SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Squid Vendors:   Squid-cache.org
Squid Null Pointer Dereference in clientAbortBody() Lets Remote Users Crash the Proxy
SecurityTracker Alert ID:  1011214
SecurityTracker URL:  http://securitytracker.com/id/1011214
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Feb 24 2006
Original Entry Date:  Sep 11 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.5.STABLE5 and prior versions
Description:   d3thStaR reported a vulnerability in Squid. A remote user can cause the proxy to crash.

It is reported that a remote user can trigger a segmentation fault due to a null pointer dereference in the clientAbortBody() function in 'client_side.c'.

The bug was originally reported to the vendor by M.A.Young.

Impact:   A remote user can cause the target proxy service to crash.
Solution:   The vendor has issued a fixed version (2.5.STABLE6, 3.0).
Vendor URL:  www.squid-cache.org/bugs/show_bug.cgi?id=972 (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 16 2004 (Fedora Issues Fix for FC2) Squid Overflow in clientAbortBody() Lets Remote Users Crash the Proxy
Fedora has released a fix for Fedora Core 2.



 Source Message Contents

Subject:  Squid-Cache Buffer Overflow Vulnerablility


==========================================
Squid-Cache Buffer Overflow Vulnerablility
==========================================
Dicovered by- d3thStaR [!SUI] <d3thStaR /at/ rootthief.com>
Greets: !SUI Crew, Atomix, mGrD, e0r, rootthief.com.
Sources:  Bug #972
Confirmed products effected- squid-2.5.STABLE6 and earlier

=======Description of Problem=======
The function clientAbortBody can cause a segmentation fault.

if (!conn->body.callback || conn->body.request != request)
return;
buf = conn->body.buf;

This was a problem supposed to be address in STABLE5 by changing:


if (!conn->body.callback || conn->body.request != request)
to
if (conn == NULL || !conn->body.callback || conn->body.request != request)

The problem still exists and still can crash the program.

=======Product Description=======
Squid is...
- a full-featured Web proxy cache
- designed to run on Unix systems
- free, open-source software
- the result of many contributions by unpaid (and paid) volunteers

Squid supports...
- proxying and caching of HTTP, FTP, and other URLs
- proxying for SSL
- cache hierarchies
- ICP, HTCP, CARP, Cache Digests
- transparent caching
- WCCP (Squid v2.3 and above)
- extensive access controls
- HTTP server acceleration
- SNMP
- caching of DNS lookups

Vendor- squid-cache.org
Notified- 9/10/2004_8:00pm/Central

d3thStaR
<d3thStaR at rootthief.com>
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC