Debian has issued an advisory on October 23:
http://www.debian.org/security/2012/dsa-2564

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated tinyproxy package fixes security vulnerability:

tinyproxy 1.8.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that are hashed into the same bucket (CVE-2012-3505).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3505
http://www.debian.org/security/2012/dsa-2564
========================

Updated packages in core/updates_testing:
========================
tinyproxy-1.8.3-1.1.mga2

from tinyproxy-1.8.3-1.1.mga2.src.rpm
Testing Mga2 i586

Before
------
# service tinyproxy start
Starting tinyproxy (via systemctl): Job failed. See system journal and 'systemctl status' for details. [FAILED]

# tail /var/log/syslog
tinyproxy[25127]: chgrp: invalid group: `nobody'
tinyproxy[25127]: chgrp: invalid group: `nobody'
tinyproxy[25127]: Starting tinyproxy: [ OK ]
systemd[1]: PID file /var/run/tinyproxy.pid not readable (yet?) after start.
systemd[1]: Unit tinyproxy.service entered failed state.

# nano /etc/tinyproxy/tinyproxy.conf
Changed the group it runs as to 'nogroup', we don't have group 'nobody' in Mageia.

# service tinyproxy start
Starting tinyproxy (via systemctl): ^C

Interrupted with ctrl-c as it presumably can't find the pid file and didn't return.

# service tinyproxy status
Shows it has loaded but there is some error in the init script or conflict with systemd.

I can't reproduce the DOS.

$ curl -x http://localhost:8888 http://78.230.4.96/hashes.asis

It uses 2% cpu and 0.1% memory with or without the proxy.

After
-----
Same issue with the default conf set to use a non existent user.
Same issue with the init script not completing the start.
No difference noticed in use.

Do you want to look at these two now or shall I create some new bugs?
Additionally

# service tinyproxy stop

Although it says OK it appears to leave all the tinyproxy processes running

# service tinyproxy stop
Stopping tinyproxy (via systemctl): [ OK ]
# ps aux | grep tiny
nobody 29286 0.0 0.1 4032 2528 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29292 0.0 0.1 4164 2568 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29293 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29294 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29295 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29296 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29297 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29298 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29299 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29300 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 29301 0.0 0.0 4032 1920 ? S 16:11 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
root 29558 0.0 0.0 5856 744 pts/1 S+ 16:16 0:00 grep --color tiny
Whiteboard: (none) => feedback
Another misc package :o(

I'll ask on the -dev list if anyone is interested in fixing this, otherwise it should be dropped.

Thanks for testing.

PS - not sure if it makes a difference here, but AFAIK proxy definitions usually require a / at the end, so might be worth a quick check in your PoC command.
I tried with firefox too after setting to use http proxy at localhost:8888 so confident it works once 'started'.
OK thanks, so the issue can't be reproduced via that URL. I guess that's good.
From htop ...

├─ /bin/bash /sbin/service tinyproxy start
│  └─ /bin/bash /etc/init.d/tinyproxy start
│     └─ /bin/systemctl start tinyproxy.service
│        └─ /bin/systemd-tty-ask-password-agent --watch

Why is systemctl asking for a password? There's no dialog opening up to enter one.

[root@i2v bacula]# SYSTEMCTL_SKIP_REDIRECT=1 bash /etc/init.d/tinyproxy start
Starting tinyproxy: [ OK ]
[root@i2v bacula]# ps aux | grep tiny
nobody 5446 0.0 0.1 4032 2544 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5452 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5453 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5454 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5455 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5456 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5457 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5458 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5459 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5460 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
nobody 5461 0.0 0.0 4032 1920 ? S 21:26 0:00 /usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
root 5480 0.0 0.0 5608 760 pts/2 S+ 21:27 0:00 grep --color tiny
[root@i2v bacula]# SYSTEMCTL_SKIP_REDIRECT=1 bash /etc/init.d/tinyproxy stop
Stopping tinyproxy: [ OK ]
[root@i2v bacula]# ps aux | grep tiny
root 5515 0.0 0.0 5608 760 pts/2 S+ 21:27 0:00 grep --color tiny

The start and stop scripts are working, if systemd is bypassed.

So it looks like this bug has demonstrated a bug in systemd.
CC: (none) => davidwhodgins
We better let Colin get a look at it then. In fairness to systemd, it looks like whoever wrote this init script was trying to win an obfuscated code contest.
CC: (none) => mageia
Figured out the cause of the problem.

In /etc/init.d/tinyproxy, in the chkconfig headers, it has ...
# pidfile: /var/run/tinyproxy.pid

While it should have
# pidfile: /var/run/tinyproxy/tinyproxy.pid

While trying to start the service, systemd cannot find the pid file, so it hangs.

While trying to stop the service, since systemd cannot find the pid file, it ignores the stop request.

Fixing the path to the pid file in the init script corrects the problems.
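A packaging check for the two faults found in this thread (the `# pidfile:` header disagreeing with the PidFile the daemon writes, and a Group that does not exist on the system). This is an added example, not part of the original comments or the tinyproxy package; the function names and the sample files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a tinyproxy init script against its tinyproxy.conf.

# Print the path named by the chkconfig "# pidfile:" header of an init script.
init_pidfile() {
    sed -n 's/^#[[:space:]]*pidfile:[[:space:]]*//p' "$1" | head -n 1
}

# Print the value of a tinyproxy.conf directive, with optional quotes removed.
conf_value() {  # usage: conf_value DIRECTIVE FILE
    awk -v key="$1" '$1 == key { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Return 0 when header and PidFile agree and the configured group exists.
check_tinyproxy() {  # usage: check_tinyproxy INIT_SCRIPT CONF [GROUP_FILE]
    init=$1 conf=$2 groups=${3:-/etc/group} rc=0
    hdr=$(init_pidfile "$init")
    pid=$(conf_value PidFile "$conf")
    grp=$(conf_value Group "$conf")
    if [ -z "$hdr" ] || [ "$hdr" != "$pid" ]; then
        echo "pidfile mismatch: init header '$hdr' vs PidFile '$pid'"
        rc=1
    fi
    if [ -n "$grp" ] && ! grep -q "^$grp:" "$groups"; then
        echo "Group '$grp' not present in $groups"
        rc=1
    fi
    return $rc
}

# Constructed sample files: the broken and corrected layouts from the thread.
make_sample() {  # usage: make_sample DIR HEADER_PIDFILE GROUP
    printf '#!/bin/sh\n# chkconfig: 345 85 15\n# pidfile: %s\n' "$2" > "$1/init"
    printf 'User nobody\nGroup %s\nPidFile "/var/run/tinyproxy/tinyproxy.pid"\n' "$3" > "$1/conf"
    printf 'root:x:0:\nnogroup:x:65534:\n' > "$1/group"
}

tmp=$(mktemp -d)
make_sample "$tmp" /var/run/tinyproxy.pid nobody
check_tinyproxy "$tmp/init" "$tmp/conf" "$tmp/group" || echo "=> package needs fixing"
make_sample "$tmp" /var/run/tinyproxy/tinyproxy.pid nogroup
check_tinyproxy "$tmp/init" "$tmp/conf" "$tmp/group" && echo "=> consistent"
rm -rf "$tmp"
```

On an installed system the same function can be pointed at /etc/init.d/tinyproxy and /etc/tinyproxy/tinyproxy.conf, with the group file defaulting to /etc/group.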
Good spot Dave, even with bad eyes! I had compared those as well and didn't register a difference :\
Fixed package uploaded. Works for me now.

Advisory:
========================

Updated tinyproxy package fixes security vulnerability:

tinyproxy 1.8.3 allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that are hashed into the same bucket (CVE-2012-3505).

Additionally, this fixes errors in the init script and main configuration file that prevented it from starting.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3505
http://www.debian.org/security/2012/dsa-2564
========================

Updated packages in core/updates_testing:
========================
tinyproxy-1.8.3-1.2.mga2

from tinyproxy-1.8.3-1.2.mga2.src.rpm
Whiteboard: feedback => (none)
Fixed mga2 32
Whiteboard: (none) => mga2-32-OK
Tested ok x86_64

Validating

Advisory and srpm in comment 10

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga2-32-OK => mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0323
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED