CVE-2012-5643: cachemgr.cgi denial of service

Debian Bug report logs - #696187
CVE-2012-5643: cachemgr.cgi denial of service

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: CVE-2012-5643: cachemgr.cgi denial of service

Date: Mon, 17 Dec 2012 21:36:27 +0200

Package: squid-cgi
Version: 3.1.20-2
Severity: important
Tags: security

http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
http://www.openwall.com/lists/oss-security/2012/12/17/3

Problem Description:
 Due to missing input validation Squid cachemgr.cgi tool is
 vulnerable to a denial of service attack when processing
 specially crafted requests.

- Henri Salo

Message #10 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 696187@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: CVE-2012-5643: cachemgr.cgi denial of service

Date: Tue, 22 Jan 2013 17:37:10 +0100

severity grave 696187 
thanks

On Mon, Dec 17, 2012 at 09:36:27PM +0200, Henri Salo wrote:
> Package: squid-cgi
> Version: 3.1.20-2
> Severity: important
> Tags: security
> 
> http://www.squid-cache.org/Advisories/SQUID-2012_1.txt
> http://www.openwall.com/lists/oss-security/2012/12/17/3
> 
> Problem Description:
>  Due to missing input validation Squid cachemgr.cgi tool is
>  vulnerable to a denial of service attack when processing
>  specially crafted requests.

Note that the initial fix was incorrect:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0189

Cheers,
        Moritz

Message #17 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Michael Stapelberg <stapelberg@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: 696187@bugs.debian.org

Subject: Re: CVE-2012-5643: cachemgr.cgi denial of service

Date: Tue, 5 Feb 2013 23:22:22 +0100

On Tue, 22 Jan 2013 17:37:10 +0100
Moritz Muehlenhoff <jmm@inutil.org> wrote:
> Note that the initial fix was incorrect:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0189
I have integrated this upstream patch (which adresses
CVE-2012-5643 and CVE-2013-0189):
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch

Because the maintainer has not reacted to this bugreport at all for
nearly 2 months, I have directly NMUed the package.

-- 
Best regards,
Michael

Message #22 received at 696187-close@bugs.debian.org (full text, mbox, reply):

