Bug 76173 - [Maintainer/Security] www/squid: fix two security issues
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Simon L. B. Nielsen
 
Reported: 2005-01-12 19:30 UTC by Thomas-Martin Seck
Modified: 2005-01-12 22:58 UTC (History)

Attachments
file.diff (2.80 KB, patch)
2005-01-12 19:30 UTC, Thomas-Martin Seck

Description Thomas-Martin Seck 2005-01-12 19:30:26 UTC
- Integrate vendor patches as published on
  <http://www.squid-cache.org/Versions/v2/2.5/bugs/> for the following
  issues (security-team CC'ed):
  + prevent a possible denial of service attack via WCCP messages (squid bug
    #1190), classified as security issue by the vendor
  + fix a buffer overflow in the Gopher to HTML conversion routine (squid bug
    #1189), classified as security issue by the vendor
  + fix a null pointer access and plug memory leaks in the fake_auth NTLM
    helper (squid bug #1183) (this helper app is not installed by default by
    the port)
  + stop closing open filedescriptors beyond stdin, stdout and stderr on
    startup (squid bug #1177)

- unbreak the port on NO_NIS systems (thanks to "Alexander <freebsd AT
  nagilum.de>" for reporting this)

Proposed VuXML information for the two security issues, entry dates left to be
filled in:

<vuln vid="5fe7e27a-64cb-11d9-9e1e-c296ac722cb3">
	<topic>squid -- Denial Of Service With Forged WCCP Messages</topic>
	<affects>
		<package>
			<name>squid</name>
			<range><lt>2.5.7_6</lt></range>
		</package>
	</affects>
	<description>
		<body xmlns="http://www.w3.org/1999/xhtml">
		<p>The squid patches page notes:</p>
		<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth">
		<p>WCCP_I_SEE_YOU messages contain a 'number of caches' field
		which should be between 1 and 32. Values outside that range may
		crash Squid if WCCP is enabled, and if an attacker can spoof
		UDP packets with the WCCP router's IP address.</p>
		</blockquote>
		<p>Note: the WCCP protocol is not enabled by default in squid's
		FreeBSD port.</p>
		</body>
	</description>
	<references>
		<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth</url>
	</references>
	<dates>
		<discovery>2005-01-11</discovery>
		<entry>YYYY-MM-DD</entry>
	</dates>
</vuln>

<vuln vid="184ab9e0-64cd-11d9-9e1e-c296ac722cb3">
	<topic>squid -- Buffer Overflow Bug in gopherToHTML</topic>
	<affects>
		<package>
			<name>squid</name>
			<range><lt>2.5.7_6</lt></range>
		</package>
	</affects>
	<description>
		<body xmlns="http://www.w3.org/1999/xhtml">
		<p>The squid patches page notes:</p>
		<blockquote cite="http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing">
		<p>A malicious gopher server may return a response with very
		long lines that cause a buffer overflow in Squid.</p>
		<p>workaround: Since gopher is very obscure these days, do not
		allow Squid to any gopher servers. Use an ACL rule like:</p>
		<pre>
    acl Gopher proto gopher
    http_access deny Gopher
		</pre>
		</blockquote>
		</body>
	</description>
	<references>
		<url>http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing</url>
	</references>
	<dates>
		<discovery>2005-01-11</discovery>
		<entry>YYYY-MM-DD</entry>
	</dates>
</vuln>

Fix: Apply this patch:
Comment 1 Simon L. B. Nielsen freebsd_committer freebsd_triage 2005-01-12 20:54:00 UTC
Responsible Changed
From-To: freebsd-ports-bugs->simon

I will take this one.
Comment 2 Simon L. B. Nielsen freebsd_committer freebsd_triage 2005-01-12 22:57:36 UTC
State Changed
From-To: open->closed

Committed, thanks!
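
The WCCP entry above quotes a 'number of caches' field that should be between 1 and 32. The following is an added example, not Squid's code or the vendor patch, showing that range check applied before the count is used as an array bound. The message layout (a 16-byte header with the count at offset 12, then 4-byte entries) is a simplified assumption, and `parse_i_see_you`, `build_msg` and `cache_list` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CACHES 32u /* upper bound quoted in the advisory text */
#define HDR_LEN    16u /* assumed header: type, version, change, number */
#define ENTRY_LEN   4u /* assumed entry: one IPv4 address per cache */
struct cache_list { uint32_t number; uint32_t addr[MAX_CACHES]; };

static uint32_t be32(const uint8_t *p) /* read a big-endian 32-bit field */
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 and fills *out, or -1 if the message must be dropped. */
int parse_i_see_you(const uint8_t *pkt, size_t len, struct cache_list *out)
{
    if (len < HDR_LEN) return -1;
    uint32_t number = be32(pkt + 12);
    if (number < 1 || number > MAX_CACHES) return -1; /* before any indexing */
    if ((len - HDR_LEN) / ENTRY_LEN < number) return -1; /* entries truncated */
    out->number = number;
    for (uint32_t i = 0; i < number; i++)
        out->addr[i] = be32(pkt + HDR_LEN + i * ENTRY_LEN);
    return 0;
}

/* Constructed input: header claims `number` caches, `present` entries follow. */
size_t build_msg(uint8_t *buf, uint32_t number, uint32_t present)
{
    size_t len = HDR_LEN + (size_t)present * ENTRY_LEN;
    memset(buf, 0, len);
    for (int i = 0; i < 4; i++)
        buf[12 + i] = (uint8_t)(number >> (24 - 8 * i));
    for (uint32_t i = 0; i < present; i++)
        buf[HDR_LEN + i * ENTRY_LEN + 3] = (uint8_t)(i + 1); /* 0.0.0.(i+1) */
    return len;
}

int main(void)
{
    uint8_t buf[HDR_LEN + 2 * ENTRY_LEN];
    struct cache_list cl;
    size_t n = build_msg(buf, 33, 2); /* claims 33 caches, carries 2 */
    printf("number=33 -> %d\n", parse_i_see_you(buf, n, &cl));
    return 0;
}
```

The count is compared as an unsigned value, so a field that would read as negative in a signed type is rejected by the same upper-bound test.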