cachemgr.cgi crashes after login

Bug #1194310 reported by Roel Brook on 2013-06-24
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
squid3 (Ubuntu)
High
Unassigned

Bug Description

I setup squid and the Squid cachemanager by installing squid3 and squid-cgi.

The proxy works fine. FQDN is also reported correctly and resolves correctly.

However, after opening cachemgr.cgi in a webbrowser, I'm correctly greeted with a login screen, followed by a HTTP 500. HTTPD's error.log shows the following error.

Full crash report attached.

*** Error in `/usr/lib/cgi-bin/cachemgr.cgi': free(): invalid pointer: 0x00007f9659fb06e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x80a46)[0x7f9659012a46]
/usr/lib/cgi-bin/cachemgr.cgi(main+0x6ba)[0x7f9659da074a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f9658fb3ea5]
/usr/lib/cgi-bin/cachemgr.cgi(+0x3a59)[0x7f9659da0a59]
======= Memory map: ========
7f9658964000-7f965897a000 r-xp 00000000 fc:00 329 /lib/x86_64-linux-gnu/libresolv-2.17.so
7f965897a000-7f9658b7a000 ---p 00016000 fc:00 329 /lib/x86_64-linux-gnu/libresolv-2.17.so
7f9658b7a000-7f9658b7b000 r--p 00016000 fc:00 329 /lib/x86_64-linux-gnu/libresolv-2.17.so
7f9658b7b000-7f9658b7c000 rw-p 00017000 fc:00 329 /lib/x86_64-linux-gnu/libresolv-2.17.so
7f9658b7c000-7f9658b7e000 rw-p 00000000 00:00 0
7f9658b7e000-7f9658b84000 r-xp 00000000 fc:00 292 /lib/x86_64-linux-gnu/libnss_dns-2.17.so
7f9658b84000-7f9658d83000 ---p 00006000 fc:00 292 /lib/x86_64-linux-gnu/libnss_dns-2.17.so
7f9658d83000-7f9658d84000 r--p 00005000 fc:00 292 /lib/x86_64-linux-gnu/libnss_dns-2.17.so
7f9658d84000-7f9658d85000 rw-p 00006000 fc:00 292 /lib/x86_64-linux-gnu/libnss_dns-2.17.so
7f9658d85000-7f9658d91000 r-xp 00000000 fc:00 294 /lib/x86_64-linux-gnu/libnss_files-2.17.so
7f9658d91000-7f9658f90000 ---p 0000c000 fc:00 294 /lib/x86_64-linux-gnu/libnss_files-2.17.so
7f9658f90000-7f9658f91000 r--p 0000b000 fc:00 294 /lib/x86_64-linux-gnu/libnss_files-2.17.so
7f9658f91000-7f9658f92000 rw-p 0000c000 fc:00 294 /lib/x86_64-linux-gnu/libnss_files-2.17.so
7f9658f92000-7f9659150000 r-xp 00000000 fc:00 240 /lib/x86_64-linux-gnu/libc-2.17.so
7f9659150000-7f965934f000 ---p 001be000 fc:00 240 /lib/x86_64-linux-gnu/libc-2.17.so
7f965934f000-7f9659353000 r--p 001bd000 fc:00 240 /lib/x86_64-linux-gnu/libc-2.17.so
