Bug 7898 - tinyproxy new security issue CVE-2012-3505
Summary: tinyproxy new security issue CVE-2012-3505
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/520972/
Whiteboard: mga2-32-OK mga2-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-10-24 22:43 CEST by David Walser
Modified: 2012-11-06 20:30 CET

See Also:
Source RPM: tinyproxy-1.8.3-1.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-10-24 22:43:44 CEST
Debian has issued an advisory on October 23:
http://www.debian.org/security/2012/dsa-2564

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated tinyproxy package fixes security vulnerability:

tinyproxy 1.8.3 allows remote attackers to cause a denial of service (CPU and
memory consumption) via (1) a large number of headers or (2) a large number of
forged headers that are hashed into the same bucket (CVE-2012-3505).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3505
http://www.debian.org/security/2012/dsa-2564
========================

Updated packages in core/updates_testing:
========================
tinyproxy-1.8.3-1.1.mga2

from tinyproxy-1.8.3-1.1.mga2.src.rpm
Comment 1 claire robinson 2012-10-30 17:16:21 CET
Testing Mga2 i586

Before
------

# service tinyproxy start
Starting tinyproxy (via systemctl):  Job failed. See system journal and 'systemctl status' for details.
                                                                  [FAILED]

# tail /var/log/syslog

tinyproxy[25127]: chgrp: invalid group: `nobody'
tinyproxy[25127]: chgrp: invalid group: `nobody'
tinyproxy[25127]: Starting tinyproxy: [  OK  ]
systemd[1]: PID file /var/run/tinyproxy.pid not readable (yet?) after start.
systemd[1]: Unit tinyproxy.service entered failed state.

# nano /etc/tinyproxy/tinyproxy.conf

Changed the group it runs as to 'nogroup', we don't have group 'nobody' in Mageia.

# service tinyproxy start
Starting tinyproxy (via systemctl):  ^C

Interrupted with ctrl-c as it presumably can't find the pid file and didn't return.

# service tinyproxy status

Shows it has loaded but there is some error in the init script or conflict with systemd.


I can't reproduce the DOS.

$ curl -x http://localhost:8888 http://78.230.4.96/hashes.asis

It uses 2% cpu and 0.1% memory with or without the proxy.


After
-----
Same issue with the default conf set to use a non existent user.
Same issue with the init script not completing the start.

No difference noticed in use.

Do you want to look at these two now or shall I create some new bugs?
Comment 2 claire robinson 2012-10-30 17:19:25 CET
Additionally

#service tinyproxy stop

Although it says OK it appears to leave all the tinyproxy processes running

# service tinyproxy stop
Stopping tinyproxy (via systemctl):                         [  OK  ]

# ps aux | grep tiny
nobody   29286  0.0  0.1   4032  2528 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29292  0.0  0.1   4164  2568 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29293  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29294  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29295  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29296  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29297  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29298  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29299  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29300  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody   29301  0.0  0.0   4032  1920 ?        S    16:11   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
root     29558  0.0  0.0   5856   744 pts/1    S+   16:16   0:00 grep --color tiny
claire robinson 2012-10-30 17:24:58 CET

Whiteboard: (none) => feedback

Comment 3 David Walser 2012-10-30 17:28:47 CET
Another misc package :o(

I'll ask on the -dev list if anyone is interested in fixing this, otherwise it should be dropped.

Thanks for testing.

PS - not sure if it makes a difference here, but AFAIK proxy definitions usually require a / at the end, so might be worth a quick check in your PoC command.
Comment 4 claire robinson 2012-10-30 17:33:54 CET
I tried with firefox too after setting to use http proxy at localhost:8888 so confident it works once 'started'.
Comment 5 David Walser 2012-10-30 17:35:04 CET
OK thanks, so the issue can't be reproduced via that URL.  I guess that's good.
Comment 6 Dave Hodgins 2012-11-02 03:06:27 CET
From htop ...
          ├─ /bin/bash /sbin/service tinyproxy start
          │  └─ /bin/bash /etc/init.d/tinyproxy start
          │     └─ /bin/systemctl start tinyproxy.service
          │        └─ /bin/systemd-tty-ask-password-agent --watch

Why is systemctl asking for a password?  There's no dialog opening up
to enter one.

[root@i2v bacula]# SYSTEMCTL_SKIP_REDIRECT=1 bash /etc/init.d/tinyproxy start
Starting tinyproxy:                                                        [  OK  ]
[root@i2v bacula]# ps aux | grep tiny
nobody    5446  0.0  0.1   4032  2544 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5452  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5453  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5454  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5455  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5456  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5457  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5458  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5459  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5460  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody    5461  0.0  0.0   4032  1920 ?        S    21:26   0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
root      5480  0.0  0.0   5608   760 pts/2    S+   21:27   0:00 grep --color tiny
[root@i2v bacula]# SYSTEMCTL_SKIP_REDIRECT=1 bash /etc/init.d/tinyproxy stop
Stopping tinyproxy:                                                        [  OK  ]
[root@i2v bacula]# ps aux | grep tiny
root      5515  0.0  0.0   5608   760 pts/2    S+   21:27   0:00 grep --color tiny

The start and stop scripts are working, if systemd is bypassed.
So it looks like this bug has demonstrated a bug in systemd.

CC: (none) => davidwhodgins

Comment 7 David Walser 2012-11-02 03:16:52 CET
We better let Colin get a look at it then.

In fairness to systemd, it looks like whoever wrote this init script was trying to win an obfuscated code contest.

CC: (none) => mageia

Comment 8 Dave Hodgins 2012-11-02 03:17:48 CET
Figured out the cause of the problem.

In /etc/init.d/tinyproxy, in the chkconfig headers, it has ...
# pidfile: /var/run/tinyproxy.pid

While it should have
# pidfile: /var/run/tinyproxy/tinyproxy.pid

While trying to start the service, systemd cannot find the pid file, so
it hangs.

While trying to stop the service, since systemd cannot find the pid file,
it ignores the stop request.

Fixing the path to the pid file in the init script corrects the problems.
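
Added example (not part of the original comment or of the Mageia package): a shell check for the mismatch described in comment 8, comparing the "# pidfile:" chkconfig header of an init script with the PidFile directive in tinyproxy.conf. The sample files are constructed for the demonstration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the "# pidfile:" chkconfig header of a SysV init
# script with the PidFile directive of the daemon's configuration file.
# systemd tracks the service through the header path, so the two must agree.

# Print the path from the first "# pidfile:" header line of an init script.
header_pidfile() {
    sed -n 's/^#[[:space:]]*pidfile:[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Print the value of the PidFile directive (quotes stripped) from the config.
conf_pidfile() {
    sed -n 's/^[[:space:]]*PidFile[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# Return 0 if both paths agree, 1 on mismatch, 2 if either one is missing.
check_pidfile_match() {
    hdr=$(header_pidfile "$1")
    cfg=$(conf_pidfile "$2")
    if [ -z "$hdr" ] || [ -z "$cfg" ]; then
        echo "cannot compare: header='$hdr' config='$cfg'"
        return 2
    fi
    if [ "$hdr" != "$cfg" ]; then
        echo "MISMATCH: init header says $hdr, daemon writes $cfg"
        return 1
    fi
    echo "OK: $hdr"
}

# Constructed sample files reproducing the broken and fixed states above.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/bash' '# chkconfig: 345 85 15' \
    '# pidfile: /var/run/tinyproxy.pid' > "$demo_dir/init.broken"
printf '%s\n' '#!/bin/bash' '# chkconfig: 345 85 15' \
    '# pidfile: /var/run/tinyproxy/tinyproxy.pid' > "$demo_dir/init.fixed"
printf '%s\n' 'User nobody' 'Port 8888' \
    'PidFile "/var/run/tinyproxy/tinyproxy.pid"' > "$demo_dir/tinyproxy.conf"

check_pidfile_match "$demo_dir/init.broken" "$demo_dir/tinyproxy.conf" || true
check_pidfile_match "$demo_dir/init.fixed" "$demo_dir/tinyproxy.conf" || true
```

On a real system the arguments would be /etc/init.d/tinyproxy and /etc/tinyproxy/tinyproxy.conf; a non-zero exit status means systemd would be watching a path the daemon never writes.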
Comment 9 claire robinson 2012-11-02 09:53:06 CET
Good spot Dave, even with bad eyes! I had compared those as well and didn't register a difference :\
Comment 10 David Walser 2012-11-02 13:20:32 CET
Fixed package uploaded.  Works for me now.

Advisory:
========================

Updated tinyproxy package fixes security vulnerability:

tinyproxy 1.8.3 allows remote attackers to cause a denial of service (CPU and
memory consumption) via (1) a large number of headers or (2) a large number of
forged headers that are hashed into the same bucket (CVE-2012-3505).

Additionally, this fixes errors in the init script and main configuration
file that prevented it from starting.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3505
http://www.debian.org/security/2012/dsa-2564
========================

Updated packages in core/updates_testing:
========================
tinyproxy-1.8.3-1.2.mga2

from tinyproxy-1.8.3-1.2.mga2.src.rpm

Whiteboard: feedback => (none)

Comment 11 claire robinson 2012-11-02 15:13:38 CET
Fixed mga2 32

Whiteboard: (none) => mga2-32-OK

Comment 12 claire robinson 2012-11-02 15:22:45 CET
Tested ok x86_64

Validating

Advisory and srpm in comment 10

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga2-32-OK => mga2-32-OK mga2-64-OK

Comment 13 Thomas Backlund 2012-11-06 20:30:06 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0323

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

