CAN-2005-0718: remote DoS from aborted connections

Bug #16326 reported by Debian Bug Importer
Affects          Status         Importance   Assigned to    Milestone
squid (Debian)   Fix Released   Unknown
squid (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #305605 http://bugs.debian.org/305605

Revision history for this message
In , Gangitano (gangitano) wrote : Re: Bug #305605: CAN-2005-0718: remote DoS from aborted connections

tags 305605 +woody +security
thanks

As of

  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0718
  http://www.squid-cache.org/bugs/show_bug.cgi?id=1224

Squid 2.5.STABLE9 is not vulnerable (bug fixed in 2.5.STABLE8), so is the
package in sarge/sid.

I'm investigating the woody package.

Regards,

Luigi Gangitano

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 21 Apr 2005 12:05:39 +1000
From: "Geoff Crompton" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2005-0718: remote DoS from aborted connections

Package: squid
Severity: grave
Justification: user security hole

More info at http://www.securityfocus.com/bid/13166, but in summary:

> A remote denial of service vulnerability affects the Squid Proxy.
> This issue is due to a failure of the application to properly handle
> exceptional network requests. The problem presents itself when a
> remote attacker prematurely aborts a connection during a PUT or POST
> request.
> A remote attacker may leverage this issue to crash the affected Squid
> Proxy, denying service to legitimate users.

Vulnerable versions listed at that site say that 2.4.6, and 2.5.9 are
both vulnerable, suggesting that Woody, Sarge, Sid are all exposed.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Revision history for this message
In , Christian Hammers (ch-westend) wrote : Re: CAN-2005-0718: remote DoS in Squid -- any progress?

Hello

The bug has been reported more than a week ago and the last status from
the same date is that the Woody package is being investigated.

Are there any news regarding the vulnerability status of the Woody
package or the preparation of a DSA?

bye,

-christian-

--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10 Tel 0241/701333-11
<email address hidden> D-52064 Aachen Fax 0241/911879

Revision history for this message
In , Martin Schulze (joey-infodrom) wrote :

Christian Hammers wrote:
> Hello
>
> The bug has been reported more than a week ago and the last status from
> the same date is that the Woody package is being investigated.
>
> Are there any news regarding the vulnerability status of the Woody
> package or the preparation of a DSA?

Luigi is taking a look. It's not yet clear whether this problem even
exists in woody. Sid and sarge are fine. If you are able to fix the
package in woody, that would help a lot.

Regards,

 Joey

--
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

Revision history for this message
In , Christian Hammers (ch) wrote :

On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > Are there any news regarding the vulnerability status of the Woody
> > package or the preparation of a DSA?
>
> Luigi is taking a look. It's not yet clear whether this problem even
> exists in woody. Sid and sarge are fine. If you are able to fix the
> package in woody, that would help a lot.

Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
and released an advisory today:

 http://www.mandriva.com/security/advisories?name=MDKSA-2005:078

Sadly I was just not able to find the following source package which
probably includes the patch. Does anybody know where they hide their
download server?

 corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
 md5sum: 715494248752557eb0b718f2a4dd34c9

bye,

-christian-

--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
                              Lütticher Straße 10 Tel 0241/701333-11
<email address hidden> D-52064 Aachen Fax 0241/911879

Revision history for this message
In , Martin Schulze (joey-infodrom) wrote :

Christian Hammers wrote:
> On Fri, Apr 29, 2005 at 02:56:38PM +0200, Martin Schulze wrote:
> > > Are there any news regarding the vulnerability status of the Woody
> > > package or the preparation of a DSA?
> >
> > Luigi is taking a look. It's not yet clear whether this problem even
> > exists in woody. Sid and sarge are fine. If you are able to fix the
> > package in woody, that would help a lot.
>
> Mandriva has fixed the bug in 2.4.STABLE7 (we have 2.4.STABLE6 in Woody)
> and released an advisory today:
>
> http://www.mandriva.com/security/advisories?name=MDKSA-2005:078
>
> Sadly I was just not able to find the following source package which
> probably includes the patch. Does anybody know where they hide their
> download server?
>
> corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
> md5sum: 715494248752557eb0b718f2a4dd34c9

ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Regards,

 Joey

--
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

Revision history for this message
In , Luigi Gangitano (luigi) wrote :

>> corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
>> md5sum: 715494248752557eb0b718f2a4dd34c9
>
> ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm

Great! They didn't fix it (no post patch in it) and added the setcookie patch
that is not needed prior to 2.5.STABLE7.

