Bug 8794 - squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Summary: squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/535428/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-01-23 17:08 CET by Oden Eriksson
Modified: 2013-02-06 23:03 CET (History)
3 users (show)

See Also:
Source RPM: squid-3.1.19-4.1.mga2.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Oden Eriksson 2013-01-23 17:08:14 CET 
https://bugzilla.redhat.com/show_bug.cgi?id=895972

"Jan Lieskovsky 2013-01-16 07:05:21 EST

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5643 (bug #887962) to the following vulnerability:

Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.

Later it was found the upstream patch for CVE-2012-5643 issue to be incomplete, resulting in new patchset:
[1] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743
[2] http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744

The CVE identifier of CVE-2013-0189 has been assigned to this new issue (and new patchset)."
Comment 1 Oden Eriksson 2013-01-23 17:09:10 CET 
fixed in r391672 (mga2, updates_testing, squid-3.1.19-4.2.mga2)
Comment 2 Oden Eriksson 2013-01-23 17:14:00 CET 
squid-3.2.6 in cauldron is unaffected.
Comment 3 David Walser 2013-01-31 21:22:44 CET 
Ubuntu has issued an advisory on January 30:
http://www.ubuntu.com/usn/usn-1713-1/

Advisory:
========================

Updated squid packages fix security vulnerability:

It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack (CVE-2013-0189).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189
http://www.ubuntu.com/usn/usn-1713-1/
========================

Updated packages in core/updates_testing:
========================
squid-3.1.19-4.2.mga2
squid-cachemgr-3.1.19-4.2.mga2

from squid-3.1.19-4.2.mga2.src.rpm

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0189 => http://lwn.net/Vulnerabilities/535428/
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs

David Walser 2013-01-31 21:25:07 CET

Summary: CVE-2013-0189: squid - incomplete fix for CVE-2012-5643 => squid new security issue: incomplete fix for CVE-2012-5643 (CVE-2013-0189)
Severity: normal => major

Comment 4 claire robinson 2013-02-01 14:24:38 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=2778#c2

Whiteboard: (none) => has_procedure

Comment 5 claire robinson 2013-02-01 14:28:25 CET 
No PoC so just testing it works.

Testing mga2 64
Comment 6 claire robinson 2013-02-01 16:31:22 CET 
Testing complete mga2 64

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 7 claire robinson 2013-02-01 17:45:07 CET 
Testing complete mga2 32

Validating

Advisory & SRPM in comment 3

Can sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-ok

Comment 8 David Walser 2013-02-05 20:40:00 CET 
Forgot to mention, patch checked into Mageia 1 SVN.
Comment 9 Thomas Backlund 2013-02-06 23:03:35 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.