Fedora-23]
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch

Comment 1 Andrej Nemec 2016-04-21 09:47:23 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1329144]

Comment 2 Andrej Nemec 2016-04-21 10:01:38 UTC
CVE assignments:

http://seclists.org/oss-sec/2016/q2/120

Comment 11 errata-xmlrpc 2016-05-31 05:42:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1139 https://access.redhat.com/errata/RHSA-2016:1139

Comment 12 errata-xmlrpc 2016-05-31 05:56:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1140 https://access.redhat.com/errata/RHSA-2016:1140

Comment 13 errata-xmlrpc 2016-05-31 05:57:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1138 https://access.redhat.com/errata/RHSA-2016:1138

Comment 17 Fedora Update System 2016-07-12 20:27:55 UTC
squid-3.5.19-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2016-07-12 23:52:38 UTC
squid-3.5.10-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.