Still looking for a proof of concept to test the woody package.

Regards,

L


Revision history for this message
In , Christian Hammers (ch) wrote :

Hello

On 2005-04-29 Luigi Gangitano wrote:
> >> corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
> >> md5sum: 715494248752557eb0b718f2a4dd34c9
> >
> > ftp://ftp.gwdg.de/pub/linux/mandrake/official/updates/corporate/2.1/SRPMS/squid-2.4.STABLE7-2.6.C21mdk.src.rpm
>
> Great! They didn't fix it (no post patch in it) and added the setcookie
> patch that is not needed prior to 2.5.STABLE7.
>
> Still looking for a proof of concept to test the woody package.

I found the following sentence in the last changelog entry of the Mandriva
package and think it's interesting for those watching this bug:

  * Wed Apr 27 2005 Stew Benedict <email address hidden>
    2.4.STABLE7-2.6.C21mdk
    - CAN-2005-0718 - patch not relevant, segfault occurs in an unprotected
      call to clientProcessBody, which isn't used in 2.4.STABLE7

In this case I can sleep better although it would be nice if you could get
this confirmed by the Squid developers. If you kindly ask they will probably
even test their PoC exploit against a Debian server even if they do not want
to release it to the public.

bye,

-christian-

Revision history for this message
In , Luigi Gangitano (luigi) wrote : CAN-2005-1345: fix for woody

tags 305605 + security fixed pending
thanks

Hi Martin,
please find the updated stable package diff attached.

For sid this has been fixed in 2.5.9-8.

Regards,

L

On Fri, 29/04/2005 at 08.05 +0200, Martin Schulze wrote:
> http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error
>
> Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it
> identifies missing or invalid ACLs in the http_access configuration,
> which could lead to less restrictive ACLs than intended by the
> administrator.
>
> CAN-2005-1345

--
 Luigi Gangitano -- <email address hidden> -- <email address hidden>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Revision history for this message
In , Luigi Gangitano (luigi) wrote : Wrong bug...

tags 305605 - fixed pending
tags 307132 + woody fixed pending
thanks

--
 Luigi Gangitano -- <email address hidden> -- <email address hidden>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Revision history for this message
In , Luigi Gangitano (luigi) wrote : Re: Bug#305605: CAN-2005-0718: remote DoS from aborted connections

severity 305605 important
thanks

I'm downgrading severity of this bug from RC to important because (if it
exists at all), it only applies to woody, so is not 'release critical'
for sarge.

Regards,

--
 Luigi Gangitano -- <email address hidden> -- <email address hidden>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26

Revision history for this message
In , Frank Lichtenheld (djpig) wrote :

severity 305605 grave
thanks

On Fri, May 06, 2005 at 09:47:23PM +0200, Luigi Gangitano wrote:
> I'm downgrading severity of this bug from RC to important because (if it
> exists at all), it only applies to woody, so is not 'release critical'
> for sarge.

Hi.

Sorry, but please leave grave bugs that only affect woody at grave severity
and only tag them woody. That is exactly what the distribution tags are for.

Regards,
--
Frank Lichtenheld <email address hidden>
www: http://www.djpig.de/

Revision history for this message
Martin Pitt (pitti) wrote :

Warty was fixed in USN-111-1. 2.5.8+ (as in Hoary and Breezy) are not affected.

Revision history for this message
In , Luigi Gangitano (luigi) wrote : BTS clean-up with new features

found 305605 2.4.6-2woody1
close 305605 2.5.8-1
found 309504 2.4.6-2woody1
close 309504 2.5.9-9
close 309504 2.4.6-2woody9
thanks

--
 Luigi Gangitano -- <email address hidden> -- <email address hidden>
 GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
