An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
External References:
http://www.squid-cache.org/Advisories/SQUID-2019_12.txt
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt
Patch: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch
Statement: The squid packages are compiled with protections like stack canaries, which should reduce the chance of a successful exploitation dramatically and the most likely outcome is a crash without code execution.
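The missing check from the description above, shown on a simplified model of a fixed-stack expression evaluator. This is an added example, not Squid's code or the upstream patch; `STACK_DEPTH`, `member_t`, `push`, `eval_expr` and the toy grammar (`!` prefix operators over `0`/`1` literals) are all hypothetical.

```c
#include <stddef.h>

#define STACK_DEPTH 8            /* hypothetical size chosen for this model */

enum { EVAL_ERR_DEPTH = -1, EVAL_ERR_SYNTAX = -2 };

typedef struct { char kind; int value; } member_t;  /* kind: '!' or 'v' (value) */

/* Checked push: the bound is tested before the write. The unchecked form,
 * stack[(*depth)++] = m with no test, writes past the array once the
 * expression needs more than STACK_DEPTH members. */
static int push(member_t *stack, size_t *depth, member_t m)
{
    if (*depth >= STACK_DEPTH)
        return 0;
    stack[(*depth)++] = m;
    return 1;
}

/* Returns 0 or 1 for a valid expression, or a negative error code. */
int eval_expr(const char *s)
{
    member_t stack[STACK_DEPTH];
    size_t depth = 0;

    for (; *s; ++s) {
        member_t m;
        if (*s == ' ')
            continue;
        if (*s == '!') { m.kind = '!'; m.value = 0; }
        else if (*s == '0' || *s == '1') { m.kind = 'v'; m.value = *s - '0'; }
        else return EVAL_ERR_SYNTAX;

        /* "Add a new member": reject the expression instead of overflowing. */
        if (!push(stack, &depth, m))
            return EVAL_ERR_DEPTH;

        /* "Evaluate the top of the stack": fold a value into a preceding '!'. */
        while (depth >= 2 && stack[depth - 1].kind == 'v' && stack[depth - 2].kind == '!') {
            stack[depth - 2].kind = 'v';
            stack[depth - 2].value = !stack[depth - 1].value;
            --depth;
        }
    }
    if (depth != 1 || stack[0].kind != 'v')
        return EVAL_ERR_SYNTAX;
    return stack[0].value;
}
```

An input that needs one member more than the array holds is rejected with `EVAL_ERR_DEPTH` rather than written out of bounds.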
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2038 https://access.redhat.com/errata/RHSA-2020:2038
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2039 https://access.redhat.com/errata/RHSA-2020:2039
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2041 https://access.redhat.com/errata/RHSA-2020:2041
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2040 https://access.redhat.com/errata/RHSA-2020:2040
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12519