Bug 626927 (CVE-2010-2951)

Summary: CVE-2010-2951 squid: child assertion failure when processing large DNS replies with no IPv6 resolver present
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: henrik, jonathansteffan, jskala, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-25 13:03:30 UTC
Bug Depends On: 626933

Description Jan Lieskovsky 2010-08-24 17:25:28 UTC
A buffer overread flaw was found in the way the Squid proxy caching server
processed large DNS replies in cases when no IPv6 resolver was present.
A remote attacker could provide a DNS reply with a large amount of data,
leading to denial of service (squid server crash).

Upstream bug report:
  [1] http://bugs.squid-cache.org/show_bug.cgi?id=3021

Relevant upstream changeset:
  [2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072

  [3] http://marc.info/?l=squid-users&m=128263555724981&w=2
  [4] http://bugs.gentoo.org/show_bug.cgi?id=334263

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/08/24/6

Comment 1 Jan Lieskovsky 2010-08-24 17:27:34 UTC
This issue did NOT affect the versions of the squid package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.

This issue affects the versions of the squid package, as shipped with
Fedora releases 12 and 13.

Please fix.

Comment 2 Jan Lieskovsky 2010-08-24 17:39:46 UTC
Created squid tracking bugs for this issue

Affects: fedora-all [bug 626933]

Comment 3 Henrik Nordström 2010-08-24 17:58:45 UTC
This affects the 3.1.6 version in Fedora updates-testing only. Issue got introduced in Squid- Latest stable release pushed for Fedora is 3.1.4, which does not have this issue.

It's a stability issue where Squid, due to a coding error, automatically restarts if it is not able to talk to a resolver over IPv6 and needs to retry the DNS query over TCP.

It's not really something I would grade as a security issue.

Comment 4 Henrik Nordström 2010-08-24 18:03:44 UTC
And no, it's not a buffer overflow. Just a plain assertion failed crash/abort due to trying to use an unset socket file descriptor (-1) for talking to the resolver.
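
A simplified model of the failure mode Henrik describes, added here as an illustration and not taken from Squid's source: the resolver struct, the retry_status codes, plan_tcp_retry() and the two 12-byte reply headers are constructed assumptions. It contrasts the crashing pattern (handing an unset descriptor to the transport code when a truncated reply forces a TCP retry) with one that validates the descriptor and falls back to IPv4.

```c
/* Added illustration, not Squid's code: a UDP DNS reply with the TC bit set
 * must be retried over TCP, and the retry must not touch a resolver socket
 * that was never opened (fd -1 on a host with no IPv6 resolver). */
#include <stddef.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

#define FD_UNSET (-1)

/* Assumed resolver state: one UDP socket per address family, FD_UNSET when
 * that family was never configured. */
struct resolver { int udp_fd_v4; int udp_fd_v6; };

enum retry_status { RETRY_NOT_NEEDED = 0, RETRY_OK = 1,
                    RETRY_NO_SOCKET = 2, RETRY_BAD_REPLY = 3 };

/* RFC 1035 header: byte 2 holds QR|Opcode|AA|TC|RD, TC is bit 0x02. */
int dns_reply_truncated(const unsigned char *msg, size_t len)
{
    return len >= 12 && (msg[2] & 0x02) != 0;
}

/* Buggy pattern from the comments: assume a socket exists for the family
 * and hand whatever is stored there, possibly -1, to the transport code. */
int pick_retry_fd_unchecked(const struct resolver *r, int family)
{
    return family == AF_INET6 ? r->udp_fd_v6 : r->udp_fd_v4;
}

/* Hardened pattern: validate the descriptor before any I/O and fall back
 * to the IPv4 socket when the IPv6 one was never opened. */
enum retry_status plan_tcp_retry(const struct resolver *r, int family,
                                 const unsigned char *msg, size_t len,
                                 int *fd_out)
{
    int fd;
    if (len < 12) return RETRY_BAD_REPLY;             /* shorter than a header */
    if (!dns_reply_truncated(msg, len)) return RETRY_NOT_NEEDED;
    fd = (family == AF_INET6) ? r->udp_fd_v6 : r->udp_fd_v4;
    if (fd == FD_UNSET && family == AF_INET6)
        fd = r->udp_fd_v4;                             /* no IPv6 resolver */
    if (fd == FD_UNSET)
        return RETRY_NO_SOCKET;                        /* fail lookup, stay up */
    *fd_out = fd;
    return RETRY_OK;
}

/* Constructed 12-byte reply headers: TC set (0x83) and TC clear (0x81). */
const unsigned char TRUNCATED_REPLY[12] = {0x12,0x34,0x83,0x80,0,1,0,0,0,0,0,0};
const unsigned char NORMAL_REPLY[12]    = {0x12,0x34,0x81,0x80,0,1,0,0,0,0,0,0};
```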

Comment 5 Tomas Hoger 2010-08-25 13:03:30 UTC
Henrik, thank you for clarifications!

Comment 6 Vincent Danen 2010-11-03 23:45:36 UTC
*** Bug 649543 has been marked as a duplicate of this bug. ***