Bug 626927 (CVE-2010-2951)

Summary: CVE-2010-2951 squid: child assertion failure when processing large DNS replies with no IPv6 resolver present
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: henrik, jonathansteffan, jskala, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-25 13:03:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 626933    
Bug Blocks:    

Description Jan Lieskovsky 2010-08-24 17:25:28 UTC 
A buffer overread flaw was found in the way Squid proxy caching server
processed large DNS replies in cases, when no IPv6 resolver was present.
A remote attacker could provide DNS reply with large amount of data,
leading to denial of service (squid server crash).

Upstream bug report:
  [1] http://bugs.squid-cache.org/show_bug.cgi?id=3021

Relevant upstream changeset:
  [2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072

References:
  [3] http://marc.info/?l=squid-users&m=128263555724981&w=2
  [4] http://bugs.gentoo.org/show_bug.cgi?id=334263

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/08/24/6
Comment 1 Jan Lieskovsky 2010-08-24 17:27:34 UTC 
This issue did NOT affect the versions of the squid package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.

--

This issue affects the versions of the squid package, as shipped with
Fedora release of 12 and 13.

Please fix.
Comment 2 Jan Lieskovsky 2010-08-24 17:39:46 UTC 
Created squid tracking bugs for this issue

Affects: fedora-all [bug 626933]
Comment 3 Henrik Nordström 2010-08-24 17:58:45 UTC 
This affects the 3.1.6 version in Fedora updates-testing only. Issue got introduced in Squid-3.1.5.1. Latest stable release pushed for Fedora is 3.1.4 which do not have this issue.

It's a stability issue where Squid due to a coding error automatically restarts if not able to talk to a resolver over IPv6 and needing to retry the DNS query over TCP.

It's not really something I would grade as a security issue.
Comment 4 Henrik Nordström 2010-08-24 18:03:44 UTC 
And no, it's not a buffer overflow. Just a plain assertion failed crash/abort due to trying to use a unset socket filedescriptor (-1) for talking to the resolver.
Comment 5 Tomas Hoger 2010-08-25 13:03:30 UTC 
Henrik, thank you for clarifications!
Comment 6 Vincent Danen 2010-11-03 23:45:36 UTC 
*** Bug 649543 has been marked as a duplicate of this bug. ***