Bug 895972 - (CVE-2013-0189) CVE-2013-0189 squid: Incomplete fix for the CVE-2012-5643 issue
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130101,repor...
Keywords: Security
Depends On: 895976
Blocks: 887969
Reported: 2013-01-16 07:05 EST by Jan Lieskovsky
Modified: 2013-07-30 10:53 EDT (History)
CC: 6 users
Doc Type: Bug Fix
Last Closed: 2013-01-17 00:18:50 EST
External Trackers:
Tracker  ID      Priority  Status  Summary  Last Updated
Novell   796999  None      None    None     Never

Description Jan Lieskovsky 2013-01-16 07:05:21 EST
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later, the upstream patch for the CVE-2012-5643 issue was found to be incomplete, resulting in a new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset).
Comment 2 Jan Lieskovsky 2013-01-16 07:10:40 EST
This issue did NOT affect the versions of the squid package as shipped with Red Hat Enterprise Linux 5 and 6, as the incomplete fix for the CVE-2012-5643 issue had not been released for them. For further information regarding the original CVE-2012-5643 issue and affected versions, refer to:
  https://bugzilla.redhat.com/show_bug.cgi?id=887962#c5

--

This issue affects the versions of the squid package as shipped with Fedora releases 16 and 17. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-01-16 07:11:34 EST
Created squid tracking bugs for this issue

Affects: fedora-all [bug 895976]
Comment 4 Huzaifa S. Sidhpurwala 2013-01-17 03:33:26 EST
Statement:

Not Vulnerable. This issue does not affect the version of squid as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 5 Akemi Yagi 2013-07-29 16:37:57 EDT
According to the following bug report filed at http://bugs.squid-cache.org, it is possible that squid in RHEL 6 is vulnerable:

http://bugs.squid-cache.org/show_bug.cgi?id=3881

An excerpt from comment #3:

"I can only suggest that both the RHEL team and CentOS teams explicitly re-test
their packages for the CVE-2013-0189 vulnerability (sending _any_ Basic auth
credentials to cachemgr.cgi is enough to crash it) and apply the missing
portions of the patch if necessary."

Could someone at Red Hat clarify the issue, please?
Comment 7 Tomas Hoger 2013-07-30 10:53:11 EDT
(In reply to Akemi Yagi from comment #5)
> "I can only suggest that both the RHEL team and CentOS teams explicitly
> re-test their packages for the CVE-2013-0189 vulnerability (sending _any_ 
> Basic auth credentials to cachemgr.cgi is enough to crash it) and apply the
> missing portions of the patch if necessary."

I had a look at this, and came to the conclusion that our statement in comment #4 is correct.  The crash you are seeing is *not* what CVE-2013-0189 was assigned to.  However, it was introduced by the CVE-2012-5643 fix; it is one of the several problems the patch for that issue had.

For a more detailed explanation, I'm going to paste here the time line currently listed in the upstream advisory:

http://www.squid-cache.org/Advisories/SQUID-2012_1.txt

Revision history:

 2012-10-29 12:47 --- Initial Detection
 2012-11-15 03:05 GMT Patches Released
 2012-12-17 06:20 GMT Advisory Released
 2012-12-18 22:17 GMT Additional flaw identified
 2012-12-21 21:38 GMT Additional flaw identified
 2013-01-01 06:50 GMT Updated patches and advisory released
 2013-01-09 02:50 GMT Updated packages released
 2013-01-21 00:00 GMT Squid-2.7 patch released
 2013-03-08 00:39 GMT Updated CVE references

The original advisory was released mid-Dec 2012.  A few days later, problems were identified with the fix.  The check that was added to limit POST data size was reversed, so it failed to fix the original problem.  Additionally, extra code added could theoretically lead to an infinite loop.  Those issues were fixed early Jan 2013.  CVE-2013-0189 was assigned to the bad fix (reversed size check) on Jan 16 2013.

The crash you're reporting was only reported and fixed upstream on Feb 22 2013:

http://bugs.squid-cache.org/show_bug.cgi?id=3790
http://bazaar.launchpad.net/~squid/squid/3.1/revision/10486

and hence cannot be considered part of the previously assigned CVE-2013-0189.  I do not believe a new CVE is needed.  The problem is that the code tries to free a static buffer, which causes the CGI application to abort.  The crash only affects the request of the "attacker" and does not impact availability of the service for other users.  I do not believe there is a reason to assume a worse impact than a crash here.  However, it is a functional regression and hence there's a separate bug 990186 now.

Note that the upstream patch for 3.1 linked from the upstream advisory was updated some time after Feb 22 and includes the additional fix:

http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch

There's no note of the update in the SQUID-2012:1 revision history.
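The two defects comment 7 describes, a POST size check written in the wrong direction and a release path that calls free() on static storage, are worth seeing side by side as general C patterns. The following is an added illustration written for this page; it is not Squid's cachemgr.cc code and does not reproduce either upstream patch. MAX_POST_LEN, the helper names and the `owned` flag are assumptions made for the example, not Squid identifiers.

```c
#include <assert.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for this illustration; not Squid's actual constant. */
#define MAX_POST_LEN 4096L

/* Strict Content-Length parser: decimal digits only, no sign, no whitespace,
 * no trailing garbage, no overflow. Returns -1 for anything it will not accept,
 * so a malformed header is rejected rather than read as some other number. */
static long parse_content_length(const char *s)
{
    if (s == NULL || *s == '\0')
        return -1;
    long v = 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        int d = *s - '0';
        if (v > (LONG_MAX - d) / 10)   /* next step would overflow */
            return -1;
        v = v * 10 + d;
    }
    return v;
}

/* The shape of the defect comment 7 calls a "reversed" size check: the comparison
 * points the wrong way, so oversized bodies pass and normal ones are refused.
 * Present only as the contrast to post_len_ok() below. */
static int post_len_ok_reversed(long len)
{
    return len > MAX_POST_LEN;
}

/* Correct direction: accept only a non-negative length within the limit. */
static int post_len_ok(long len)
{
    return len >= 0 && len <= MAX_POST_LEN;
}

/* Copy a POST body from an in-memory "stream" (standing in for a CGI program's
 * stdin) into a caller-supplied buffer. Copies at most the validated Content-Length
 * and never more than the buffer holds, so a peer cannot make memory grow.
 * Returns bytes copied, or -1 when the header is missing, malformed or too large. */
static long read_post_body(const char *cl_hdr, const char *stream, size_t stream_len,
                           char *out, size_t outsz)
{
    long len = parse_content_length(cl_hdr);
    if (!post_len_ok(len) || (size_t)len >= outsz)
        return -1;
    size_t n = (size_t)len < stream_len ? (size_t)len : stream_len;
    memcpy(out, stream, n);
    out[n] = '\0';
    return (long)n;
}

/* A string that may live in static storage or on the heap. The owned flag is what
 * makes buf_release() safe: free() is only ever called on heap memory, avoiding the
 * free-of-a-static-buffer abort the thread describes. */
typedef struct {
    char *data;
    int owned;   /* 1 = heap allocation we must free, 0 = static storage */
} buf_t;

static buf_t buf_from_static(char *s)
{
    buf_t b = { s, 0 };
    return b;
}

static buf_t buf_from_heap(const char *s)
{
    size_t n = strlen(s) + 1;
    buf_t b = { malloc(n), 1 };
    if (b.data != NULL)
        memcpy(b.data, s, n);
    return b;
}

static void buf_release(buf_t *b)
{
    if (b->owned)
        free(b->data);
    b->data = NULL;
    b->owned = 0;
}

int main(void)
{
    static char fallback[] = "anonymous";   /* constructed sample in static storage */
    char body[MAX_POST_LEN + 1];

    assert(post_len_ok(4096) && !post_len_ok(4097));
    assert(post_len_ok_reversed(4097));      /* the bug: oversized body accepted */

    long n = read_post_body("5", "hello world", 11, body, sizeof body);
    printf("copied %ld bytes: \"%s\"\n", n, body);

    buf_t user = buf_from_static(fallback);
    buf_release(&user);                      /* no free(): data was static */
    buf_t user2 = buf_from_heap("alice");    /* constructed sample on the heap */
    buf_release(&user2);                     /* freed exactly once */
    return 0;
}
```

The ownership flag is the transferable lesson: when one variable can point at either static or heap memory, the release path needs a record of which it is, because free() on static storage is undefined behaviour and, as in the crash discussed above, typically aborts the process.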
