Bug 1730528 (CVE-2019-12529)

Summary: CVE-2019-12529 squid: Out of bounds read in Proxy-Authorization header causes DoS
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, code, jonathansteffan, kyoshida, luhliari, uwe.knop, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 4.8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 02:21:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1730529, 1738580, 1738581    
Bug Blocks: 1730537    

Description Dhananjay Arunesh 2019-07-17 04:14:59 UTC 
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Reference:
http://www.squid-cache.org/Versions/v4/changesets/
https://github.com/squid-cache/squid/commits/v4

Upstream commit:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch
Comment 1 Dhananjay Arunesh 2019-07-17 04:15:59 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1730529]
Comment 2 Cedric Buissart 2019-08-07 10:08:32 UTC 
External References:

http://www.squid-cache.org/Advisories/SQUID-2019_2.txt
Comment 3 Cedric Buissart 2019-08-07 13:48:56 UTC 
Mitigation:

Remove 'auth_param basic ...' configuration settings from squid.conf
Comment 6 Product Security DevOps Team 2020-11-04 02:21:34 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12529
Comment 7 errata-xmlrpc 2020-11-04 03:31:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743