A denial of service flaw was found in the way Squid used to process certain external ACL helper HTTP-Header fields (%{header:<delimiter>member}), where <delimiter> is not a comma. A remote attacker could use this flaw to cause excessive CPU use by issuing such a request to the Squid server.

Common Vulnerabilities and Exposures assigned the identifier CVE-2009-2855 to this vulnerability:
------------------------------------------------------------------------------
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

References:
-----------
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
[2] http://www.openwall.com/lists/oss-security/2009/07/20/10
[3] http://www.openwall.com/lists/oss-security/2009/08/03/3
[4] http://www.openwall.com/lists/oss-security/2009/08/04/6
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
[6] http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

Note: The proposed patch from Debian [6] isn't the upstream one. Please wait while upstream confirms it or comes up with another one.

Upstream bug report:
--------------------
http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
Upstream report updated.

Correction to description: It's not related to auth but the use of external_acl_type %{header:<delimiter>member} where <delimiter> is not a comma. This is most often used for extracting cookie details for use in access controls.

The Debian proposed patch is not correct, and was never reported upstream. But there is another patch reported upstream which is on the right track.
(In reply to comment #1)

> Upstream report updated.

Hello Henrik, thank you for your prompt reaction.

> Correction to description: It's not related to auth but the use of
> external_acl_type %{header:<delimiter>member} where <delimiter> is not a comma.
> This is most often used for extracting cookie details for use in access
> controls.

Ok, will find out more background details from the relevant, affected code and change it.

> The debian proposed patch is not correct, and was never reported upstream. But
> there is another patch reported upstream which is on the right track.

Which of the two patches is considered to be applied by upstream?

http://www.squid-cache.org/bugs/attachment.cgi?id=1854

or the second one:

http://www.squid-cache.org/bugs/show_bug.cgi?id=2541#c1

Both of them seem to affect not only Squid 2.7 (as mentioned in the CVE description), but also older versions (found the same relevant code parts also in squid-2.5.STABLE3, squid-2.5.STABLE14 and also squid-2.6.STABLE21) -- could you confirm?

Also -- is the comma as separator the only problematic case, or should we consider also handling of "?,", "\", "\\" cases within the patch?

Thanks, Jan.
Thanks for the reminder. I hadn't noticed the Debian bug report, and the other report with a patch that is on the right track had a bad subject which made it go unnoticed as well.

As already commented by Alex, the suggestion by Amos is not correct. The attachment is more in line with the needed changes. I have not yet studied the code to say if that patch is fine as it is or needs cleanup before commit.

The issue affects most Squid versions since that format was introduced in external_acl_type; 2.6 is quite likely affected as well.
*** Bug 509895 has been marked as a duplicate of this bug. ***
A fix for this is available in Squid-2.HEAD since some days. Should backport easily to earlier releases, and will get backported to 2.7 and maybe 2.6 in the next upstream maintenance round.

http://www.squid-cache.org/Versions/v2/HEAD/changesets/12541.patch

A sample test case is as follows:

-- test-helper.sh (executable) --
#!/bin/sh
# answer OK for every request line the external ACL helper is given
while read line; do
    echo OK
done
-- end test-helper.sh --

-- squid.conf (before where access is normally allowed) --
external_acl_type test %{Test:;test} /path/to/test-helper.sh
acl test external test
http_access deny !test
-- end squid.conf --

-- test command --
/usr/bin/squidclient -H "Test: a, b, test=test\n" http://www.squid-cache.org/
-- end test command --

Regards
Henrik
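As an added illustration of the %{header:<delimiter>member} splitting this report is about (example code written here, not Squid's strListGetItem or Henrik's patch; all names are hypothetical): an iterator over a header value with a caller-chosen delimiter set that guarantees forward progress on every call, so the test header "a, b, test=test" split on ';' yields one item and the loop ends instead of spinning.

```c
/* Added example, not Squid's code: a header list iterator with a caller-chosen
 * delimiter set, after the %{header:<delimiter>member} use case in this report.
 * All names are hypothetical. */
#include <string.h>
typedef struct { const char *start; size_t len; } item_t;

/* Returns 1 and fills *out with the next non-empty item, or 0 at the end. Start
 * with *pos = value. Every successful call moves *pos at least one byte forward,
 * so the caller's loop terminates even when the value contains commas and the
 * configured delimiter is something else, e.g. ';'. */
int list_next_item(const char *delims, const char **pos, item_t *out) {
    const char *p = *pos;
    while (*p && (*p == ' ' || *p == '\t' || strchr(delims, *p)))
        p++;                              /* skip blanks and delimiters */
    if (*p == '\0') { *pos = p; return 0; }
    size_t n = strcspn(p, delims);        /* item runs to next delimiter */
    if (n == 0) { *pos = p; return 0; }   /* unreachable; guards progress */
    size_t k = n;
    while (k > 0 && (p[k - 1] == ' ' || p[k - 1] == '\t'))
        k--;                              /* trim trailing blanks */
    out->start = p; out->len = k;
    *pos = p + n;
    return 1;
}

/* Number of items in value; shows termination on the report's test header. */
int list_count(const char *value, const char *delims) {
    const char *pos = value; item_t it; int n = 0;
    while (list_next_item(delims, &pos, &it))
        n++;
    return n;
}

/* Copies the value of the "member=..." item into buf (buflen > 0).
 * Returns 1 if the member is present, 0 otherwise. */
int list_get_member(const char *value, const char *delims, const char *member,
                    char *buf, size_t buflen) {
    const char *pos = value; item_t it; size_t mlen = strlen(member);
    while (list_next_item(delims, &pos, &it)) {
        if (it.len <= mlen || strncmp(it.start, member, mlen) != 0 ||
            it.start[mlen] != '=')
            continue;
        size_t vlen = it.len - mlen - 1;
        if (vlen >= buflen) vlen = buflen - 1;
        memcpy(buf, it.start + mlen + 1, vlen);
        buf[vlen] = '\0';
        return 1;
    }
    return 0;
}
```

With delimiter ';' the whole test header is a single item and no "test" member is found; with ',' it splits into three items and "test=test" is extracted.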
This issue does NOT affect the versions of the Squid package, as shipped with Red Hat Enterprise Linux 3 and 4. This issue affects the version of the Squid package, as shipped with Red Hat Enterprise Linux 5. This issue does NOT affect the versions of the Squid package, as shipped with Fedora releases of 10 and 11.
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------
The Red Hat Security Response Team has rated this issue as having low security impact; a future Squid package update may address this flaw in Red Hat Enterprise Linux 5.

More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2010:0221 https://rhn.redhat.com/errata/RHSA-2010-0221.html