[35204] in bugtraq
TSSA-2004-010 - squid
daemon@ATHENA.MIT.EDU (tinysofa Security Team)
Wed Jun 9 15:07:12 2004
Date: Wed, 9 Jun 2004 21:34:07 +1000
From: tinysofa Security Team <security@tinysofa.org>
To: bugtraq@securityfocus.com
Message-ID: <20040609113407.GA24568@tinysofa.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="u3/rZRmxL6MmkK24"
Content-Disposition: inline
--u3/rZRmxL6MmkK24
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
_ =20
|_ . _ _ _ (_ _ =20
|_ | | ) \/ _) (_) | (_|=20
/ =20
Security Advisory #2004-010
Package name: squid
Summary: Arbitary Code Execution
Advisory ID: TSSA-2004-010
Date: 2004-06-09
Affected versions: tinysofa enterprise server 1.0
tinysofa enterprise server 1.0-U1
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D
Security Fixes
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Description
-----------
squid:
* Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache [0] could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:
char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
{
int rv;
char pass[25] /*, encrypted_pass[40] */;
char *domain =3D credentials;
...
memcpy(pass, tmp.str, tmp.l);
...
The function contains a buffer overflow vulnerability due to a lack of
bounds checking on the values copied to the 'pass' variable. Both the
'tmp.str' and 'tmp.l' variables used in the memcpy() call contain
user-supplied data.
This problem has been assigned the name CAN-2004-0541 [1] by the=20
Common Vulnerabilities and Exposures (CVE) project.
This problem was first reported by iDEFENSE [2].=20
References
----------
[0] http://http://www.squid-cache.org/
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2004-0541
[2] http://www.idefense.com/application/poi/display?id=3D107
Recommended Action
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
We recommend that all systems with these packages installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location
=3D=3D=3D=3D=3D=3D=3D=3D
All tinysofa updates are available from
<URI:http://http.tinysofa.org/pub/tinysofa/updates/>
<URI:ftp://ftp.tinysofa.org/pub/tinysofa/updates/>
Automatic Updates
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Check out our mailing lists:
<URI:http://www.tinysofa.org/support/>
Verification
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This advisory is signed with the tinysofa security sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0xAEDCBB4B>
All tinysofa packages are signed with the tinysofa stable sign key.
This key is available from:
<URI:http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x0F1240A2>
The advisory is available from the tinysofa errata database at
<URI:http://www.tinysofa.org/support/errata/>
or directly at
<URI:http://www.tinysofa.org/support/errata/2004/010.html>
MD5sums Of The Packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
1fc7bd552435e8c6605d1cdd064d2edc squid-2.5.STABLE5-6ts.i586.rpm
--
tinysofa Security Team <security at tinysofa dot org>
--u3/rZRmxL6MmkK24
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAxvWt6VF9/q7cu0sRAt2/AJ4jc2iNfGxqTnbZlhNDxA3Pi/Of+wCcDO+Y
J2kk9VrDs4JPZsgaooOyx1E=
=r1NL
-----END PGP SIGNATURE-----
--u3/rZRmxL6MmkK24--
