Bug 10516 - squid new security issues CVE-2013-4115 and CVE-2013-4123
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/560027/
: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64...
: Triaged, validated_update
Reported: 2013-06-13 10:48 CEST by Denis Chupau
Modified: 2013-07-22 19:35 CEST

Source RPM: squid-3.2.10-1.mga3
Description Denis Chupau 2013-06-13 10:48:07 CEST
Description of problem:
Trying to make squid search LDAP for user groups to make filtering based on user groups (stored in LDAP).
Until now I was using /usr/lib/squid/squid_ldap_group.
But it's unavailable for MGA3.

Version-Release number of selected component (if applicable):
3.2.10-1.mga3

How reproducible:
Always : component is missing

Steps to Reproduce:
1. install squid (urpmi squid)
2. configure squid to use external_acl_type ldapGroup %LOGIN /usr/lib/squid/squid_ldap_group ...
3. there is no such file in /usr/lib/squid


In case of a filename change, I checked if there were some files that could match the "squid_ldap_group" helper, but couldn't find any.


It seems that it may have been dropped here :
http://svnweb.mageia.org/packages/cauldron/squid/current/SPECS/squid.spec?view=markup&pathrev=289632


regards
Dag

Comment 1 David Walser 2013-06-30 16:26:33 CEST
Since we selectively enable helpers and several of the helper names were changed in Squid 3.2 upstream:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#toc2.4

we lost some of them.  I'm working on getting them enabled again.

Once they are, there may be some configuration changes required, I'm not sure.  Documentation for the helpers is available here:
http://www.squid-cache.org/Doc/man/
Comment 2 David Walser 2013-06-30 18:21:26 CEST
Corrected packages uploaded for Mageia 3 and Cauldron.

Here are the changes in the SPEC file for Mageia 3:
http://svnweb.mageia.org/packages/updates/3/squid/current/SPECS/squid.spec?r1=419736&r2=448559

Unfortunately for Cauldron there is a problem with perl's pod2man command, which has caused the DB auth helper and DB log daemon to get disabled for now.  This has been reported as Bug 10663.

Advisory
--------

Due to being renamed in Squid 3.2, the Squid external acl helpers for
matching against IP addresses and LDAP groups were not selected to be built
in the squid package for Mageia 3.

This has been corrected and these helpers are now included.  Additionally,
the helpers for eDirectory IP address lookups and matching LDAP groups using
Kerberos credentials have also been included.

References:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
-----------------------------------

Packages in core/updates_testing:
-----------------------------------
squid-3.2.10-1.1.mga3
squid-cachemgr-3.2.10-1.1.mga3

from squid-3.2.10-1.1.mga3.src.rpm
Comment 3 claire robinson 2013-07-08 10:52:04 CEST
Denis can you please test the update candidate in core updates testing to make sure the bug is fixed and let us know which architecture you tested with (i586 or x86_64).

Thanks.
Comment 4 Denis Chupau 2013-07-10 11:39:03 CEST
Hi,

I'm on i586.

- I tried to install the package from (as "testing" is not enabled on my test-server) :
wget Mageia/distrib/3/i586/media/core/updates_testing/squid-3.2.10-1.1.mga3.i586.rpm


- Installing :
urpmi ./squid-3.2.10-1.1.mga3.i586.rpm 
Le paquetage demandé ne peut pas être installé :
squid-3.2.10-1.1.mga3.i586 (car /bin/ksh est non satisfait)
Désirez-vous tout de même continuer ? (O/n) o


- Translated into English :
The package can't be installed :
squid-3.2.10-1.1.mga3.i586 (because /bin/ksh is not satisfied)
Would you like to continue anyway ? (Y/n) y

- verification :
rpm -qa | grep squid
squid-3.2.10-1.mga3

- what provides /bin/ksh ?
urpmf /bin/ksh
kshowmail:/usr/bin/kshowmail
kshutdown:/usr/bin/kshutdown
pdksh:/usr/bin/ksh
kshisen:/usr/bin/kshisen
kdelibs4-core:/usr/bin/kshell4

=> no /bin/ksh



So there may be a problem in the RPM :
- there is no such file or directory in the "stable" repositories (core, non-free, contrib)
- does it really need to depend on ksh ?



regards,
Dag
Comment 5 David Walser 2013-07-10 12:51:14 CEST
Hmm, this happened because it's now installing a script from one of the newly enabled helpers that starts with #!/bin/ksh:
squid-3.2.9/helpers/external_acl/kerberos_ldap_group/cert_tool

Looking at the script it's not immediately obvious why it uses ksh or that it needs to.  Probably the easiest solution would be to remove the #!/bin/ksh from the top of it, or change it to bash.  In fact I just ran it by hand with bash and it seemed to work.  OK, I'm patching it to change it to bash.

Someone should really change the pdksh package to provide /bin/ksh as well...

Thanks for the report.  Should be a new update candidate available soon.

Advisory
--------

Due to being renamed in Squid 3.2, the Squid external acl helpers for
matching against IP addresses and LDAP groups were not selected to be built
in the squid package for Mageia 3.

This has been corrected and these helpers are now included.  Additionally,
the helpers for eDirectory IP address lookups and matching LDAP groups using
Kerberos credentials have also been included.

References:
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
-----------------------------------

Packages in core/updates_testing:
-----------------------------------
squid-3.2.10-1.2.mga3
squid-cachemgr-3.2.10-1.2.mga3

from squid-3.2.10-1.2.mga3.src.rpm
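
The unsatisfied `/bin/ksh` dependency discussed in comments 4 and 5 can be caught before an update candidate is published. The following check is an added example, not part of the original thread or of the Squid or Mageia tooling: it reads the `#!` line of every file in a package tree and reports interpreters that do not exist under a given root. The function names, the optional root argument, the sample files and the assumption that the dependency is taken from the first word after `#!` are all illustrative.

```bash
#!/bin/sh
# Added example: flag scripts whose "#!" interpreter is absent from a root.

# Print the interpreter path named on the first line of FILE, or nothing
# if the file does not start with "#!".
shebang_interpreter() {
    _line=
    IFS= read -r _line < "$1" || [ -n "$_line" ] || return 0
    case "$_line" in
        '#!'*) ;;
        *) return 0 ;;
    esac
    _line=${_line#'#!'}
    # Drop leading blanks, then keep only the first word (assumed to be
    # what the packaging dependency is derived from).
    _line=${_line#"${_line%%[![:space:]]*}"}
    printf '%s\n' "${_line%%[[:space:]]*}"
}

# Print "file: interpreter" for each regular file under DIR whose
# interpreter is not executable under ROOT (default: the running system).
missing_interpreters() {
    _root=${2:-}
    find "$1" -type f | sort | while IFS= read -r _f; do
        _interp=$(shebang_interpreter "$_f")
        [ -n "$_interp" ] || continue
        [ -x "$_root$_interp" ] || printf '%s: %s\n' "${_f#"$1"/}" "$_interp"
    done
}

# Constructed sample: a package tree and a root that has /bin/sh but no
# /bin/ksh, mirroring the situation reported in comment 4.
build_sample() {
    _d=$(mktemp -d)
    mkdir -p "$_d/pkg" "$_d/root/bin"
    : > "$_d/root/bin/sh"
    chmod +x "$_d/root/bin/sh"
    printf '#!/bin/ksh\n# constructed stand-in for cert_tool\n' > "$_d/pkg/cert_tool"
    printf '#! /bin/sh -e\necho ok\n' > "$_d/pkg/helper.sh"
    printf 'no shebang here\n' > "$_d/pkg/README"
    printf '%s\n' "$_d"
}

sample=$(build_sample)
missing_interpreters "$sample/pkg" "$sample/root"   # prints: cert_tool: /bin/ksh
rm -rf "$sample"
```

Pointing the second argument at a chroot that contains only the stable repositories gives the same view of available interpreters that an end user's system has.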
Comment 6 David Walser 2013-07-11 14:54:23 CEST
Upstream has released Squid 3.3.7 and 3.2.12 to fix a buffer overflow:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt

A patch for Squid 3.1 is also available.  Everything is checked into SVN for Mageia 2, Mageia 3, and Cauldron.  Updated builds are in progress.
Comment 7 David Walser 2013-07-11 15:17:45 CEST
Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow
attack when processing specially crafted HTTP requests. This problem allows
any trusted client or client script who can generate HTTP requests to trigger
a buffer overflow in Squid, resulting in a termination of the Squid service
(SQUID-2013:2).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for
matching against IP addresses and LDAP groups were not selected to be built
in the squid package for Mageia 3.

This has been corrected and these helpers are now included.  Additionally,
the helpers for eDirectory IP address lookups and matching LDAP groups using
Kerberos credentials have also been included.

References:
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2
squid-3.2.10-1.3.mga3
squid-cachemgr-3.2.10-1.3.mga3

from SRPMS:
squid-3.1.19-4.4.mga2.src.rpm
squid-3.2.10-1.3.mga3.src.rpm
Comment 8 David Walser 2013-07-11 17:55:46 CEST
FYI, a CVE has been requested for this security issue:
http://openwall.com/lists/oss-security/2013/07/11/2

I'll update the advisory once the CVE is assigned.
Comment 9 David Walser 2013-07-12 00:57:47 CEST
The CVE has been assigned:
http://openwall.com/lists/oss-security/2013/07/11/8

Advisory:
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow
attack when processing specially crafted HTTP requests. This problem allows
any trusted client or client script who can generate HTTP requests to trigger
a buffer overflow in Squid, resulting in a termination of the Squid service
(CVE-2013-4115).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for
matching against IP addresses and LDAP groups were not selected to be built
in the squid package for Mageia 3.

This has been corrected and these helpers are now included.  Additionally,
the helpers for eDirectory IP address lookups and matching LDAP groups using
Kerberos credentials have also been included.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2
squid-3.2.10-1.3.mga3
squid-cachemgr-3.2.10-1.3.mga3

from SRPMS:
squid-3.1.19-4.4.mga2.src.rpm
squid-3.2.10-1.3.mga3.src.rpm
Comment 10 claire robinson 2013-07-15 20:12:29 CEST
Maybe another one to do David. I noticed this on debian bug tracker.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=716743#12
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
Comment 11 David Walser 2013-07-15 23:57:58 CEST
Thanks Claire.  The new security advisory doesn't affect Squid 3.1 in Mageia 2.

Here's a new advisory to use for Mageia 2.  I'll post the Mageia 3 advisory next.

Advisory (Mageia 2):
========================

Updated squid packages fix security vulnerability:

Due to incorrect data validation Squid is vulnerable to a buffer overflow
attack when processing specially crafted HTTP requests. This problem allows
any trusted client or client script who can generate HTTP requests to trigger
a buffer overflow in Squid, resulting in a termination of the Squid service
(CVE-2013-4115).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.4.mga2
squid-cachemgr-3.1.19-4.4.mga2

from squid-3.1.19-4.4.mga2.src.rpm
Comment 12 David Walser 2013-07-16 00:01:04 CEST
Updated package uploaded for Cauldron for SQUID-2013:3.

Patched package uploaded for Mageia 3 for SQUID-2013:3.

Advisory (Mageia 3):
========================

Updated squid packages fix security vulnerabilities:

Due to incorrect data validation Squid is vulnerable to a buffer overflow
attack when processing specially crafted HTTP requests. This problem allows
any trusted client or client script who can generate HTTP requests to trigger
a buffer overflow in Squid, resulting in a termination of the Squid service
(CVE-2013-4115).

Due to incorrect data validation Squid is vulnerable to a denial of service
attack when processing specially crafted HTTP requests. This problem allows
any client who can generate HTTP requests to perform a denial of service
attack on the Squid service (CVE-2013-4123).

Also, due to being renamed in Squid 3.2, the Squid external acl helpers for
matching against IP addresses and LDAP groups were not selected to be built
in the squid package for Mageia 3.

This has been corrected and these helpers are now included.  Additionally,
the helpers for eDirectory IP address lookups and matching LDAP groups using
Kerberos credentials have also been included.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4123
http://www.squid-cache.org/Advisories/SQUID-2013_2.txt
http://www.squid-cache.org/Advisories/SQUID-2013_3.txt
ftp://ftp.fu-berlin.de/unix/www/squid/archive/3.2/squid-3.2.0.9-RELEASENOTES.html#ss2.4
http://www.squid-cache.org/Doc/man/
========================

Updated packages in core/updates_testing:
========================
squid-3.2.10-1.4.mga3
squid-cachemgr-3.2.10-1.4.mga3

from squid-3.2.10-1.4.mga3.src.rpm
Comment 13 Dave Hodgins 2013-07-19 04:48:57 CEST
10516.mga2.adv and 10516.mga3.adv uploaded.
Comment 14 Dave Hodgins 2013-07-21 20:58:06 CEST
Testing complete for squid using drakguard on both arches/releases.

Could someone from the sysadmin team push 10516.mga2.adv and 10516.mga3.adv
to updates.
Comment 15 Thomas Backlund 2013-07-21 22:20:06 CEST
mga2 update pushed:
http://advisories.mageia.org/MGASA-2013-0227.html

mga3 update pushed:
http://advisories.mageia.org/MGASA-2013-0228.html
Comment 16 David Walser 2013-07-22 19:35:19 CEST
LWN references posted.

CVE-2013-4115: http://lwn.net/Vulnerabilities/560027/

CVE-2013-4123: http://lwn.net/Vulnerabilities/560028/
