Bug 626927 (CVE-2010-2951) - CVE-2010-2951 squid: child assertion failure when processing large DNS replies with no IPv6 resolver present
Summary: CVE-2010-2951 squid: child assertion failure when processing large DNS replie...
Alias: CVE-2010-2951
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Duplicates: 649543
Depends On: 626933
Reported: 2010-08-24 17:25 UTC by Jan Lieskovsky
Modified: 2021-03-26 15:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-08-25 13:03:30 UTC

Description Jan Lieskovsky 2010-08-24 17:25:28 UTC
A buffer overread flaw was found in the way the Squid proxy caching server
processed large DNS replies in cases when no IPv6 resolver was present.
A remote attacker could provide a DNS reply with a large amount of data,
leading to denial of service (squid server crash).

Upstream bug report:
  [1] http://bugs.squid-cache.org/show_bug.cgi?id=3021

Relevant upstream changeset:
  [2] http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072

  [3] http://marc.info/?l=squid-users&m=128263555724981&w=2
  [4] http://bugs.gentoo.org/show_bug.cgi?id=334263

CVE Request:
  [5] http://www.openwall.com/lists/oss-security/2010/08/24/6

Comment 1 Jan Lieskovsky 2010-08-24 17:27:34 UTC
This issue did NOT affect the versions of the squid package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.

This issue affects the versions of the squid package, as shipped with
Fedora releases 12 and 13.

Please fix.

Comment 2 Jan Lieskovsky 2010-08-24 17:39:46 UTC
Created squid tracking bugs for this issue

Affects: fedora-all [bug 626933]

Comment 3 Henrik Nordström 2010-08-24 17:58:45 UTC
This affects the 3.1.6 version in Fedora updates-testing only. Issue got introduced in Squid- Latest stable release pushed for Fedora is 3.1.4, which does not have this issue.

It's a stability issue where Squid due to a coding error automatically restarts if not able to talk to a resolver over IPv6 and needing to retry the DNS query over TCP.

It's not really something I would grade as a security issue.

Comment 4 Henrik Nordström 2010-08-24 18:03:44 UTC
And no, it's not a buffer overflow. Just a plain assertion failed crash/abort due to trying to use an unset socket file descriptor (-1) for talking to the resolver.

Comment 5 Tomas Hoger 2010-08-25 13:03:30 UTC
Henrik, thank you for the clarifications!

Comment 6 Vincent Danen 2010-11-03 23:45:36 UTC
*** Bug 649543 has been marked as a duplicate of this bug. ***
