Bug 895972 (CVE-2013-0189) - CVE-2013-0189 squid: Incomplete fix for the CVE-2012-5643 issue
Summary: CVE-2013-0189 squid: Incomplete fix for the CVE-2012-5643 issue
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-0189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 895976
Blocks: 887969
TreeView+ depends on / blocked
 
Reported: 2013-01-16 12:05 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:59 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-17 05:18:50 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Novell 796999 None None None Never

Description Jan Lieskovsky 2013-01-16 12:05:21 UTC
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset).

Comment 2 Jan Lieskovsky 2013-01-16 12:10:40 UTC
This issue did NOT affect the versions of the squid package, as shipped with Red Hat Enterprise Linux 5 and 6 as the incomplete fix for CVE-2012-5643 issue has not been released for them. For further information regarding the original CVE-2012-5643 issue and affected versions refer to:
  https://bugzilla.redhat.com/show_bug.cgi?id=887962#c5

--

This issue affects the versions of the squid package, as shipped with Fedora release of 16 and 17. Please schedule an update.

Comment 3 Jan Lieskovsky 2013-01-16 12:11:34 UTC
Created squid tracking bugs for this issue

Affects: fedora-all [bug 895976]

Comment 4 Huzaifa S. Sidhpurwala 2013-01-17 08:33:26 UTC
Statement:

Not Vulnerable. This issue does not affect the version of squid as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 5 Akemi Yagi 2013-07-29 20:37:57 UTC
According to the following bug report filed at http://bugs.squid-cache.org, it is possible that squid in RHEL 6 is vulnerable:

http://bugs.squid-cache.org/show_bug.cgi?id=3881

An excerpt from comment #3:

"I can only suggest that both the RHEL team and CentOS teams explicitly re-test
their packages for the CVE-2013-0189 vulnerability (sending _any_ Basic auth
credentials to cachemgr.cgi is enough to crash it) and apply the missing
portions of the patch if necessary."

Could someone at Red Hat clarify the issue, please?

Comment 7 Tomas Hoger 2013-07-30 14:53:11 UTC
(In reply to Akemi Yagi from comment #5)
> "I can only suggest that both the RHEL team and CentOS teams explicitly
> re-test their packages for the CVE-2013-0189 vulnerability (sending _any_ 
> Basic auth credentials to cachemgr.cgi is enough to crash it) and apply the
> missing portions of the patch if necessary."

I had a look at this, and came to conclusion that our statement in comment #4 is correct.  The crash you are seeing is *not* what CVE-2013-0189 was assigned to.  However, it was introduced by the CVE-2012-5643 fix, it's one of the several problems the patch for that issue had.

For more detailed explanation, I'm going to paste here a time line currently listed in the upstream advisory:

http://www.squid-cache.org/Advisories/SQUID-2012_1.txt

Revision history:

 2012-10-29 12:47 --- Initial Detection
 2012-11-15 03:05 GMT Patches Released
 2012-12-17 06:20 GMT Advisory Released
 2012-12-18 22:17 GMT Additional flaw identified
 2012-12-21 21:38 GMT Additional flaw identified
 2013-01-01 06:50 GMT Updated patches and advisory released
 2013-01-09 02:50 GMT Updated packages released
 2013-01-21 00:00 GMT Squid-2.7 patch released
 2013-03-08 00:39 GMT Updated CVE references

The original advisory was released mid-Dec 2012.  Few days later, problems were identified with the fix.  The check that was added to limit POST data size was reversed, so it failed to the original problem.  Additionally, extra code added could theoretically lead to an infinite loop.  Those issues were fixed early Jan 2013.  CVE-2013-0189 was assigned to the bad fix (reversed size check) on Jan16 2013.

The crash you're reporting was only reported and fixed upstream on Feb22 2013:

http://bugs.squid-cache.org/show_bug.cgi?id=3790
http://bazaar.launchpad.net/~squid/squid/3.1/revision/10486

and hence can not be considered as part of previously assigned CVE-2013-0189.  I do not believe a new CVE is needed.  The problem is that code tries to free static buffer, which causes CGI application to abort.  The crash only affects request of the "attacker" and does not impact availability of the service for other users.  I do not believe there is a reason to assume worse impact than a crash here.  However, it is functional regression and hence there's separate bug 990186 now.

Note that upstream patch for 3.1 linked from the upstream advisory was updated some time after Feb22 and includes the additional fix:

http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch

There's no note of the update in the SQUID-2012:1 revision history.


Note You need to log in before you can comment on or make changes to this bug.