Bug 1827552 (CVE-2019-12519) - CVE-2019-12519 squid: improper check for new member in ESIExpression::Evaluate allows for stack buffer overflow
Summary: CVE-2019-12519 squid: improper check for new member in ESIExpression::Evaluat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12519
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1828362 1828370 1828360 1828364 1828366 1828368
Blocks: 1827553
TreeView+ depends on / blocked
 
Reported: 2020-04-24 07:51 UTC by Marian Rehak
Modified: 2020-05-08 01:41 UTC (History)
6 users (show)

Fixed In Version: squid 4.11, squid 5.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Squid through version 4.7. When handling the tag esi:when, when ESI is enabled, Squid calls the ESIExpression::Evaluate function which uses a fixed stack buffer to hold the expression. While processing the expression, there is no check to ensure that the stack won't overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-05-06 16:31:57 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2038 None None None 2020-05-06 12:14:31 UTC
Red Hat Product Errata RHSA-2020:2039 None None None 2020-05-06 13:24:24 UTC
Red Hat Product Errata RHSA-2020:2040 None None None 2020-05-06 13:48:32 UTC
Red Hat Product Errata RHSA-2020:2041 None None None 2020-05-06 13:48:09 UTC

Description Marian Rehak 2020-04-24 07:51:47 UTC
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.

Comment 5 Stefan Cornelius 2020-04-30 13:15:20 UTC
Statement:

The squid packages are compiled with protections like stack canaries, which should reduce the chance of a successful exploitation dramatically and the most likely outcome is a crash without code execution.

Comment 6 errata-xmlrpc 2020-05-06 12:14:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2038 https://access.redhat.com/errata/RHSA-2020:2038

Comment 7 errata-xmlrpc 2020-05-06 13:24:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2039 https://access.redhat.com/errata/RHSA-2020:2039

Comment 8 errata-xmlrpc 2020-05-06 13:48:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2041 https://access.redhat.com/errata/RHSA-2020:2041

Comment 9 errata-xmlrpc 2020-05-06 13:48:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2040 https://access.redhat.com/errata/RHSA-2020:2040

Comment 10 Product Security DevOps Team 2020-05-06 16:31:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12519


Note You need to log in before you can comment on or make changes to this bug.