[squid-users] [ADVISORY] SQUID-2011:3 Buffer overflow in Gopher reply parser

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 29 Aug 2011 04:58:09 +1200


       Squid Proxy Cache Security Update Advisory SQUID-2011:3

Advisory ID: SQUID-2011:3
Date: August 28, 2011
Summary: Buffer overflow in Gopher reply parser
Affected versions: Squid 3.0 -> 3.0.STABLE25
                         Squid 3.1 -> 3.1.14
                         Squid 3.2 ->
Fixed in Version: Squid 3.0.STABLE26, 3.1.15,


Problem Description:

  A bug exists in the code that parses responses from Gopher servers.
  The bug results in a buffer overflow if a Gopher server returns a
  line longer than 4096 bytes. The overflow results in memory
  corruption and usually crashes Squid.

  This is an extension of SQUID-2005:1 which has been opened in the
  Squid 3.x version code due to increased packet read sizes.
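
  The failure mode described above (reads larger than a 4096-byte line buffer) is avoided by clamping every copy to the space left in the buffer. The sketch below is an example added to this advisory text, not code from Squid or from its patch; the struct and function names are hypothetical and the input in main() is constructed.

```c
#include <stdio.h>
#include <string.h>
#define LINE_MAX_LEN 4096            /* line limit named in the advisory */
/* Hypothetical line accumulator for illustration; not Squid's structure. */
struct line_acc {
    char   buf[LINE_MAX_LEN + 1];    /* +1 for the terminating NUL */
    size_t len;                      /* bytes of the current line held in buf */
    size_t last_len;                 /* stored length of the last completed line */
    int    overlong;                 /* current line exceeded LINE_MAX_LEN */
    size_t lines, truncated;         /* counters: completed / truncated lines */
};

static void acc_init(struct line_acc *a) { memset(a, 0, sizeof *a); }

/* Feed one read of any size. Each copy is clamped to the room left in buf,
 * so a read larger than the line buffer cannot write past its end. */
static void acc_feed(struct line_acc *a, const char *data, size_t n)
{
    while (n > 0) {
        const char *nl = memchr(data, '\n', n);
        size_t chunk = nl ? (size_t)(nl - data) : n;  /* bytes before newline */
        size_t room  = LINE_MAX_LEN - a->len;
        size_t take  = chunk < room ? chunk : room;
        memcpy(a->buf + a->len, data, take);
        a->len += take;
        if (take < chunk) a->overlong = 1;   /* excess is dropped, not stored */
        if (nl) {                     /* line complete: terminate and account */
            a->buf[a->len] = '\0';
            a->last_len = a->len;
            a->lines++;
            a->truncated += a->overlong ? 1 : 0;
            a->len = 0; a->overlong = 0;
            chunk++;                  /* consume the newline itself */
        }
        data += chunk; n -= chunk;
    }
}

int main(void)
{
    static char big[6000];            /* constructed input: one 5999-byte line */
    struct line_acc a;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    acc_init(&a);
    acc_feed(&a, big, sizeof big);
    printf("lines=%zu truncated=%zu kept=%zu\n", a.lines, a.truncated, a.last_len);
    return 0;
}
```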



  A malicious user may set up a fake Gopher server and forward
  requests to it through Squid. Specially crafted responses from
  that server may cause Squid to restart.


Updated Packages:

  This bug is fixed by Squid versions, 3.1.15, and

  In addition, patches addressing this problem can be found in our
  patch archives.




  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated


Determining if your version is vulnerable:

  Squid-2.x versions are not vulnerable. This problem is
  limited to Squid-3.x versions with large read buffer sizes.

  Unpatched Squid-3.0 releases up to and including 3.0.STABLE25
  are vulnerable.

  Unpatched Squid-3.1 releases up to and including 3.1.14 are

  Unpatched Squid-3.2 releases up to and including are



  Since real Gopher servers are extremely rare these days, there is
  almost no reason for Squid to contact a Gopher server. You can
  add a simple access control rule to deny all Gopher requests to

     acl Gopher proto Gopher
     http_access deny Gopher

  Restart or reconfigure Squid after editing squid.conf. Test your
  access controls with a simple request:

     % squidclient gopher://

  You should see an "Access Denied" message.


Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the squid-users_at_squid-cache.org mailing list is your primary
  support point. For subscription details see

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used

  For reporting of security sensitive bugs send an email to the
  squid-bugs_at_squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security-related bug reports are
  treated in confidence until the impact has been established.



  The vulnerability was found by Ben Hawkes, Google Security Team


Revision history:

  2011-08-28 12:29 GMT Initial release of this document
Received on Sun Aug 28 2011 - 16:58:25 MDT