Re: Fw: [Full-Disclosure] bufferoverflow in client shipped with squid-2.5.STABLE1.tar.gz (latest) and below

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 08 Jan 2003 17:21:46 +0100

It was sent to squid-bugs.

This is a user-level buffer overflow due to user supplied arguments in a
program intended to be used interactively for debugging/analysis
purposes only (squidclient) or controlled administrative actions from
cron jobs such as automated collection of cachemgr information.

My classification of the bug:
  Security risk: none/very low
  Bug class: trivial/cosmetic

The buffer overflow is not present in Squid as such, only in the
squidclient administration/debug program.

Duane fixed the problem in the current CVS sources shortly after the
notice was received to make sure it does not annoy anyone else. The fix
is in the Squid-2.5 and Squid-2 CVS trees and will be brought over to
Squid-3 in the next synchronization.

To my knowledge there is no planned announcement except for maybe a
changelog entry, unless there is another third party announcement which
overstates the severity of this bug.

Regards
Henrik

Wed 2003-01-08 at 14:55 David Luyer wrote:
> Forwarding since I don't remember seeing it here.
>
> David.
> --
> David Luyer                          Phone:  +61 3 9674 7525
> Network Development Manager          Fax:    +61 3 9699 8693
> Pacific Internet (Australia)         Mobile: +61 4 1111 BYTE
> http://www.pacific.net.au/           NASDAQ: PCNTF
> P A C I F I C   I N T E R N E T
>
> ----- Original Message -----
> From: mr elite
> To: full-disclosure@lists.netsys.com
> Sent: Wednesday, January 08, 2003 7:46 PM
> Subject: [Full-Disclosure] bufferoverflow in client shipped with
> squid-2.5.STABLE1.tar.gz (latest) and below
>
>
> Hello,
> While testing various binaries on Redhat 8.0 I came
> across a buffer overflow in the /usr/sbin/client
> program that ships with squid. Redhat 8.0 ships with
> squid-2.4.STABLE7-4.src.rpm; I also looked at the client.c
> source for the latest version, which has the same problem. The
> problem is when supplying 8229 or more characters when
> running /usr/sbin/client, e.g.
>
> [fault@b0f fault]$ /usr/sbin/client `perl -e 'print "A"x8229'`
> Segmentation fault (core dumped)
> [fault@b0f fault]$
>
> After a quick look at the code it seems to be overflowing
> at the strcpy call.
> <snips from code>
>
>     #define BUFSIZ 8192
>
>     char url[BUFSIZ], msg[BUFSIZ], buf[BUFSIZ];
>
>     else if (argc >= 2) {
>         strcpy(url, argv[argc - 1]);   /* unbounded copy of argv into the 8192-byte url[] */
>         if (url[0] == '-')
>             usage(argv[0]);
>
> </snips from code>
>
> FIX
> -=-=-
>
> - strcpy(url, argv[argc - 1]);
>
> + strncpy(url, argv[argc - 1], sizeof(BUFSIZ));
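Review bot: the bound on the "+" line, sizeof(BUFSIZ), is the size of the integer constant 8192 (sizeof(int), normally 4 bytes), not the size of the url array, so this copies at most four bytes of the argument and, when the argument is that long or longer, leaves url without a terminating NUL. The bound should be sizeof(url) (or BUFSIZ - 1), and because strncpy writes no terminator when the source fills the destination, either add url[sizeof(url) - 1] = '\0'; after the copy or reject the argument up front with a check such as if (strlen(argv[argc - 1]) >= sizeof(url)) usage(argv[0]);.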
> NOT A SECURITY ISSUE, JUST ANOTHER DUMB SEGFAULT
>
> EOF
>
> Alan M
> (faulty)
> www.b0f.net
>
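
The pattern the report describes, as an added example that is not code from Squid's client.c or from anyone in this thread: the argv-to-fixed-buffer copy beside a bounded copy, plus two checks a reviewer of the proposed strncpy fix would want, namely that sizeof(BUFSIZ) is the size of an int constant rather than of the array, and that strncpy leaves no terminator when the source fills the buffer. The buffer size URL_BUFSIZ (kept distinct from the BUFSIZ macro that stdio.h already defines) and all function names are assumptions chosen for the demonstration.

```c
/*
 * Added example, not Squid's client.c.  Reproduces the report's pattern
 * (an argv string strcpy'd into a fixed 8192-byte url[]) next to a bounded
 * copy, and exposes two properties of the proposed one-line fix.
 * URL_BUFSIZ and every function name below are assumptions for the demo.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUFSIZ 8192   /* same size as url[] in the report; stdio.h owns BUFSIZ */

/* The pattern from the report.  Undefined behaviour once strlen(arg) >=
 * URL_BUFSIZ: the copy runs off the end of url[], which is the segfault
 * the report shows.  Never call it with an untrusted argument. */
void copy_url_unsafe(char url[URL_BUFSIZ], const char *arg)
{
    strcpy(url, arg);
}

/* What "sizeof(BUFSIZ)" in the proposed fix evaluates to: the size of the
 * int constant 8192, i.e. sizeof(int), not the 8192-byte array. */
size_t proposed_fix_bound(void)
{
    return sizeof(URL_BUFSIZ);
}

/* Bounded copy that refuses anything that does not fit with its NUL.
 * Returns 0 on success; -1 (and an empty dst) when arg is too long. */
int copy_url_bounded(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);

    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {          /* no room for n bytes plus the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, n + 1);   /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Drives copy_url_bounded with a constructed argument of arglen 'A' bytes
 * into a URL_BUFSIZ buffer.  Returns 1 if the copy was accepted and intact. */
int bounded_copy_accepts(size_t arglen)
{
    char url[URL_BUFSIZ];
    char *arg = malloc(arglen + 1);
    int ok;

    if (arg == NULL)
        return 0;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    ok = copy_url_bounded(url, sizeof(url), arg) == 0 && strlen(url) == arglen;
    free(arg);
    return ok;
}

/* Even with the correct bound, strncpy(dst, arg, dstsz) writes no NUL when
 * strlen(arg) >= dstsz.  Returns 1 if dst ends up without a terminator. */
int strncpy_leaves_unterminated(size_t dstsz, const char *arg)
{
    char *dst = malloc(dstsz);
    int unterminated;

    if (dst == NULL)
        return 0;
    strncpy(dst, arg, dstsz);
    unterminated = memchr(dst, '\0', dstsz) == NULL;
    free(dst);
    return unterminated;
}

int main(int argc, char **argv)
{
    char url[URL_BUFSIZ];
    /* Constructed default; pass your own argument (e.g. 8229 'A's) to try it. */
    const char *arg = argc >= 2 ? argv[argc - 1] : "http://localhost:3128/";

    if (copy_url_bounded(url, sizeof(url), arg) != 0) {
        fprintf(stderr, "url too long: max %zu bytes\n", sizeof(url) - 1);
        return 1;
    }
    printf("url = %s\n", url);
    return 0;
}
```

Rejecting an over-long argument outright (rather than silently truncating it with strncpy) is the better choice for a URL: a truncated URL is a different request, not a shorter version of the same one, and the caller gets a usage error instead of a surprise.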
Received on Wed Jan 08 2003 - 09:22:03 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:06 MST