From: Michael Stapelberg <stapelberg@debian.org>

To: 696187-close@bugs.debian.org

Subject: Bug#696187: fixed in squid3 3.1.20-2.1

Date: Tue, 05 Feb 2013 22:33:04 +0000

Source: squid3
Source-Version: 3.1.20-2.1

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Stapelberg <stapelberg@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Feb 2013 23:16:27 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.20-2.1
Distribution: unstable
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Michael Stapelberg <stapelberg@debian.org>
Description: 
 squid-cgi  - Full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3     - Full featured Web Proxy cache (HTTP proxy)
 squid3-common - Full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - Full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - Full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 696187
Changes: 
 squid3 (3.1.20-2.1) unstable; urgency=high
 .
   * Non-maintainer upload
 .
   * Urgency high due to security fixes
 .
   * debian/patches/30-CVE-2012-5643-CVE-2013-0189.patch
     - Added upstream fix for squid-cgi (cachemgr) memory leaks and denial of
       service vulnerability (Closes: #696187)
Checksums-Sha1: 
 a0ca698b161413fee7fe9c01aa28abd95dd9c629 2076 squid3_3.1.20-2.1.dsc
 ae6b931a399d398eaa37963a26f6ffc5c9f37f75 21881 squid3_3.1.20-2.1.debian.tar.gz
 a3e1806b1fc5f64f55c55bbd011f481cc477ce3a 200848 squid3-common_3.1.20-2.1_all.deb
 3bdc5a1242dd21ab0b2ef9ae456bc5aeffcd4bfa 1638958 squid3_3.1.20-2.1_amd64.deb
 87290672bf086fc3243bf31c97f48a763b8fe480 6960658 squid3-dbg_3.1.20-2.1_amd64.deb
 73445f2b5e101478ce93ecfaecae058c93f2d3e2 111962 squidclient_3.1.20-2.1_amd64.deb
 b0dcc1f2701aef5086740f6286b1b2b959fdc494 115278 squid-cgi_3.1.20-2.1_amd64.deb
Checksums-Sha256: 
 24d4937a3342d0cb6d4bcc21736f524974407ac813adff854190bf141b848f04 2076 squid3_3.1.20-2.1.dsc
 6747e5c286a3f9735341ecfeee6a12d97cf327bf212029fd9fc0667417e2394b 21881 squid3_3.1.20-2.1.debian.tar.gz
 037cd592139835d86014ede0d0af28b0ae95c55fb8ee26d99bed8ca1b9e4dd70 200848 squid3-common_3.1.20-2.1_all.deb
 b3eb3929183845f5da7490c93b3efc465c0cec4ce1cf504ae47aa2c08ee50e22 1638958 squid3_3.1.20-2.1_amd64.deb
 324aee09f4cbbeed2cf6fea6ab98b1c28484a83aad92a77d74531a7b9fa9641d 6960658 squid3-dbg_3.1.20-2.1_amd64.deb
 368eea78e5487c49b1fab06983e18deda9b8ae9650623a44ab19abef1468b254 111962 squidclient_3.1.20-2.1_amd64.deb
 7e6123e334b79ff974e2a8548065c57630b6f55cf13b38eb5618f149b9d8d95f 115278 squid-cgi_3.1.20-2.1_amd64.deb
Files: 
 8ebbfd2ee551c8480b40676bbe8a89d7 2076 web optional squid3_3.1.20-2.1.dsc
 5c6cf0fbc64d59b2e79e056ab2376fa9 21881 web optional squid3_3.1.20-2.1.debian.tar.gz
 5bb3503b67f93669181392bcf0e98527 200848 web optional squid3-common_3.1.20-2.1_all.deb
 2516daa160e779a5ca87c6e812e9da13 1638958 web optional squid3_3.1.20-2.1_amd64.deb
 03384d282ac70a02b704f8498e624621 6960658 debug extra squid3-dbg_3.1.20-2.1_amd64.deb
 15167fcb596253441814ccdbd7411e69 111962 web optional squidclient_3.1.20-2.1_amd64.deb
 f1b0c8be7957d8edcf741a097efb5918 115278 web optional squid-cgi_3.1.20-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJREYUsAAoJEE5xYO1KyO4dS+kP/2lpUH4IlcZ4G8vkoJzM6qgP
2kTdhWsYVeS48ckBDZObXwVz4pcWqHdXUaMTc/Sz6bDVVoEUTdBPAbyuGCOFeePr
RJ34vnzihxCzcAQsr/iltebRSJAaFJMWAvMDrR5ZmHr8vKKoKIB0Erv5ascYzxbF
Vogx0qghExzK3hMUbs9KlXqtzKxmH4Cq2ET9agphLHHqS05D7tCiEskL4mmNf0YY
vt1Wxl4qsGxj9vx1YJttwHpPhXYNS9iN45SS/wbnHpl2fa72mV3qJNc1KK+2sFjt
nq43cBF1+65IBC+bi3YJOdQ3THMnJRSBpmZZSMJQnUkjST5sneBpR2dlEu/ZNl4d
lDfyOSuA+G70+ZVe/2gqVXLgFzhfKZ353yZ11owKsPKZSjWSvC2BGY51mYz+Nk7D
qwImJPhAOp5qjwjlvrNuf0MP2iE+281pk4C3xvyKRby5+H0hrAOuthm1IjhfkkBl
iufAtzSk3i21yS5WCK1sPx7N7mH1AKKVBh4Y5Di+hETj70LmvLFbO7WonDHe1O1x
Vdsvx+MTYZ79zkapGZRJSGEP5pOpcXqF0i32eA5SlkqGP8d4uFVHtCdTpd5kOV1V
v4rH+CbdVJuNgkZTfxKGVeQt4yyArfXBcajqjwQ0O6HntqHMiIgeYmcFtofKWCb9
bdceOvwssoOTk5jD1XcO
=cid9
-----END PGP SIGNATURE-----

Message #27 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 696187@bugs.debian.org, Luigi Gangitano <luigi@debian.org>

Subject: Re: Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service

Date: Mon, 18 Feb 2013 19:56:55 +0100

Hi Luigi

squid3 in stable is still affected by #696187: cachemgr.cgi denial of
service.

Could you prepare an upload for CVE-2012-5643 and subsequent
CVE-2013-0189 targeting stable-security for a DSA?

Note that the initial patch was incomplete and the full fix is at [1].

 [1]: http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch

Regards,
Salvatore

Message #32 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Luigi Gangitano <luigi@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 696187@bugs.debian.org

Subject: Re: Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service

Date: Sat, 23 Feb 2013 16:41:51 +0100

Ciao Salvatore,

Thanks a lot for your NMU. I really appreciate your help.

