BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

Bug #1890265 reported by xavier on 2020-08-04
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| squid3 (Debian) | New | Unknown | | |
| squid3 (Ubuntu) | | Undecided | Unassigned | |
| Xenial | | High | Marc Deslauriers | |
| Bionic | | High | Marc Deslauriers | |

Bug Description

Using Ubuntu 18.04

I had a squid config using c-icap to scan requests/responses using ClamAV.

It had been working OK for a long time.

Today, squid was (security) updated to 3.5.27-1ubuntu1.7 and now the connection to icap is broken.

This is the error in squid-cache.log:

    2020/08/04 09:44:08 kid1| essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

After downgrading to 3.5.27-1ubuntu1.6 it starts working again.

The icap service is working fine, tested with `c-icap-client -i 127.0.0.1 -p 1344 -s virus_scan`

Thanks.
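
A triage sketch for the symptom in this report, added here as an example and not part of the original bug report or of Squid: it pairs ICAP-down lines in Squid's cache.log with squid package upgrades recorded in dpkg.log, which is how a regression like this one shows up on a host. The sample log lines are constructed, and the function names, the 24-hour window and the "optional" wording for bypass-enabled services are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from a real host). The cache.log line follows
# the format quoted in this report; the dpkg.log lines follow dpkg's log format.
CACHE_LOG = """\
2020/08/04 09:43:51 kid1| Starting Squid Cache version 3.5.27 for x86_64-pc-linux-gnu...
2020/08/04 09:44:08 kid1| essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]
"""
DPKG_LOG = """\
2020-08-04 06:31:13 upgrade squid:amd64 3.5.27-1ubuntu1.6 3.5.27-1ubuntu1.7
2020-08-04 06:31:20 status installed squid:amd64 3.5.27-1ubuntu1.7
"""

# "optional" is assumed to be the wording for services configured with bypass=on,
# where traffic would pass unscanned while the service is down.
ICAP_DOWN = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \S+\| (?P<kind>essential|optional) "
    r"ICAP service is down after (?P<reason>.+?): (?P<uri>icap://\S+) \[(?P<flags>[^\]]*)\]")
DPKG_UPGRADE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) upgrade (?P<pkg>squid[^:\s]*):\S+ "
    r"(?P<old>\S+) (?P<new>\S+)$")

def icap_down_events(cache_log):
    """Yield one dict per 'ICAP service is down' line, with parsed time and flags."""
    for line in cache_log.splitlines():
        m = ICAP_DOWN.match(line)
        if m:
            yield {**m.groupdict(), "flags": m["flags"].split(","),
                   "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")}

def squid_upgrades(dpkg_log):
    """Yield one dict per dpkg 'upgrade' record for a squid* package."""
    for line in dpkg_log.splitlines():
        m = DPKG_UPGRADE.match(line)
        if m:
            yield {**m.groupdict(),
                   "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")}

def outages_after_upgrade(cache_log, dpkg_log, window=timedelta(hours=24)):
    """Pair each ICAP-down event with the latest squid upgrade within `window` before it."""
    upgrades = list(squid_upgrades(dpkg_log))
    pairs = []
    for ev in icap_down_events(cache_log):
        prior = [u for u in upgrades if timedelta(0) <= ev["ts"] - u["ts"] <= window]
        if prior:
            pairs.append((ev, max(prior, key=lambda u: u["ts"])))
    return pairs

if __name__ == "__main__":
    for ev, up in outages_after_upgrade(CACHE_LOG, DPKG_LOG):
        print(f'{ev["ts"]} {ev["kind"]} {ev["uri"]} down; {up["pkg"]} {up["old"]} -> {up["new"]} at {up["ts"]}')
```

Both logs are written in local time, so the comparison assumes they come from the same host.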

Changed in squid3 (Ubuntu Bionic):
status: New → Confirmed
Changed in squid3 (Ubuntu):
status: New → Triaged
Changed in squid3 (Ubuntu Bionic):
importance: Undecided → High

I was about to read the code for the latest 2 included patches and @ahasenack warned me about:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965012

with current status:

"""
Hello Andreas,

thanks for your patience. I believe I have found the underlying problem.
It is a parsing issue in src/adaptation/icap/ModXact.cc and HttpMsg.cc.

2020/07/28 09:55:14.614 kid1| 58,3| HttpMsg.cc(184) parse:
HttpMsg::parse: cannot parse isolated headers in 'OPTIONS
icap://127.0.0.1:1344/virus_scan ICAP/1.0

To fix CVE-2019-12523 the urlParse function had to be updated to use the
new SBuf API for better access checks. However at one point in time
upstream no longer used this function to parse icap headers and
simply copied an already known url. I have attached the
CVE-2019-12523.patch. You can just replace it with the old one. If
everything works as expected I will upload this change as +deb9u3 shortly.

Regards,

Markus
"""

Changed in squid3 (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid3 (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in squid3 (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.5.12-1ubuntu7.13

---------------
squid3 (3.5.12-1ubuntu7.13) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression when parsing icap and ecap protocols
    (LP: #1890265)
    - debian/patches/CVE-2019-12523-bug965012.patch
  * Thanks to Markus Koschany for the regression fix!

 -- Marc Deslauriers <email address hidden> Wed, 26 Aug 2020 06:46:39 -0400

Changed in squid3 (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squid3 - 3.5.27-1ubuntu1.8

---------------
squid3 (3.5.27-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY REGRESSION: regression when parsing icap and ecap protocols
    (LP: #1890265)
    - debian/patches/CVE-2019-12523-bug965012.patch
  * Thanks to Markus Koschany for the regression fix!

 -- Marc Deslauriers <email address hidden> Tue, 25 Aug 2020 13:12:13 -0400

Changed in squid3 (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in squid3 (Ubuntu):
status: Triaged → Fix Released