Date:      1 Feb 2010 20:08:57 -0000
From:      Thomas-Martin Seck <tmseck@web.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        ports-security@FreeBSD.org
Subject:   ports/143451: [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability
Message-ID:  <20100201200857.38567.qmail@wcfields.tmseck.homedns.org>
Resent-Message-ID: <201002012010.o11KA3tC052507@freefall.freebsd.org>


>Number:         143451
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 01 20:10:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
a private site in Germany
>Environment:
FreeBSD ports collection as of February 1, 2010.

	
>Description:

Squid advisory 2010:1 notes that all versions of Squid are vulnerable to
a denial of service attack via untrusted DNS servers/resolvers.

Updated versions of www/squid30 and www/squid31 do not build, unfortunately.
I have informed the upstream maintainer and will update www/squid30 and
www/squid31 as soon as I have received and tested fixes for the build errors.

Added file:
files/patch-squid-advisory-2010:1

Proposed VuXML entry, note that these include the fixed 3.0.22 and
3.1.0.16 versions which are not yet available as ports. Feel free to
modify these entries to show that no fix is yet available in the Ports
Collection:
  
  <vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
    <topic>squid -- Denial of Service vulnerability in DNS handling</topic>
    <affects>
       <package>
         <name>squid</name>
         <range><ge>2.7.1</ge><lt>2.7.7_3</lt></range>
         <range><ge>3.0.1</ge><lt>3.0.22</lt></range>
         <range><ge>3.1.0.1</ge><lt>3.1.0.16</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>Squid security advisory 2010:1 reports:</p>
         <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
           <p>Due to incorrect data validation Squid is vulnerable to a denial
  	   of service attack when processing specially crafted DNS packets.</p>
  	 <p>This problem allows any trusted client or external server who can
  	   determine the squid receiving port to perform a short-term denial
  	   of service attack on the Squid service.</p>
         </blockquote>
       </body>
     </description>
     <references>
       <url>http://www.squid-cache.org/Advisories/SQUID-2010_1.txt</url>
     </references>
     <dates>
       <discovery>2010-01-14</discovery>
     </dates>
  </vuln>
  
	
>How-To-Repeat:
	
>Fix:
Apply this patch:

Index: Makefile
===================================================================
--- Makefile	(.../www/squid)	(Revision 1744)
+++ Makefile	(.../local/squid)	(Revision 1744)
@@ -76,7 +76,7 @@
 
 PORTNAME=	squid
 PORTVERSION=	2.7.${SQUID_STABLE_VER}
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
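Review bot: Confirm the value of SQUID_STABLE_VER before committing, because the context line `PORTVERSION= 2.7.${SQUID_STABLE_VER}` and the new `PORTREVISION= 3` must together produce the 2.7.7_3 that the proposed VuXML entry uses as its upper bound (`<lt>2.7.7_3</lt>`). The variable's value is not visible in this hunk, and if it is not 7 the VuXML range will not match the package version this change produces.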
Index: files/patch-squid-advisory-2010:1
===================================================================
--- files/patch-squid-advisory-2010:1	(.../www/squid)	(Revision 0)
+++ files/patch-squid-advisory-2010:1	(.../local/squid)	(Revision 1744)
@@ -0,0 +1,38 @@
+FreeBSD-Patch for Squid-Advisory 2010:1, prepared by Thomas-Martin Seck,
+<tmseck@web.de>, 2010-02-01.
+
+Removed one directory level and the first hunk with CVS meta-information
+from the original patch. The original patch can be downloaded from:
+http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
+
+---------------------
+PatchSet 12597 
+Date: 2010/01/15 11:40:30
+Author: amosjeffries
+Branch: HEAD
+Tag: (none) 
+Log:
+Handle DNS header-only packets as invalid.
+
+Members: 
+	lib/rfc1035.c:1.30->1.31 
+
+Index: lib/rfc1035.c
+===================================================================
+RCS file: /cvsroot/squid/squid/lib/rfc1035.c,v
+retrieving revision 1.30
+retrieving revision 1.31
+diff -u -r1.30 -r1.31
+--- lib/rfc1035.c	15 Jun 2008 03:49:55 -0000	1.30
++++ lib/rfc1035.c	15 Jan 2010 11:40:30 -0000	1.31
+@@ -286,7 +286,9 @@
+     size_t len;
+     assert(ns > 0);
+     do {
+-	assert((*off) < sz);
++	if ((*off) >= sz) {
++	    return 1;
++	}
+ 	c = *(buf + (*off));
+ 	if (c > 191) {
+ 	    /* blasted compression */
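Review bot: The `assert(ns > 0);` two lines above the changed check in the embedded lib/rfc1035.c hunk is left in place, so it remains an abort path in the same function where `assert((*off) < sz);` is being replaced by `return 1;`. If `ns` can ever be derived from packet contents rather than from a fixed caller buffer size, it should get the same treatment; otherwise a short comment saying it is caller-controlled would make that clear. The new `(*off) >= sz` test also only guards the single-byte read at `c = *(buf + (*off));`. The reads that follow the `c > 191` compression branch are outside the visible context, so it is worth checking that they are bounded against `sz` as well. As a smaller point, the added file name `patch-squid-advisory-2010:1` contains a colon, which some tools and filesystems handle poorly; a name without it would be safer.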
	


>Release-Note:
>Audit-Trail:
>Unformatted:


