Bug 990186 - squid: cachemgr regression introduced in RHSA-2013:0505
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: squid
Version: 6.4
Hardware: Unspecified Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Pavel Šimerda (pavlix)
QA Contact: BaseOS QE Security Team
Keywords: Regression, ZStream
Blocks: 1009402
Reported: 2013-07-30 10:25 EDT by Tomas Hoger
Modified: 2013-11-14 05:36 EST
Doc Type: Bug Fix
Last Closed: 2013-11-14 05:36:37 EST
Type: Bug

Attachments
Upstream patch (931 bytes, patch)
2013-09-11 05:56 EDT, Michal Luscon

Description Tomas Hoger 2013-07-30 10:25:38 EDT
Description of problem:
A fix for CVE-2012-5643 released via RHSA-2013:0505 as part of Red Hat Enterprise Linux 6.4 introduced a regression in cachemgr.cgi. The CGI application crashes whenever an attempt is made to make an authenticated connection to a proxy server.

Version-Release number of selected component (if applicable):
squid-3.1.10-18.el6_4

Steps to Reproduce:
1. install squid and httpd
2. open http://localhost/Squid/cgi-bin/cachemgr.cgi
3. enter an arbitrary value in the password field and submit
4. see Internal Server Error and httpd error_log containing a crash backtrace starting as:

*** glibc detected *** /usr/lib/squid/cachemgr.cgi: free(): invalid pointer: 0x00ca7260 ***
======= Backtrace: =========
/lib/libc.so.6(+0x70e31)[0x26ee31]
/usr/lib/squid/cachemgr.cgi(+0x87ee)[0xc9b7ee]
/usr/lib/squid/cachemgr.cgi(main+0x7d9)[0xc971a9]
/lib/libc.so.6(__libc_start_main+0xe6)[0x214ce6]
/usr/lib/squid/cachemgr.cgi(+0x1e51)[0xc94e51]

Additional info:
The problem is in tools/cachemgr.cc make_auth_header(), which was modified by the patch to free str64 returned by base64_encode().  However, the pointer returned by base64_encode() is a pointer to base64_encode()'s static result[] array, not dynamically allocated memory (that is a difference from the squid 3.2 code base).

References:
http://bugs.squid-cache.org/show_bug.cgi?id=3790
http://bazaar.launchpad.net/~squid/squid/3.1/revision/10486
http://bugs.squid-cache.org/show_bug.cgi?id=3881
http://bugs.centos.org/view.php?id=6572
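
The ownership mistake described in the report, as an added C sketch (not squid's code and not the attached upstream patch). b64_static, auth_header_regressed and auth_header_fixed are hypothetical stand-ins, and copying into caller-owned heap memory is one safe pattern, not necessarily what the upstream fix does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in (not squid's code): returns its own static buffer. */
const char *b64_static(const char *in)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    static char result[256];
    size_t len = strlen(in), o = 0;
    for (size_t i = 0; i < len && o + 4 < sizeof(result); i += 3) {
        unsigned v = (unsigned)(unsigned char)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)(unsigned char)in[i + 1] << 8;
        if (i + 2 < len) v |= (unsigned char)in[i + 2];
        result[o++] = tbl[(v >> 18) & 63];
        result[o++] = tbl[(v >> 12) & 63];
        result[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        result[o++] = (i + 2 < len) ? tbl[v & 63] : '=';
    }
    result[o] = '\0';
    return result;
}

#ifdef DEMO_REGRESSION
/* Pattern from the report: glibc aborts. Built only with -DDEMO_REGRESSION. */
void auth_header_regressed(const char *userpass)
{
    char *str64 = (char *)b64_static(userpass);
    free(str64);                /* BUG: points at result[], not the heap */
}
#endif

/* Safe ownership: return a heap copy the caller frees; only read result[]. */
char *auth_header_fixed(const char *userpass)
{
    const char *str64 = b64_static(userpass);     /* borrowed: do not free */
    size_t n = strlen(str64) + sizeof("Authorization: Basic \r\n");
    char *hdr = malloc(n);
    if (hdr) snprintf(hdr, n, "Authorization: Basic %s\r\n", str64);
    return hdr;
}

int main(void)
{
    char *hdr = auth_header_fixed("user:secret"); /* constructed input */
    if (hdr) fputs(hdr, stdout);
    free(hdr);
    return 0;
}
```

Because the encoder reuses one buffer, a second call overwrites the first result, so a borrowed pointer has to be copied before the next call as well as never freed.
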
Comment 3 Eliezer Croitoru 2013-07-30 11:43:50 EDT
Squid now is already releasing 3.4.0.1 beta which means that RH is far being just BUG fixes but already late in distributing the latest stable which is 3.3.8.

Eliezer
Comment 5 Tomas Hoger 2013-08-01 15:22:19 EDT
(In reply to Eliezer Croitoru from comment #3)
> Squid now is already releasing 3.4.0.1 beta which means that RH is far being
> just BUG fixes but already late in distributing the latest stable which is
> 3.3.8.

This bug report is about the specific problem.  If you are interested in other fixes or enhancements from a newer upstream squid version, please consider filing a separate request with details.
Comment 6 Michal Luscon 2013-09-11 05:56:46 EDT
Created attachment 796320
Upstream patch
Comment 10 Eliezer Croitoru 2013-09-19 21:31:04 EDT
(In reply to Michal Luscon from comment #6)
> Created attachment 796320
> Upstream patch

This patch was tested in the newer version of squid.
I do not know how it goes inside RH but, this patch means there is an update to the RPM?

Eliezer
Comment 11 Ondrej Vasik 2013-09-20 03:54:58 EDT
Once it gets through the internal testing, there will be an updated officially supported rpm available.