1827562 – (CVE-2019-12521) CVE-2019-12521 squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash

Bug 1827562 (CVE-2019-12521) - CVE-2019-12521 squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash

Summary: CVE-2019-12521 squid: Off-by-one error in addStackElement allows for heap buf...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-12521
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1828373 1828378
Blocks:	1827553
TreeView+	depends on / blocked

Reported:	2020-04-24 08:16 UTC by Marian Rehak
Modified:	2021-03-26 18:48 UTC (History)
CC List:	5 users (show)
Fixed In Version:	squid 4.11, squid 5.0.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in squid. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
Clone Of:
Environment:
Last Closed:	2020-11-04 02:25:04 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4743	0	None	None	None	2020-11-04 03:32:03 UTC

Description Marian Rehak 2020-04-24 08:16:19 UTC

When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.

Comment 1 Marian Rehak 2020-04-24 08:16:40 UTC

Upstream Issue:

https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt

Comment 3 Stefan Cornelius 2020-04-24 11:54:09 UTC

Patch:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch

Comment 4 Stefan Cornelius 2020-04-24 11:54:12 UTC

External References:

http://www.squid-cache.org/Advisories/SQUID-2019_12.txt

Comment 6 Product Security DevOps Team 2020-11-04 02:25:04 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12521

Comment 7 errata-xmlrpc 2020-11-04 03:32:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743

Note You need to log in before you can comment on or make changes to this bug.