Regards,

L

Il giorno 18/feb/2013, alle ore 19:56, Salvatore Bonaccorso <carnil@debian.org> ha scritto:

> Hi Luigi
> 
> squid3 in stable is still affected by #696187: cachemgr.cgi denial of
> service.
> 
> Could you prepare an upload for CVE-2012-5643 and subsequent
> CVE-2013-0189 targeting stable-security for a DSA?
> 
> Note that the initial patch was incomplete and the full fix is at [1].
> 
> [1]: http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch
> 
> Regards,
> Salvatore
> 

--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED

Message #37 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Luigi Gangitano <luigi@debian.org>

Cc: 696187@bugs.debian.org

Subject: Re: Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service

Date: Sat, 23 Feb 2013 17:25:33 +0100

Ciao Luigi

On Sat, Feb 23, 2013 at 04:41:51PM +0100, Luigi Gangitano wrote:
> Ciao Salvatore,
> 
> Thanks a lot for your NMU. I really appreciate your help.

Thank you for your feedback! I now also would have the package ready
targeting stable-security.

Regards,
Salvatore

Message #42 received at 696187@bugs.debian.org (full text, mbox, reply):

From: Luigi Gangitano <luigi@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 696187@bugs.debian.org

Subject: Re: Bug#696187: CVE-2012-5643: cachemgr.cgi denial of service

Date: Sat, 23 Feb 2013 17:28:37 +0100

Please go ahead and submit it to debian-security.

Regards,

L

Il giorno 23/feb/2013, alle ore 17:25, Salvatore Bonaccorso <carnil@debian.org> ha scritto:

> Ciao Luigi
> 
> On Sat, Feb 23, 2013 at 04:41:51PM +0100, Luigi Gangitano wrote:
>> Ciao Salvatore,
>> 
>> Thanks a lot for your NMU. I really appreciate your help.
> 
> Thank you for your feedback! I now also would have the package ready
> targeting stable-security.
> 
> Regards,
> Salvatore
> 

--
Luigi Gangitano -- <luigi@debian.org> -- <gangitano@lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED

Message #47 received at 696187-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 696187-close@bugs.debian.org

