Re: squid DoS in external auth header parser

[Vincent Danen <vdanen () redhat com>]

* [2009-08-04 12:13:29 +0200] Nico Golde wrote:

> * Vincent Danen <vdanen () redhat com> [2009-07-20 19:48]:
> > I noticed this on Debian's bts [1] and also on upstream's bugzilla [2]
> > but no CVE has been assigned (not sure if one has been requested or not,
> > but I've not seen a request come through here).
> >
> > By the initial looks of things, it seems to be a fairly low severity
> > issue and may not be easy to duplicate/trigger.  The reporter didn't really
> > provide much in the way of a reproducer or relevant configs (and the
> > reference to zope auths makes me not even want to touch it).
> >
> > Has anyone taken a look at this or has a CVE been requested for it?
>
> CVE-2009-2622
> CVE-2009-2621

Are you sure?

According to MITRE's descriptions, CVE-2009-2621 deals with a lack of
enforcing "buffer limites and related bound checks", and CVE-2009-2622
deals with malformed requests.  When I was looking, it didn't seem like
either of these were the issue noted in the Debian bug.  Bug #2704 on
the squid site is still UNCONFIRMED with no additional comments made to
it, so I don't think this is fixed in the latest upstream release (and
wouldn't fall under one of these CVE's).

I don't think a CVE has been assigned to this issue, and I don't think
it has been fixed.

--
Vincent Danen / Red Hat Security Response Team