7f9659353000-7f9659355000 rw-p 001c1000 fc:00 240 /lib/x86_64-linux-gnu/libc-2.17.so
7f9659355000-7f965935a000 rw-p 00000000 00:00 0
7f965935a000-7f965936e000 r-xp 00000000 fc:00 262 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f965936e000-7f965956e000 ---p 00014000 fc:00 262 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f965956e000-7f965956f000 r--p 00014000 fc:00 262 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f965956f000-7f9659570000 rw-p 00015000 fc:00 262 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f9659570000-7f9659673000 r-xp 00000000 fc:00 273 /lib/x86_64-linux-gnu/libm-2.17.so
7f9659673000-7f9659873000 ---p 00103000 fc:00 273 /lib/x86_64-linux-gnu/libm-2.17.so
7f9659873000-7f9659874000 r--p 00103000 fc:00 273 /lib/x86_64-linux-gnu/libm-2.17.so
7f9659874000-7f9659875000 rw-p 00104000 fc:00 273 /lib/x86_64-linux-gnu/libm-2.17.so
7f9659875000-7f965995a000 r-xp 00000000 fc:00 393234 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f965995a000-7f9659b59000 ---p 000e5000 fc:00 393234 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f9659b59000-7f9659b61000 r--p 000e4000 fc:00 393234 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f9659b61000-7f9659b63000 rw-p 000ec000 fc:00 393234 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7f9659b63000-7f9659b78000 rw-p 00000000 00:00 0
7f9659b78000-7f9659b9b000 r-xp 00000000 fc:00 220 /lib/x86_64-linux-gnu/ld-2.17.so
7f9659d8d000-7f9659d92000 rw-p 00000000 00:00 0
7f9659d96000-7f9659d9a000 rw-p 00000000 00:00 0
7f9659d9a000-7f9659d9b000 r--p 00022000 fc:00 220 /lib/x86_64-linux-gnu/ld-2.17.so
7f9659d9b000-7f9659d9d000 rw-p 00023000 fc:00 220 /lib/x86_64-linux-gnu/ld-2.17.so
7f9659d9d000-7f9659da9000 r-xp 00000000 fc:00 422156 /usr/lib/cgi-bin/cachemgr.cgi
7f9659fa8000-7f9659fa9000 r--p 0000b000 fc:00 422156 /usr/lib/cgi-bin/cachemgr.cgi
7f9659fa9000-7f9659faa000 rw-p 0000c000 fc:00 422156 /usr/lib/cgi-bin/cachemgr.cgi
7f9659faa000-7f9659fb7000 rw-p 00000000 00:00 0
7f965b46e000-7f965b48f000 rw-p 00000000 00:00 0 [heap]
7fffaa945000-7fffaa966000 rw-p 00000000 00:00 0 [stack]
7fffaa9b3000-7fffaa9b5000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
[Tue Jun 25 00:44:32 2013] [error] [client 192.168.43.128] Premature end of script headers: cachemgr.cgi, referer: http://squid.dok.lan/cgi-bin/cachemgr.cgi