Subject: Bug#696187: fixed in squid3 3.1.6-1.2+squeeze3

Date: Tue, 26 Feb 2013 11:47:04 +0000

Source: squid3
Source-Version: 3.1.6-1.2+squeeze3

We believe that the bug you reported is fixed in the latest version of
squid3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 696187@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated squid3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Feb 2013 14:08:15 +0100
Source: squid3
Binary: squid3 squid3-dbg squid3-common squidclient squid-cgi
Architecture: source all amd64
Version: 3.1.6-1.2+squeeze3
Distribution: stable-security
Urgency: high
Maintainer: Luigi Gangitano <luigi@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 squid-cgi  - A full featured Web Proxy cache (HTTP proxy) - control CGI
 squid3     - A full featured Web Proxy cache (HTTP proxy)
 squid3-common - A full featured Web Proxy cache (HTTP proxy) - common files
 squid3-dbg - A full featured Web Proxy cache (HTTP proxy) - Debug symbols
 squidclient - A full featured Web Proxy cache (HTTP proxy) - control utility
Closes: 696187
Changes: 
 squid3 (3.1.6-1.2+squeeze3) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2012-5643-CVE-2013-0189.dpatch patch.
     Fix squid-cgi (cachemgr) memory leaks and denial of service
     vulnerability: remote attackers could cause a denial of service (memory
     consumption) via (1) invalid Content-Length headers, (2) long POST
     requests, or (3) crafted authentication credentials. CVE-2012-5643 and
     CVE-2013-0189. (Closes: #696187)
Checksums-Sha1: 
 c5f6749082a7f2fb4e2f040b2bc0cecfef97e81a 1945 squid3_3.1.6-1.2+squeeze3.dsc
 b2208a200998e98a02596d3c8f4dad6763746c53 23044 squid3_3.1.6-1.2+squeeze3.diff.gz
 6380ea78d9eadc573d8e51cccaaf113e092544cf 196062 squid3-common_3.1.6-1.2+squeeze3_all.deb
 8d55afc54170c79003164e6efaebd24f5d3992c2 1503786 squid3_3.1.6-1.2+squeeze3_amd64.deb
 2405080e5f4af1146660e022f3f6c5cb6e0d9b58 5630368 squid3-dbg_3.1.6-1.2+squeeze3_amd64.deb
 d65ed2ccc4ad390a9b090f301a748c04a9bd2337 106596 squidclient_3.1.6-1.2+squeeze3_amd64.deb
 cfaf934f65485e93dd42c680e56345e65f7592aa 109162 squid-cgi_3.1.6-1.2+squeeze3_amd64.deb
Checksums-Sha256: 
 4e240bc5b701735fd66f8a4f6c9be1b81cd427810f9f4836e3fa6ce33ab20e70 1945 squid3_3.1.6-1.2+squeeze3.dsc
 edf23b6e2a9773e4aedb9e87f281b5cf59574db7171a15d634ab5d32e8bac82c 23044 squid3_3.1.6-1.2+squeeze3.diff.gz
 cf066c363753e37d32acebb3c4b6b9e0a28cbbd743a1ad6d58ce2036f70ff313 196062 squid3-common_3.1.6-1.2+squeeze3_all.deb
 6221b0bb02cf7d4acc855e119660c0e8e5c6d463ae40ba51939b03437003db76 1503786 squid3_3.1.6-1.2+squeeze3_amd64.deb
 866d213ed26f42c62752a56c2007ebf41377ef459367f7da5ae1b4ccc8c0af11 5630368 squid3-dbg_3.1.6-1.2+squeeze3_amd64.deb
 4d30058966703e44bf7f93a57213294814706de00e8ab57735e8e5662e2d2d6b 106596 squidclient_3.1.6-1.2+squeeze3_amd64.deb
 dd991d13eaa5e17d8c1c3d93b2cfa9ef98571417348a357582ccd160238ad037 109162 squid-cgi_3.1.6-1.2+squeeze3_amd64.deb
Files: 
 c7754aa210a9bec4b70cffe5e76162e4 1945 web optional squid3_3.1.6-1.2+squeeze3.dsc
 1e5c47a57390e3687ef07af9a54f9807 23044 web optional squid3_3.1.6-1.2+squeeze3.diff.gz
 25c25ea08cff7d1564f43781118367d1 196062 web optional squid3-common_3.1.6-1.2+squeeze3_all.deb
 b232b0475053ee02b141cbd1a0868d92 1503786 web optional squid3_3.1.6-1.2+squeeze3_amd64.deb
 a692f9ebb0fe2b40f25f84b4fee1a61e 5630368 debug extra squid3-dbg_3.1.6-1.2+squeeze3_amd64.deb
 5d043aec9d7ab49fa38cb391c5592acd 106596 web optional squidclient_3.1.6-1.2+squeeze3_amd64.deb
 1fe4e32221676902f7f55f16ff50b3fe 109162 web optional squid-cgi_3.1.6-1.2+squeeze3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRKOr3AAoJEHidbwV/2GP+tMcQAMWU9vk02JoPV5guWGLTPUzp
hvH78ARaDvVwwgfghLm3PtJNNJrQiuYmTTQ5lXiSzMgagvMewtlKCSZ5CW6psoXN
oRN0pK3zBMvTKQb89eGmqFu572uZ+6VZVYOAwuIzaD4Ogf3u6Yss68x3ldTkBUk4
xCUkTVQfK/KwOuUA5nV9yJ9xbSit2Ss2SSPMpJeLUjhy1iiM8wUqmzFzu1qfZO0q
tG4PH6ycPehkD6sTubZ5FXArLavlIAcLOyItGrxRxehY2e2IUnmvSpLNlbUPTRzk
oe1ySXd1kGjLv1lBTDkZpxZvOjF5m/bNqgfkl2G5wk/NDp1msVfFewv4X0qR87FI
+P7P7Q/Hp4LecbU7k++zX3kfqb6cWtHnoSTa0bMhHmBH29KpqYgXaUVwdL1HkL+K
iScDh4hKCbqSO5RGCdpLyUK+BCl2u+k0rPnu8yt2jFQRnFIg50gI1N0OWhd+11EX
AhpE9QBi5/o8SmwnvVLwnAwIB5p9wuogxZSKMc85wCihflVkvaBZElY4lywhI62H
1vTJTkZb3WFka7iYVGeHnLORa+3y0AnlTdnRzTSqMXvqWukVzRLwpJnmgsXqb49B
hk6hUvoiypZdkg2yGWMxofvNPy3Nc0sPRUwo4wIfvBxCQmwdpveMk72MaZ48qEQc
ym5P/6RzFY3lMjHIffCA
=/EFi
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.