A hole in Squid

Incorrect handling of compressed DNS responses can cause a buffer overflow…
________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2002:2
_______________________________________________________

Advisory ID: SQUID-2002:2
Date: March 26, 2002
Affected versions: Squid-2.x up to and including 2.4.STABLE4
Reported by: zen-parse
_______________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
_______________________________________________________

Problem Description:
A security issue has recently been found and fixed in the Squid-2.X
releases up to and including 2.4.STABLE4.

Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicious DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV.

The relevant code exists in Squid-2.3, Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD, and is enabled by default.

_______________________________________________________

Updated Packages:

The Squid-2.4.STABLE6 release contains fixes for all these problems. You can download the Squid-2.4.STABLE6 release from

ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
http://www.squid-cache.org/Versions/v2/2.4/

or the mirrors (may take a while before all mirrors are updated). For a list of mirror sites see

http://www.squid-cache.org/Mirrors/ftp-mirrors.html
http://www.squid-cache.org/Mirrors/http-mirrors.html

Individual patches to the mentioned issues can be found from our patch archive for version Squid-2.4.STABLE4

http://www.squid-cache.org/Versions/v2/2.4/bugs/

The patches should also apply with only a minimal effort to earlier Squid 2.4 versions if required.

The Squid-2.5 and Squid-2.6/Squid-HEAD nightly snapshots contain the fixed DNS code.

_______________________________________________________

Determining if you are vulnerable:

You are vulnerable if you are running these versions of Squid with internal DNS queries:

* Squid-2.4 version up to and including Squid-2.4.STABLE4
* Squid-2.5 up to the fix date (Tuesday, March 12 2002 UTC)
* Squid-2.6 / Squid-HEAD up to the fix date (Tuesday, March 12 2002 UTC)
* Squid-2.3

Squid uses the internal DNS implementation by default, and prints a line like this in cache.log when it is in use:

DNS Socket created at 0.0.0.0, port 4345, FD 5

_______________________________________________________

Workarounds:

Squid-2.4, Squid-2.5 and Squid-2.6/Squid-HEAD can be recompiled to use the external DNS server support by running configure with the --disable-internal-dns option. There is no run-time configuration option to select between the internal/external DNS code.

We recommend that you upgrade, rather than simply switch to external DNS lookups. The external DNS implementation uses child processes and may negatively affect Squid’s performance, especially for busy caches.

And FreeBSD Security Advisories:


===================================================================
FreeBSD-SA-02:19 Security Advisory
FreeBSD, Inc.

Topic: squid heap buffer overflow in DNS handling

Category: ports
Module: squid24
Announced: 2002-03-26
Credits: zen-parse
Affects: squid port prior to version 2.4_9
Corrected: 2002-03-22 00:19:55 UTC
FreeBSD only: NO

I. Background

The Squid Internet Object Cache is a web proxy/cache.

II. Problem Description

Incorrect handling of compressed DNS responses could result in a heap buffer overflow.

The squid port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains thousands of third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.5 contains this problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

A malicious DNS server (or an attacker spoofing a DNS server) could respond to DNS requests from squid with a specially crafted answer that would trigger the heap buffer overflow bug. This could crash the squid process. This bug is not known to be exploitable.

IV. Workaround

1) Deinstall the squid port/package if you have it installed.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the squid port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

VI. Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                            Revision
-------------------------------------------------------------------------
ports/www/squid24/Makefile      1.89
ports/www/squid24/distinfo      1.64
-------------------------------------------------------------------------

VII. References

http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/lib/rfc1035.c#rev1.24
http://www.squid-cache.org/cgi-bin/cvsweb.cgi/squid/lib/rfc1035.c#rev1.23