Bug 8794

Summary: squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: luigiwalser, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/535428/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Source RPM: squid-3.1.19-4.1.mga2.src.rpm CVE:
Status comment:

Description Oden Eriksson 2013-01-23 17:08:14 CET 
https://bugzilla.redhat.com/show_bug.cgi?id=895972

"Jan Lieskovsky 2013-01-16 07:05:21 EST

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset)."
Comment 1 Oden Eriksson 2013-01-23 17:09:10 CET 
fixed in r391672 (mga2, updates_testing, squid-3.1.19-4.2.mga2)
Comment 2 Oden Eriksson 2013-01-23 17:14:00 CET 
squid-3.2.6 in cauldron is unaffected.
Comment 3 David Walser 2013-01-31 21:22:44 CET 
Ubuntu has issued an advisory on January 30:
http://www.ubuntu.com/usn/usn-1713-1/

Advisory:
========================

Updated squid packages fix security vulnerability:

It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack (CVE-2013-0189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189
http://www.ubuntu.com/usn/usn-1713-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.2.mga2
squid-cachemgr-3.1.19-4.2.mga2

from squid-3.1.19-4.2.mga2.src.rpm

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 => http://lwn.net/Vulnerabilities/535428/
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

David Walser 2013-01-31 21:25:07 CET

Summary: CVE-2013-0189: squid - incomplete fix for CVE-2012-5643 => squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Severity: normal => major

Comment 4 claire robinson 2013-02-01 14:24:38 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2013-02-01 14:28:25 CET 
No PoC so just testing it works.

Testing mga2 64
Comment 6 claire robinson 2013-02-01 16:31:22 CET 
Testing complete mga2 64

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 7 claire robinson 2013-02-01 17:45:07 CET 
Testing complete mga2 32

Validating

Advisory & SRPM in comment 3

Can sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok

Comment 8 David Walser 2013-02-05 20:40:00 CET 
Forgot to mention, patch checked into Mageia 1 SVN.
Comment 9 Thomas Backlund 2013-02-06 23:03:35 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED