It was discovered [1] that pinger code that checks for nodes being alive doesn't properly validate ICMP and ICMPv6 replies, in particular icmp6 types which are used to index into a string array. This could cause crashes when the index is OOB. CVE requested at [1] too, and a patch is available at [2]. It looks like you can only DoS the pinger sub-system, not the whole squid though.

[1]: http://seclists.org/oss-sec/2014/q3/539
[2]: https://bugzilla.novell.com/show_bug.cgi?id=891268
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1139721]
This issue affects handling of ICMPv6 replies. The code uses an ICMP type value from the received packet, ANDs the value with 0x7f (i.e. limiting the value to 127) and uses the result as an index to the icmp6HighPktStr[] or icmp6LowPktStr[] array when generating a debug message:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L293

Those are static .bss arrays with 33 or 10 items respectively:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L51

leading to an out-of-bounds read. Maximum overread is 127-10 * sizeof(char*). This may lead to a crash if it reaches unmapped memory.

Affected code was first introduced in Squid 3, hence Squid 2 versions (shipped with Red Hat Enterprise Linux 5 and earlier) are not affected.

This problem exists in the source of the squid packages shipped in Red Hat Enterprise Linux 6 and 7, and current Fedora. However, it is not built. It is only built when building a program called "pinger". This program is not built or included in squid packages in Red Hat Enterprise Linux or Fedora. Also, as the crash can only affect an external program, not the main Squid process, it is unclear if it could have any security impact at all.

Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".
(In reply to Tomas Hoger from comment #2)
> This issue affects handling of ICMPv6 replies.

There is actually a similar bug in the ICMP(v4) handling code:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L248
http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L44

icmpPktStr[] is an array with 18 items, while icmp_type used as an index to this array is an 8-bit value that is taken from the received packet without further validation, leading to an overread of up to (256-18) * sizeof(char*).

Unlike the issue in the ICMPv6 code, the ICMPv4 issue exists in Squid 2.x versions. However, as noted above, it is only used by the pinger program not included in squid packages in Red Hat Enterprise Linux or Fedora.
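The two comments above describe the same defect twice: a type byte taken from a received ICMP/ICMPv6 packet is used as an index into a fixed-size string table, with either no check at all (ICMPv4) or only an `& 0x7f` mask (ICMPv6) that does not relate the value to the table's actual length. The following C program is an added illustration of that pattern and of the bounds-checked form that closes it; it is not Squid's code. The table names (`icmp4_type_str`, `icmp6_low_type_str`, `icmp6_high_type_str`), their contents and sizes, and the `UNKNOWN_TYPE` fallback are all constructed for this example. The unchecked variant is kept only to show the vulnerable shape and is never called.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed type-name tables standing in for the project's string
 * arrays. Names, sizes and contents are this example's own, not Squid's. */
static const char UNKNOWN_TYPE[] = "Out of Range Type";

static const char *const icmp4_type_str[] = {
    "Echo Reply", "ICMP 1", "ICMP 2", "Destination Unreachable",
    "Source Quench", "Redirect", "ICMP 6", "ICMP 7", "Echo Request"
};

static const char *const icmp6_low_type_str[] = {
    "ICMP6 0", "Destination Unreachable", "Packet Too Big",
    "Time Exceeded", "Parameter Problem"
};

static const char *const icmp6_high_type_str[] = {
    "Echo Request", "Echo Reply", "Multicast Listener Query",
    "Multicast Listener Report", "Multicast Listener Done"
};

#define COUNT(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Bounds-checked lookup: every packet-derived index goes through this and
 * is compared against the table's real length, not against a bit mask. */
static const char *lookup_or_unknown(const char *const *table, size_t count,
                                     unsigned index)
{
    return (index < count) ? table[index] : UNKNOWN_TYPE;
}

/* VULNERABLE PATTERN, shown for contrast and never called here: the 8-bit
 * type from the packet indexes the table directly, so any type value of
 * COUNT(icmp4_type_str) or more reads past the end of the array. */
const char *icmp4_type_name_unchecked(unsigned char type)
{
    return icmp4_type_str[type];
}

/* Hardened ICMPv4 lookup: the index is validated against the table size. */
const char *icmp4_type_name(unsigned char type)
{
    return lookup_or_unknown(icmp4_type_str, COUNT(icmp4_type_str), type);
}

/* Hardened ICMPv6 lookup. Masking with 0x7f only maps the 8-bit type onto
 * 0..127; it says nothing about whether the value fits the table, so the
 * length check is still required after the mask. */
const char *icmp6_type_name(unsigned char type)
{
    if (type < 128)
        return lookup_or_unknown(icmp6_low_type_str,
                                 COUNT(icmp6_low_type_str), type);
    return lookup_or_unknown(icmp6_high_type_str,
                             COUNT(icmp6_high_type_str), type & 0x7f);
}

int main(void)
{
    /* Constructed sample type bytes, including out-of-range ones. */
    const unsigned char samples[] = { 0, 3, 8, 200, 255 };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("ICMPv4 type %3u -> %s\n", samples[i],
               icmp4_type_name(samples[i]));
    printf("ICMPv6 type 128 -> %s\n", icmp6_type_name(128));
    printf("ICMPv6 type 100 -> %s\n", icmp6_type_name(100));
    return 0;
}
```

The point the hardened functions make is that the check has to be against `COUNT(table)`, the quantity that actually bounds the array, rather than against a property of the input such as its width or a masked range; a table that later grows or shrinks stays safe without the lookup code changing.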
Upstream commit: http://bazaar.launchpad.net/~squid/squid/trunk/revision/13583
2 CVEs were assigned to this issue at http://seclists.org/oss-sec/2014/q3/626 :

> > 1. "used to index into a string array" possibly corresponds to
> > http://cwe.mitre.org/data/definitions/129.html for the modified
> > default case after case 136, and approximately two other places in the
> > patch
>
> Use CVE-2014-7141.
>
> > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > general issue with missing data validation
>
> Use CVE-2014-7142.
External References: http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
(In reply to Vasyl Kaigorodov from comment #5)
> > > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > > general issue with missing data validation
> >
> > Use CVE-2014-7142.

CVE-2014-7142 does not belong here; this bug only covers CVE-2014-7141.
See bug #1148832 for information on CVE-2014-7142.