Bug 750316 (CVE-2011-4096)

Summary: CVE-2011-4096 squid: Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dapospis, henrik, jonathansteffan, jskala, prc, rcvalle, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 22:02:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 750321, 755016, 755017, 844301    
Bug Blocks: 750322    

Description Jan Lieskovsky 2011-10-31 17:17:57 UTC 
An invalid free flaw was found in the way Squid proxy caching server processed DNS requests, where one CNAME record pointed to another CNAME record pointing to an empty A-record. A remote attacker could issue a specially-crafted DNS request, leading to denial of service (squid daemon abort).

Upstream bug report:
[1] http://bugs.squid-cache.org/show_bug.cgi?id=3237

Relevant upstream patch:
[2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10384

References:
[3] http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html
[4] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c4
[5] http://bugs.squid-cache.org/show_bug.cgi?id=3237#c5
Comment 1 Jan Lieskovsky 2011-10-31 17:36:24 UTC 
This issue affects the versions of the squid package, as shipped with Fedora release of 14 and 15. Please schedule an update.
Comment 2 Jan Lieskovsky 2011-10-31 17:37:18 UTC 
Created squid tracking bugs for this issue

Affects: fedora-all [bug 750321]
Comment 3 Jan Lieskovsky 2011-10-31 18:06:28 UTC 
CVE request:
[6] http://www.openwall.com/lists/oss-security/2011/10/31/5
Comment 4 Henrik Nordström 2011-10-31 20:35:41 UTC 
CVE-2011-4096 has been assigned to this issue.
Comment 5 Jan Lieskovsky 2011-11-01 11:34:23 UTC 
This issue is scheduled to be corrected in the following squid package updates:
1) squid-3.1.16-1.fc14 for Fedora 14, and
2) squid-3.1.16-1.fc15 for Fedora 15.

Particular updates have been pushed to relevant -testing repositories and upon required testing is complete, they will be pushed to related -stable repositories.
Comment 7 Fedora Update System 2011-11-17 23:32:03 UTC 
squid-3.1.16-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2011-11-17 23:38:49 UTC 
squid-3.1.16-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Ramon de C Valle 2011-11-18 14:38:03 UTC 
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 as they did not include IPv6 support. This issue was introduced with the addition of IPv6 support in Squid 3.1 (in the changes made to the idnsGrokReply function).
Comment 10 Ramon de C Valle 2011-11-18 15:01:07 UTC 
The code for merging multiple AAAA and A result sets is not present in the versions of squid as shipped with Red Hat Enterprise Linux 4 and 5 (i.e. src/dns_internal.cc#1096 of squid-3.1.10-1.el6).
Comment 14 errata-xmlrpc 2011-12-06 21:31:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1791 https://rhn.redhat.com/errata/RHSA-2011-1791.html