oss-sec mailing list archives
Re: Re: CVE-Request: squid pinger remote DoS
From: Amos Jeffries <squid3 () treenet co nz>
Date: Tue, 16 Sep 2014 21:35:15 +1200
On 16/09/2014 6:56 p.m., cve-assign () mitre org wrote:
>> I made a fix for squid 3.4.6 and request a CVE
>> https://bugzilla.novell.com/show_bug.cgi?id=891268
>
> Regardless of the "what happens to squid itself" answer, is it known that the crash has a security impact? This message seemed to conclude with an implied request for more information, e.g., "it looks like you can," etc.
>
> An example of a security impact would be: the administrator wanted pinger to be running, and a crash means that pinger processes/threads are no longer available, and pinger is not automatically restarted.
>
> If there is a security impact, then the patch in Novell Bug 891268 would probably correspond to at least three CVE IDs, e.g.,
>
> 1. "used to index into a string array" possibly corresponds to http://cwe.mitre.org/data/definitions/129.html for the modified default case after case 136, and approximately two other places in the patch
> 2. added "if (n <= 0)" code possibly corresponds to http://cwe.mitre.org/data/definitions/389.html
> 3. added "if (preply.psize) < 0" code apparently corresponds to a more general issue with missing data validation
What could happen worst-case (#1 or #3 on a proxy with logging set to level 2) is that the pinger can be used to deliver strings from heap to the Squid parent process cache.log. With #3 the size is not limited to c-string bytes terminated on first nil. There it amounts to the difference between the expected payload and received payload. A negative value in that calculation could result in a large number of bytes flooding the parent process's log, slowing the entire service down and/or exhausting log disk space, which in turn can crash the parent process.

The best-case being that some HTTP servers are assigned incorrect RTT values. Which adversely affects latency based routing logics for all traffic involving that server IP.

Amos
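Added example, not part of the original message and not Squid's code: a C sketch of the three validation classes discussed in this thread (a bounded lookup for a wire-supplied type index, an `n <= 0` check on the read result, and rejection of a payload size that would go negative). `HDR_LEN`, the name table and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed header size for this sketch; not Squid's actual layout. */
#define HDR_LEN 8

/* Constructed name table; real ICMP defines more types than this. */
static const char *const type_names[] = {
    "Echo Reply", "Unassigned", "Unassigned", "Destination Unreachable",
};
#define N_TYPES (sizeof(type_names) / sizeof(type_names[0]))

/* Bounded lookup: a type byte from the wire never indexes past the table. */
const char *type_name(unsigned type)
{
    return type < N_TYPES ? type_names[type] : "Out of Range Type";
}

/* The unchecked arithmetic: a short read yields a negative size, which
 * becomes a very large byte count once it is treated as unsigned. */
int unchecked_psize(int n) { return n - HDR_LEN; }

/* Derive the payload size from a recv()-style return value n.
 * Returns 0 and sets *psize on success, -1 if the packet must be dropped. */
int payload_size(ssize_t n, size_t max_payload, size_t *psize)
{
    if (n <= 0)                 /* read error or empty read */
        return -1;
    if ((size_t)n < HDR_LEN)    /* short packet: n - HDR_LEN would be negative */
        return -1;
    size_t len = (size_t)n - HDR_LEN;
    if (len > max_payload)      /* never pass on more than the buffer holds */
        return -1;
    *psize = len;
    return 0;
}

int main(void)
{
    size_t p = 0;
    printf("type 200 -> %s\n", type_name(200));
    printf("unchecked size for 3-byte read: %d (as size_t: %zu)\n",
           unchecked_psize(3), (size_t)unchecked_psize(3));
    printf("checked 3-byte read -> %d\n", payload_size(3, 64, &p));
    printf("checked 24-byte read -> %d\n", payload_size(24, 64, &p));
    return 0;
}
```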
Current thread:
- CVE-Request: squid pinger remote DoS Sebastian Krahmer (Sep 09)
- Re: CVE-Request: squid pinger remote DoS Marcus Meissner (Sep 15)
- Re: CVE-Request: squid pinger remote DoS cve-assign (Sep 15)
- Re: CVE-Request: squid pinger remote DoS Sebastian Krahmer (Sep 16)
- Re: Re: CVE-Request: squid pinger remote DoS Amos Jeffries (Sep 16)
- Re: CVE-Request: squid pinger remote DoS cve-assign (Sep 21)