Squid gopherToHTML() Buffer Overflow Has Unspecified Impact
|
|
SecurityTracker Alert ID: 1012883
|
|
SecurityTracker URL: http://securitytracker.com/id?1012883
|
|
CVE Reference: CAN-2005-0094
(Links to External Site)
|
|
OSVDB Reference: 12887
(Links to External Site)
|
|
Nessus Reference: 16190
(Links to External Site)
|
Updated: Jan 19 2005
|
Original Entry Date: Jan 13 2005
|
Impact: Not specified
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 2.5
|
Description: A buffer overflow vulnerability was reported in Squid in the processing of the Gopher protocol. The impact was not specified.
The vendor reported a buffer overflow in the gopherToHTML() function. A remote gopher server can return a specially crafted response with very long lines to trigger the buffer overflow.
|
Impact: The impact was not specified.
|
Solution: A patch (squid-2.5.STABLE7-gopher_html_parsing.patch) is available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch
As
a workaround, the vendor indicates that you can restrict access to gopher servers with the following type of ACL rule:
acl
Gopher proto gopher
http_access deny Gopher
|
Vendor URL: www.squid-cache.org/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 12 Jan 2005 23:30:17 -0500
Subject: [none]
|
> buffer overflow bug in gopherToHTML()
> A malicious gopher server may return a response with very long lines that cause a
> buffer overflow in Squid.
> versions Squid-2.5 and earlier
A patch (squid-2.5.STABLE7-gopher_html_parsing.patch) is available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch
As a workaround, the vendor indicates that you can restrict access to gopher servers
with the following type of ACL rule:
acl Gopher proto gopher
http_access deny Gopher
|
|
