Bug 222883 (CVE-2007-0247)

Summary: CVE-2007-0247 Squid crashes when receiving certain FTP listings
Product: [Fedora] Fedora Reporter: Lubomir Kundrak <lkundrak>
Component: squidAssignee: Martin Stransky <stransky>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 6Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.squid-cache.org/bugs/show_bug.cgi?id=1857
Whiteboard: impact=important,source=gentoo,reported=20070116,public=20070113
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-17 09:21:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 222884    
Attachments:
Description Flags
Upstream patch for Squid FTP triggered DoS #1857 none

Description Lubomir Kundrak 2007-01-16 18:29:37 UTC 
Description of problem:

Visiting this [1] URL makes Squid die upon receival of SIGSEGV Signal.
[1] ftp://ftp.debian.org/pub/debian/dists/sid/main/binary-hurd-i386;type=d

Version-Release number of selected component (if applicable):

Seems to be introduced with 2.5.STABLE11, so does affect
Fedora 5 and 6 and RHEL 5.

Additional info:

Fixed in 2.6.STABLE11.
See the upstream bug report [2] for patch.
[2] http://www.squid-cache.org/bugs/show_bug.cgi?id=1857
Comment 1 Lubomir Kundrak 2007-01-16 18:29:37 UTC 
Created attachment 145712 [details]
Upstream patch for Squid FTP triggered DoS #1857
Comment 2 Martin Stransky 2007-01-17 09:21:28 UTC 
fixed in squid-2.6.STABLE7-1.fc6
Comment 3 Fedora Update System 2007-01-17 16:32:03 UTC 
squid-2.5.STABLE14-3.FC5 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 4 Josh Bressers 2007-01-21 21:58:57 UTC 
Martin,

I've not seen the fc6 update for this.  Are you planning to wait before pushing it?
Comment 5 Martin Stransky 2007-01-22 08:50:30 UTC 
It's here:

https://porkchop.devel.redhat.com/fedora-updates/show.py?pkg=squid-2.6.STABLE7-1.fc6&update=Final