squid: [CVE-2005-3258] remote FTP buffer overflow

Bug #24345 reported by Debian Bug Importer
Affects          Status         Importance   Assigned to   Milestone
squid (Debian)   Fix Released   Unknown
squid (Ubuntu)   Invalid        High         Unassigned

Bug Description

Automatically imported from Debian bug report #334882 http://bugs.debian.org/334882

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 20 Oct 2005 15:42:00 +0200
From: Martin Pitt <email address hidden>
To: Debian BTS Submit <email address hidden>
Subject: squid: [CVE-2005-3258] remote FTP buffer overflow

Package: squid
Version: 2.5.10-6
Severity: critial
Tags: security patch

Hi Luigi!

There is a new buffer overflow in Squid:

| ======================================================
| Candidate: CVE-2005-3258
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
| Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
|
| The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
| earlier allows remote FTP servers to cause a denial of service
| (segmentation fault) via certain crafted responses.

(Please note the recent Mitre name change, vulnerabilities now have
the CVE prefix, not CAN any more).

In addition, I just noticed that in version 2.5.10-6 you added a
security patch 46-ntlm-scheme-assert.dpatch which is not actually
applied in 00list. Please add it. (One of the reasons why I hate
dpatch :-/ ).

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 21 Oct 2005 00:53:14 +0200
From: Luigi Gangitano <email address hidden>
To: <email address hidden>
Subject: Re: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow

found 334882 2.5.9-10sarge2
severity 334882 critical
tags 334882 -patch
thanks

--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 21 Oct 2005 01:08:55 +0200
From: Luigi Gangitano <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow

notfound 334882 2.5.10-6
notfound 334882 2.5.9-10sarge2
thanks

Hi Martin,
thanks for reporting this. Actually this bug was introduced in a
patch to squid-2.5.STABLE10 that has never been applied to a debian
package. So Debian is not affected. I did not upload any package
based on squid-2.5.STABLE11 since upstream stated that this release
is known to be badly broken.

I just fixed the missing patch for the previous bug and will upload
it shortly.

Regards,

L

On 20 Oct 05, at 15:42, Martin Pitt wrote:

> Package: squid
> Version: 2.5.10-6
> Severity: critial
> Tags: security patch
>
> Hi Luigi!
>
> There is a new buffer overflow in Squid:
>
> | ======================================================
> | Candidate: CVE-2005-3258
> | URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
> | Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
> |
> | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
> | earlier allows remote FTP servers to cause a denial of service
> | (segmentation fault) via certain crafted responses.
>
> (Please note the recent Mitre name change, vulnerabilities now have
> the CVE prefix, not CAN any more).
>
> In addition, I just noticed that in version 2.5.10-6 you added a
> security patch 46-ntlm-scheme-assert.dpatch which is not actually
> applied in 00list. Please add it. (One of the reasons why I hate
> dpatch :-/ ).

--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
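
The side issue raised in this exchange, a security patch (46-ntlm-scheme-assert.dpatch) shipped in the package but never named in 00list, is something a build-time check can catch. The following is an added example, not part of the bug thread or of the Debian package: a POSIX shell check that reports .dpatch files missing from 00list. The function names, the sample tree and the 00list syntax it accepts (one name per line, optional .dpatch suffix, # comments) are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): list *.dpatch files that exist in a
# patch directory but are not named in its 00list, i.e. are never applied.
# Assumed 00list format: one name per line, ".dpatch" suffix optional,
# "#" starts a comment.

unlisted_dpatches() {
    dir=$1
    [ -f "$dir/00list" ] || { echo "no 00list in $dir" >&2; return 2; }
    # Normalise entries: strip comments, surrounding blanks and the suffix.
    listed=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                 -e '/^$/d' -e 's/\.dpatch$//' "$dir/00list")
    rc=0
    for f in "$dir"/*.dpatch; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f" .dpatch)
        if ! printf '%s\n' "$listed" | grep -Fxq -e "$name"; then
            printf '%s.dpatch\n' "$name"   # on disk, absent from 00list
            rc=1
        fi
    done
    return $rc                             # 0 = all listed, 1 = some unlisted
}

# Constructed sample tree: only 46-ntlm-scheme-assert.dpatch is a name taken
# from the report; the other patch names are made up.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    : > "$t/01-sample-fix.dpatch"
    : > "$t/02-sample-docs.dpatch"
    : > "$t/46-ntlm-scheme-assert.dpatch"
    printf '%s\n' '# constructed 00list' \
        '01-sample-fix.dpatch' '02-sample-docs' > "$t/00list"
    printf '%s\n' "$t"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    unlisted_dpatches "$tree" && echo "all patches listed"
    rm -rf "$tree"
fi
```

Run against a real source tree as `unlisted_dpatches debian/patches`; a non-zero exit status can fail the package build or a CI job.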

Matt Zimmerman (mdz) wrote :

Reported by Martin Pitt, so I assume he's on top of things ;-)

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 2 Nov 2005 16:07:10 +0100
From: Luigi Gangitano <email address hidden>
To: <email address hidden>
Subject: Fwd: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow

This bug does not apply to any version of squid in debian.

Begin forwarded message:

> Resent-From: Luigi Gangitano <email address hidden>
> From: Luigi Gangitano <email address hidden>
> Date: 21 October 2005 1:08:55 GMT+02:00
> Resent-To: <email address hidden>
> To: Martin Pitt <email address hidden>, <email address hidden>
> Resent-Cc: Luigi Gangitano <email address hidden>
> Cc: <email address hidden>, <email address hidden>
> Subject: Bug#334882: squid: [CVE-2005-3258] remote FTP buffer overflow
> Reply-To: Luigi Gangitano <email address hidden>,
> <email address hidden>
>
> notfound 334882 2.5.10-6
> notfound 334882 2.5.9-10sarge2
> thanks
>
> Hi Martin,
> thanks for reporting this. Actually this bug was introduced in a
> patch to squid-2.5.STABLE10 that has never been applied to a debian
> package. So Debian is not affected. I did not upload any package
> based on squid-2.5.STABLE11 since upstream stated that this release
> is known to be badly broken.
>
> I just fixed the missing patch for the previous bug and will upload
> it shortly.
>
> Regards,
>
> L
>
> On 20 Oct 05, at 15:42, Martin Pitt wrote:
>
>> Package: squid
>> Version: 2.5.10-6
>> Severity: critial
>> Tags: security patch
>>
>> Hi Luigi!
>>
>> There is a new buffer overflow in Squid:
>>
>> | ======================================================
>> | Candidate: CVE-2005-3258
>> | URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3258
>> | Reference: CONFIRM:http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE11-rfc1738_do_escape
>> |
>> | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and
>> | earlier allows remote FTP servers to cause a denial of service
>> | (segmentation fault) via certain crafted responses.
>>
>> (Please note the recent Mitre name change, vulnerabilities now have
>> the CVE prefix, not CAN any more).
>>
>> In addition, I just noticed that in version 2.5.10-6 you added a
>> security patch 46-ntlm-scheme-assert.dpatch which is not actually
>> applied in 00list. Please add it. (One of the reasons why I hate
>> dpatch :-/ ).

--
Luigi Gangitano -- <email address hidden> -- <email address hidden>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