CVE References

Roel Brook (rainmaker52) wrote :
affects: squid (Ubuntu) → squid3 (Ubuntu)
Changed in squid3 (Ubuntu):
importance: Undecided → High
Ruben Cheng (rcheng) wrote :

I'm having the same issue with Ubuntu 12.04 LTS x86

*** glibc detected *** /usr/lib/cgi-bin/cachemgr.cgi: free(): invalid pointer: 0xb77e8780 ***
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x75ee2)[0xb753aee2]
/usr/lib/cgi-bin/cachemgr.cgi(+0xac9b)[0xb77dac9b]
/usr/lib/cgi-bin/cachemgr.cgi(main+0x7b2)[0xb77d2e52]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb74de4d3]
/usr/lib/cgi-bin/cachemgr.cgi(+0x3225)[0xb77d3225]
======= Memory map: ========
b74c3000-b74c5000 rw-p 00000000 00:00 0
b74c5000-b7668000 r-xp 00000000 08:01 16253243 /lib/i386-linux-gnu/libc-2.15.so
b7668000-b766a000 r--p 001a3000 08:01 16253243 /lib/i386-linux-gnu/libc-2.15.so
b766a000-b766b000 rw-p 001a5000 08:01 16253243 /lib/i386-linux-gnu/libc-2.15.so
b766b000-b766e000 rw-p 00000000 00:00 0
b766e000-b768a000 r-xp 00000000 08:01 16252972 /lib/i386-linux-gnu/libgcc_s.so.1
b768a000-b768b000 r--p 0001b000 08:01 16252972 /lib/i386-linux-gnu/libgcc_s.so.1
b768b000-b768c000 rw-p 0001c000 08:01 16252972 /lib/i386-linux-gnu/libgcc_s.so.1
b768c000-b768d000 rw-p 00000000 00:00 0
b768d000-b76b7000 r-xp 00000000 08:01 16256599 /lib/i386-linux-gnu/libm-2.15.so
b76b7000-b76b8000 r--p 00029000 08:01 16256599 /lib/i386-linux-gnu/libm-2.15.so
b76b8000-b76b9000 rw-p 0002a000 08:01 16256599 /lib/i386-linux-gnu/libm-2.15.so
b76b9000-b7791000 r-xp 00000000 08:01 13374316 /usr/lib/i386-linux-gnu/libstdc++.so.6.0.16
b7791000-b7792000 ---p 000d8000 08:01 13374316 /usr/lib/i386-linux-gnu/libstdc++.so.6.0.16
b7792000-b7796000 r--p 000d8000 08:01 13374316 /usr/lib/i386-linux-gnu/libstdc++.so.6.0.16
b7796000-b7797000 rw-p 000dc000 08:01 13374316 /usr/lib/i386-linux-gnu/libstdc++.so.6.0.16
b7797000-b779e000 rw-p 00000000 00:00 0
b77a9000-b77ad000 rw-p 00000000 00:00 0
b77ad000-b77ae000 r-xp 00000000 00:00 0 [vdso]
b77ae000-b77ce000 r-xp 00000000 08:01 16256600 /lib/i386-linux-gnu/ld-2.15.so
b77ce000-b77cf000 r--p 0001f000 08:01 16256600 /lib/i386-linux-gnu/ld-2.15.so
b77cf000-b77d0000 rw-p 00020000 08:01 16256600 /lib/i386-linux-gnu/ld-2.15.so
b77d0000-b77e0000 r-xp 00000000 08:01 13762683 /usr/lib/cgi-bin/cachemgr.cgi
b77e0000-b77e1000 r--p 0000f000 08:01 13762683 /usr/lib/cgi-bin/cachemgr.cgi
b77e1000-b77e2000 rw-p 00010000 08:01 13762683 /usr/lib/cgi-bin/cachemgr.cgi
b77e2000-b77ef000 rw-p 00000000 00:00 0
b8f37000-b8f58000 rw-p 00000000 00:00 0 [heap]
bfe70000-bfe91000 rw-p 00000000 00:00 0 [stack]
Premature end of script headers: cachemgr.cgi

Troy Dack (troy-d) wrote :

This appears to have been fixed in Debian nearly six months ago ... http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701123

The fix is at: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10486.patch

Here's the patch, applies cleanly against squid3-3.1.20-1ubuntu3

--- a/tools/cachemgr.cc
+++ b/tools/cachemgr.cc
@@ -1162,7 +1162,6 @@
 {
     static char buf[1024];
     size_t stringLength = 0;
- const char *str64;

     if (!req->passwd)
         return "";
@@ -1171,15 +1170,12 @@
              req->user_name ? req->user_name : "",
              req->passwd);

- str64 = base64_encode(buf);
-
- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
+ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));

     assert(stringLength < sizeof(buf));

- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
+ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));

- xxfree(str64);
     return buf;
 }

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in squid3 (Ubuntu):
status: New → Confirmed
Idler (idler-pcinhk) on 2013-10-06
description: updated
Tiago Stürmer Daitx (tdaitx) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since that time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect 1194310 and any other logs that are relevant for this particular issue.

tags: added: precise
Changed in squid3 (Ubuntu):
status: Confirmed → Incomplete
Amos Jeffries (yadi) wrote :

Sorry, just read comment #3, that makes it confirmed as CVE-2013-0189

Amos Jeffries (yadi) wrote :

Sorry, just read comment 3, that makes it confirmed as CVE-2013-0189

Robie Basak (racb) wrote :

Thanks Amos. http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0189.html suggests to me that this is fixed in Ubuntu, if that's the only issue here. That page says that this CVE was fixed upstream in 3.2.7 and Wily is on 3.3.8. Thus can this be closed as fixed, or is there something still outstanding?

Robie Basak (racb) wrote :

I'll close for now. Please reopen if I'm mistaken.

Changed in squid3 (Ubuntu):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.