Red Hat Bugzilla – Bug 895972
CVE-2013-0189 squid: Incomplete fix for the CVE-2012-5643 issue
Last modified: 2013-07-30 10:53:11 EDT
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.
Later, the upstream patch for the CVE-2012-5643 issue was found to be incomplete, resulting in a new patchset:
The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset).
Complete information about the updated patchset (from https://bugzilla.redhat.com/show_bug.cgi?id=887962#c9):
Individual commits (including commits for the initial fix):
This issue did NOT affect the versions of the squid package as shipped with Red Hat Enterprise Linux 5 and 6, as the incomplete fix for the CVE-2012-5643 issue has not been released for them. For further information regarding the original CVE-2012-5643 issue and affected versions refer to:
This issue affects the versions of the squid package as shipped with Fedora releases 16 and 17. Please schedule an update.
Created squid tracking bugs for this issue
Affects: fedora-all [bug 895976]
Not Vulnerable. This issue does not affect the version of squid as shipped with Red Hat Enterprise Linux 5 and 6.
According to the following bug report filed at http://bugs.squid-cache.org, it is possible that squid in RHEL 6 is vulnerable:
An excerpt from comment #3:
"I can only suggest that both the RHEL team and CentOS teams explicitly re-test
their packages for the CVE-2013-0189 vulnerability (sending _any_ Basic auth
credentials to cachemgr.cgi is enough to crash it) and apply the missing
portions of the patch if necessary."
Could someone at Red Hat clarify the issue, please?
(In reply to Akemi Yagi from comment #5)
> "I can only suggest that both the RHEL team and CentOS teams explicitly
> re-test their packages for the CVE-2013-0189 vulnerability (sending _any_
> Basic auth credentials to cachemgr.cgi is enough to crash it) and apply the
> missing portions of the patch if necessary."
I had a look at this, and came to the conclusion that our statement in comment #4 is correct. The crash you are seeing is *not* what CVE-2013-0189 was assigned to. However, it was introduced by the CVE-2012-5643 fix; it's one of the several problems the patch for that issue had.
For more detailed explanation, I'm going to paste here a time line currently listed in the upstream advisory:
2012-10-29 12:47 --- Initial Detection
2012-11-15 03:05 GMT Patches Released
2012-12-17 06:20 GMT Advisory Released
2012-12-18 22:17 GMT Additional flaw identified
2012-12-21 21:38 GMT Additional flaw identified
2013-01-01 06:50 GMT Updated patches and advisory released
2013-01-09 02:50 GMT Updated packages released
2013-01-21 00:00 GMT Squid-2.7 patch released
2013-03-08 00:39 GMT Updated CVE references
The original advisory was released in mid-Dec 2012. A few days later, problems were identified with the fix. The check that was added to limit POST data size was reversed, so it failed to fix the original problem. Additionally, extra code added could theoretically lead to an infinite loop. Those issues were fixed in early Jan 2013. CVE-2013-0189 was assigned to the bad fix (reversed size check) on Jan 16 2013.
The crash you're reporting was only reported and fixed upstream on Feb 22 2013:
and hence cannot be considered as part of the previously assigned CVE-2013-0189. I do not believe a new CVE is needed. The problem is that the code tries to free a static buffer, which causes the CGI application to abort. The crash only affects the request of the "attacker" and does not impact availability of the service for other users. I do not believe there is a reason to assume worse impact than a crash here. However, it is a functional regression and hence there's separate bug 990186 now.
Note that the upstream patch for 3.1 linked from the upstream advisory was updated some time after Feb 22 and includes the additional fix:
There's no note of the update in the SQUID-2012:1 revision history.