Bug 1827552 (CVE-2019-12519)

Summary: CVE-2019-12519 squid: improper check for new member in ESIExpression::Evaluate allows for stack buffer overflow
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anon.amish, jonathansteffan, luhliari, mkyral, pavlix, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 4.11, squid 5.0.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Squid through version 4.7. When handling the tag esi:when, when ESI is enabled, Squid calls the ESIExpression::Evaluate function which uses a fixed stack buffer to hold the expression. While processing the expression, there is no check to ensure that the stack won't overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-06 16:31:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1828362, 1828370, 1828360, 1828364, 1828366, 1828368    
Bug Blocks: 1827553    

Description Marian Rehak 2020-04-24 07:51:47 UTC
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.

Comment 5 Stefan Cornelius 2020-04-30 13:15:20 UTC
Statement:

The squid packages are compiled with protections like stack canaries, which should reduce the chance of a successful exploitation dramatically and the most likely outcome is a crash without code execution.

Comment 6 errata-xmlrpc 2020-05-06 12:14:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2038 https://access.redhat.com/errata/RHSA-2020:2038

Comment 7 errata-xmlrpc 2020-05-06 13:24:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2039 https://access.redhat.com/errata/RHSA-2020:2039

Comment 8 errata-xmlrpc 2020-05-06 13:48:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2041 https://access.redhat.com/errata/RHSA-2020:2041

Comment 9 errata-xmlrpc 2020-05-06 13:48:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2040 https://access.redhat.com/errata/RHSA-2020:2040

Comment 10 Product Security DevOps Team 2020-05-06 16:31:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12519