Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests

[Vincent Danen <vdanen () redhat com>]

* [2011-10-06 18:37:01 +0200] Juliusz Chroboczek wrote:

> >   a denial of service flaw was found in the way Polipo, a lightweight
> > caching web proxy, processed certain HTTP POST / PUT requests. If
> > polipo was configured to allow remote client connections and particular
> > host was allowed to connect to polipo server instance, a remote
> > attacker could use this flaw to cause denial of service (polipo daemon
> > abort due to assertion failure) via specially-crafted HTTP POST / PUT
> > request.
>
> Yes, this is a known bug with Polipo 1.0.4 and 1.0.4.1.  I believe that
> it is fixed in the Git trunk, which is unfortunately not ready to be
> released (and might never be unless a maintainer is found).

Do you have a link to the commit, or a commit id?  I can't see anything
on github that looks relevant or recent.

We do ship this in Fedora, so it would be nice to have the patch that we
could apply to what we are already shipping if no releases are
forthcoming.

Thanks.

> At any rate, I do not recommend running Polipo as a publicly accessible
> proxy.  While I have made reasonable efforts to ensure that this is
> safe, Polipo was not designed for that.

--
Vincent Danen / Red Hat Security Response Team