Bug 8794 - squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Summary: squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/535428/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Keywords: validated_update
Depends on:
Reported: 2013-01-23 17:08 CET by Oden Eriksson
Modified: 2013-02-06 23:03 CET (History)
3 users (show)

See Also:
Source RPM: squid-3.1.19-4.1.mga2.src.rpm
Status comment:


Description Oden Eriksson 2013-01-23 17:08:14 CET

"Jan Lieskovsky 2013-01-16 07:05:21 EST

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset)."
Comment 1 Oden Eriksson 2013-01-23 17:09:10 CET
fixed in r391672 (mga2, updates_testing, squid-3.1.19-4.2.mga2)
Comment 2 Oden Eriksson 2013-01-23 17:14:00 CET
squid-3.2.6 in cauldron is unaffected.
Comment 3 David Walser 2013-01-31 21:22:44 CET
Ubuntu has issued an advisory on January 30:


Updated squid packages fix security vulnerability:

It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack (CVE-2013-0189).


Updated packages in core/updates_testing:

from squid-3.1.19-4.2.mga2.src.rpm

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 => http://lwn.net/Vulnerabilities/535428/
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

David Walser 2013-01-31 21:25:07 CET

Summary: CVE-2013-0189: squid - incomplete fix for CVE-2012-5643 => squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Severity: normal => major

Comment 4 claire robinson 2013-02-01 14:24:38 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2013-02-01 14:28:25 CET
No PoC so just testing it works.

Testing mga2 64
Comment 6 claire robinson 2013-02-01 16:31:22 CET
Testing complete mga2 64

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 7 claire robinson 2013-02-01 17:45:07 CET
Testing complete mga2 32


Advisory & SRPM in comment 3

Can sysadmin please push from core/updates_testing to core/updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok

Comment 8 David Walser 2013-02-05 20:40:00 CET
Forgot to mention, patch checked into Mageia 1 SVN.
Comment 9 Thomas Backlund 2013-02-06 23:03:35 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.