ports/143451: [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability

Thomas-Martin Seck tmseck at web.de
Mon Feb 1 20:10:03 UTC 2010

>Number:         143451
>Category:       ports
>Synopsis:       [Maintainer] [Security] www/squid: Advisory 2010:1 - Denial of Service vulnerability
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 01 20:10:03 UTC 2010
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 8.0-RELEASE amd64
a private site in Germany
FreeBSD ports collection as of February 1, 2010.


Squid advisory 2010:1 notes that all versions of Squid are vulnerable to
a denial of service attack via untrusted DNS servers/resolvers.

Updated versions of www/squid30 and www/squid31 do not build, unfortunately.
I have informed the upstream maintainer and will update www/squid30 and
www/squid31 as soon as I have received and tested fixes for the build errors.

Added file:

Proposed VuXML entry, note that these include the fixed 3.0.22 and versions which are not yet available as ports. Feel free to
modify these entries to show that no fix is yet available in the Ports
  <vuln vid="296ecb59-0f6b-11df-8bab-0019996bc1f7">
    <topic>squid -- Denial of Service vulnerability in DNS handling</topic>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>Squid security advisory 2010:1 reports:</p>
         <blockquote cite="http://www.squid-cache.org/Advisories/SQUID-2010_1.txt">
           <p>Due to incorrect data validation Squid is vulnerable to a denial
  	   of service attack when processing specially crafted DNS packets.</p>
  	 <p>This problem allows any trusted client or external server who can
  	   determine the squid receiving port to perform a short-term denial
  	   of service attack on the Squid service.</p>
Apply this patch:

Index: Makefile
--- Makefile	(.../www/squid)	(Revision 1744)
+++ Makefile	(.../local/squid)	(Revision 1744)
@@ -76,7 +76,7 @@
 PORTNAME=	squid
 MASTER_SITES=	ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
 		ftp://mirrors.24-7-solutions.net/pub/squid/%SUBDIR%/ \
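Review bot: the Makefile hunk headed `@@ -76,7 +76,7 @@` shows only three context lines and no `+` or `-` line, so the change it makes to the port Makefile cannot be reviewed from what is here. Please resend the hunk in full so the changed line is visible next to the new files/ patch.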
Index: files/patch-squid-advisory-2010:1
--- files/patch-squid-advisory-2010:1	(.../www/squid)	(Revision 0)
+++ files/patch-squid-advisory-2010:1	(.../local/squid)	(Revision 1744)
@@ -0,0 +1,38 @@
+FreeBSD-Patch for Squid-Advisory 2010:1, prepared by Thomas-Martin Seck,
+<tmseck at web.de>, 2010-02-01.
+Removed one directory level and the first hunk with CVS meta-information
+from the original patch. The original patch can be downloaded from:
+PatchSet 12597 
+Date: 2010/01/15 11:40:30
+Author: amosjeffries
+Branch: HEAD
+Tag: (none) 
+Handle DNS header-only packets as invalid.
+	lib/rfc1035.c:1.30->1.31 
+Index: lib/rfc1035.c
+RCS file: /cvsroot/squid/squid/lib/rfc1035.c,v
+retrieving revision 1.30
+retrieving revision 1.31
+diff -u -r1.30 -r1.31
+--- lib/rfc1035.c	15 Jun 2008 03:49:55 -0000	1.30
++++ lib/rfc1035.c	15 Jan 2010 11:40:30 -0000	1.31
+@@ -286,7 +286,9 @@
+     size_t len;
+     assert(ns > 0);
+     do {
+-	assert((*off) < sz);
++	if ((*off) >= sz) {
++	    return 1;
++	}
+ 	c = *(buf + (*off));
+ 	if (c > 191) {
+ 	    /* blasted compression */
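Review bot: in the lib/rfc1035.c hunk, the new `if ((*off) >= sz) { return 1; }` guards only the first read in the loop, `c = *(buf + (*off))`. The later reads in this loop, starting with the compression branch at `if (c > 191)`, are cut off in the visible context, so please confirm each of them is checked against sz as well; the fix only works if a header-only packet fails cleanly rather than aborting the process. The `assert(ns > 0)` directly above is left in place, and it is worth stating why ns cannot be driven to zero by packet contents, or converting it to an error return in the same way. A short comment on the new branch saying what the return value 1 signals to callers would also help.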

