Bug 990186 - squid: cachemgr regression introduced in RHSA-2013:0505
Summary: squid: cachemgr regression introduced in RHSA-2013:0505
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: squid
Version: 6.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
Assignee: Pavel Šimerda (pavlix)
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1009402
Reported: 2013-07-30 14:25 UTC by Tomas Hoger
Modified: 2013-11-14 10:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-14 10:36:37 UTC
Target Upstream Version:


Attachments
Upstream patch (931 bytes, patch)
2013-09-11 09:56 UTC, Michal Luscon

Description Tomas Hoger 2013-07-30 14:25:38 UTC
Description of problem:
A fix for CVE-2012-5643 released via RHSA-2013:0505 as part of Red Hat Enterprise Linux 6.4 introduced a regression in cachemgr.cgi. The CGI application crashes whenever an attempt is made to make an authenticated connection to a proxy server.

Version-Release number of selected component (if applicable):
squid-3.1.10-18.el6_4

Steps to Reproduce:
1. install squid and httpd
2. open http://localhost/Squid/cgi-bin/cachemgr.cgi
3. enter an arbitrary value in the password field and submit
4. see Internal Server Error and httpd error_log containing a crash backtrace starting as:

*** glibc detected *** /usr/lib/squid/cachemgr.cgi: free(): invalid pointer: 0x00ca7260 ***
======= Backtrace: =========
/lib/libc.so.6(+0x70e31)[0x26ee31]
/usr/lib/squid/cachemgr.cgi(+0x87ee)[0xc9b7ee]
/usr/lib/squid/cachemgr.cgi(main+0x7d9)[0xc971a9]
/lib/libc.so.6(__libc_start_main+0xe6)[0x214ce6]
/usr/lib/squid/cachemgr.cgi(+0x1e51)[0xc94e51]

Additional info:
The problem is in tools/cachemgr.cc make_auth_header(), which was modified by the patch to free str64 returned by base64_encode(). However, the pointer returned by base64_encode() is a pointer to base64_encode()'s static result[] array, not dynamically allocated memory (that is a difference from the squid 3.2 code base).

References:
http://bugs.squid-cache.org/show_bug.cgi?id=3790
http://bazaar.launchpad.net/~squid/squid/3.1/revision/10486
http://bugs.squid-cache.org/show_bug.cgi?id=3881
http://bugs.centos.org/view.php?id=6572
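
The ownership mistake described under "Additional info", as an added C example that is not Squid's code or the attached patch. demo_base64_encode() and demo_make_auth_header() are hypothetical stand-ins; the encoder returns a pointer into a static array, as the description says base64_encode() does in this code base, and the header builder frees nothing it did not allocate.

```c
/* Added illustration, not Squid source; demo_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Returns a pointer into a static array (the behaviour the report describes):
 * the caller does not own it and must never pass it to free(). */
static const char *demo_base64_encode(const char *in)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static char result[512];
    size_t len = strlen(in), o = 0;
    if (len > (sizeof(result) - 1) / 4 * 3)
        return NULL;                          /* would not fit in result[] */
    for (size_t i = 0; i < len; i += 3) {
        unsigned v = (unsigned)(unsigned char)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)(unsigned char)in[i + 1] << 8;
        if (i + 2 < len) v |= (unsigned char)in[i + 2];
        result[o++] = tbl[(v >> 18) & 63];
        result[o++] = tbl[(v >> 12) & 63];
        result[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        result[o++] = (i + 2 < len) ? tbl[v & 63] : '=';
    }
    result[o] = '\0';
    return result;
}

/* Builds the header in heap memory the caller owns; NULL on failure. */
static char *demo_make_auth_header(const char *user, const char *pass)
{
    char plain[256];
    int n = snprintf(plain, sizeof(plain), "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof(plain))
        return NULL;                          /* credentials too long */
    const char *str64 = demo_base64_encode(plain);
    if (str64 == NULL) return NULL;
    size_t need = strlen("Authorization: Basic \r\n") + strlen(str64) + 1;
    char *hdr = malloc(need);
    if (hdr != NULL)
        snprintf(hdr, need, "Authorization: Basic %s\r\n", str64);
    /* Regression pattern: free((void *)str64) here passes an address inside
     * result[] to glibc, which aborts with "free(): invalid pointer". */
    return hdr;
}

int main(void) {
    char *h = demo_make_auth_header("user", "pass"); /* constructed input */
    if (h != NULL) fputs(h, stdout);
    free(h);                                  /* hdr is the only heap object */
    return 0;
}
```

Because the encoder's result lives in one static array, a second call overwrites the first result, so a caller that needs the string later has to copy it before encoding anything else.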

Comment 3 Eliezer Croitoru 2013-07-30 15:43:50 UTC
Squid now is already releasing 3.4.0.1 beta which means that RH is far being just BUG fixes but already late in distributing the latest stable which is 3.3.8.

Eliezer

Comment 5 Tomas Hoger 2013-08-01 19:22:19 UTC
(In reply to Eliezer Croitoru from comment #3)
> Squid now is already releasing 3.4.0.1 beta which means that RH is far being
> just BUG fixes but already late in distributing the latest stable which is
> 3.3.8.

This bug report is about the specific problem.  If you are interested in other fixes or enhancements from a newer upstream squid version, please consider filing a separate request with details.

Comment 6 Michal Luscon 2013-09-11 09:56:46 UTC
Created attachment 796320 [details]
Upstream patch

Comment 10 Eliezer Croitoru 2013-09-20 01:31:04 UTC
(In reply to Michal Luscon from comment #6)
> Created attachment 796320 [details]
> Upstream patch

This patch was tested in the newer version of squid.
I do not know how it goes inside RH but, this patch means there is an update to the RPM?

Eliezer

Comment 11 Ondrej Vasik 2013-09-20 07:54:58 UTC
Once it gets through the internal testing, there will be an updated officially supported rpm available.

