Bug 808911 (CVE-2013-1839) - VUL-1: CVE-2013-1839: squid/squid3: denial of service via strHdrAcptLangGetItem() at errorpage.cc
Status: RESOLVED INVALID
Alias: CVE-2013-1839
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Deadline: 2013-08-22
Assignee: Security Team bot
QA Contact: Security Team bot
 
Reported: 2013-03-12 14:16 UTC by Marcus Meissner
Modified: 2014-04-11 08:05 UTC



Attachments
accept_lang_vulnerability.patch (1.37 KB, patch)
2013-03-14 10:23 UTC, Marcus Meissner

Description Marcus Meissner 2013-03-12 14:16:28 UTC
is public, via bugtraq

CVE-2013-1839

Date: Tue, 05 Mar 2013 20:53:30 +0000
To: bugtraq@securityfocus.com
From: tytusromekiatomek@hushmail.com


################################################################
# DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc #
################################################################
#
# Authors:
#
# 22733db72ab3ed94b5f8a1ffcde850251fe6f466
# c8e74ebd8392fda4788179f9a02bb49337638e7b
# AKAT-1
#
#######################################

# Versions: 3.2.5, 3.2.7 


  This error is only triggered when squid needs to generate an error page (for example, the backend node is not responding, etc.)
  POC (request):
  -- cut --
  GET http://127.0.0.1:1/foo HTTP/1.1
  Accept-Language: ,
  -- cut --

  e.g : curl -H "Accept-Language: ," http://localhost:3129/

  Code:

    strHdrAcptLangGetItem is called with pos equal to 0, therefore the first branch
    of the if (line 316) is taken; because xisspace(hdr[pos]) is false, pos++
    is not executed (because hdr[0] is ','). The condition of the while in line 335 is
    also false because hdr[0] = ',', so the whole loop body is omitted. dt = lang,
    thus after the assignment in line 353 *lang == '\0', so the expression in the if
    statement in line 357 is false. So the next execution of the while body (line 314)
    has the same preconditions as the previous one, thus it's an infinite loop.

   312  bool strHdrAcptLangGetItem(const String &hdr, char *lang, int langLen, size_t &pos)
   313  {
   314      while (pos < hdr.size()) {
   315          char *dt = lang;

   316          if (!pos) {
   317              /* skip any initial whitespace. */
   318              while (pos < hdr.size() && xisspace(hdr[pos]))
   319                  ++pos;
   320          } else {
   321              // IFF we terminated the tag on whitespace or ';' we need to skip to the next ',' or end of header.
   322              while (pos < hdr.size() && hdr[pos] != ',')
   323                  ++pos;
   324              if (hdr[pos] == ',')
   325                  ++pos;
   326          }

   327          /*
   328           * Header value format:
   329           *  - sequence of whitespace delimited tags
   330           *  - each tag may suffix with ';'.* which we can ignore.
   331           *  - IFF a tag contains only two characters we can wildcard ANY translations matching: <it> '-'? .*
   332           *    with preference given to an exact match.
   333           */
   334          bool invalid_byte = false;
   335          while (pos < hdr.size() && hdr[pos] != ';' && hdr[pos] != ',' && !xisspace(hdr[pos]) && dt < (lang + (langLen -1)) ) {
   336              if (!invalid_byte) {
   337  #if USE_HTTP_VIOLATIONS
   338                  // if accepting violations we may as well accept some broken browsers
   339                  //  which may send us the right code, wrong ISO formatting.
   340                  if (hdr[pos] == '_')
   341                      *dt = '-';
   342                  else
   343  #endif
   344                      *dt = xtolower(hdr[pos]);
   345                  // valid codes only contain A-Z, hyphen (-) and *
   346                  if (*dt != '-' && *dt != '*' && (*dt < 'a' || *dt > 'z') )
   347                      invalid_byte = true;
   348                  else
   349                      ++dt; // move to next destination byte.
   350              }
   351              ++pos;
   352          }
   353          *dt = '\0'; // nul-terminated the filename content string before system use.
   354          ++dt;

   355          debugs(4, 9, HERE << "STATE: dt='" << dt << "', lang='" << lang << "', pos=" << pos << ", buf='" << ((pos < hdr.size()) ? hdr.substr(pos,hdr.size()) : "") << "'");

   356          /* if we found anything we might use, try it. */
   357          if (*lang != '\0' && !invalid_byte)
   358              return true;
   359      }
   360      return false;
   361  }

EOF
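The stall described in the report, modelled as an added C++ example that is not part of the original report or of Squid: one walker switchable between the quoted control flow and a hardened form (an assumed shape, not necessarily the attached patch), with an iteration budget so the looping form can be exercised without hanging.

```cpp
// Added example, not Squid's code: a stand-alone model of the quoted Accept-Language
// tag walker, switchable between its looping form and a hardened form (an assumed shape,
// not necessarily the attached patch). std::string stands in for the fixed lang buffer.
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>
static bool isSpace(char c) { return std::isspace((unsigned char)c) != 0; }
static bool isTagChar(char c) { return c != ';' && c != ',' && !isSpace(c); }
// Mirrors the quoted inner loop: lower-case tag bytes into out, flag anything
// outside a-z, '-' and '*', and leave pos at the end of the tag.
static void copyTag(const std::string &hdr, std::string &out, size_t &pos, bool &invalid) {
    out.clear(); invalid = false;
    while (pos < hdr.size() && isTagChar(hdr[pos])) {
        char c = (char)std::tolower((unsigned char)hdr[pos++]);
        if (c != '-' && c != '*' && (c < 'a' || c > 'z')) invalid = true;
        else if (!invalid) out.push_back(c);
    }
}
// hardened == false reproduces the quoted control flow: whitespace is skipped only when
// pos == 0, so a header beginning with ',' never advances pos and every pass repeats with
// identical state. The budget is a model-only guard so this form terminates; Squid had none.
static bool getItem(const std::string &hdr, std::string &out, size_t &pos, bool hardened, unsigned &budget) {
    while (pos < hdr.size()) {
        if (budget == 0) return false;
        --budget;
        if (hardened || !pos) {
            while (pos < hdr.size() && isSpace(hdr[pos])) ++pos;
        } else {  // quoted code: skip to and past the next ',' before reading a tag
            while (pos < hdr.size() && hdr[pos] != ',') ++pos;
            if (pos < hdr.size()) ++pos;
        }
        bool invalid; copyTag(hdr, out, pos, invalid);
        if (hardened) {  // always step past the next ',' so pos grows on every pass
            while (pos < hdr.size() && hdr[pos] != ',') ++pos;
            if (pos < hdr.size()) ++pos;
        }
        if (!out.empty() && !invalid) return true;
    }
    return false;
}
// Tags found in hdr; `budget` is left holding what the guard did not consume (0 = it fired).
std::vector<std::string> collectTags(const std::string &hdr, bool hardened, unsigned &budget) {
    std::vector<std::string> tags; std::string tag; size_t pos = 0;
    while (getItem(hdr, tag, pos, hardened, budget)) tags.push_back(tag);
    return tags;
}
// Convenience wrappers for callers that only want one of the two results.
unsigned budgetLeft(const std::string &hdr, bool hardened, unsigned budget) { collectTags(hdr, hardened, budget); return budget; }
std::vector<std::string> tagsOf(const std::string &hdr, bool hardened) { unsigned b = 64; return collectTags(hdr, hardened, b); }
```

With the header "," the looping form exhausts any budget with pos still 0, while the hardened form consumes a single pass and returns no tag.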
Comment 1 Swamp Workflow Management 2013-03-12 23:00:29 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-03-14 10:23:12 UTC
I confirm it is possible. A regression was introduced in some 3.2 parser 
alterations.
A preliminary patch is attached which restores the Squid-3.1 behaviour.

As this is triggerable by remote clients I am inclined to release an 
advisory.

Affected stable versions are Squid-3.3 up to and including 3.3.2, 
Squid-3.2 up to and including 3.2.8.

Amos Jeffries
Squid Project
Comment 3 Marcus Meissner 2013-03-14 10:23:54 UTC
Created attachment 529675 [details]
accept_lang_vulnerability.patch

proposed patch
Comment 4 Marcus Meissner 2013-03-14 10:25:49 UTC
According to the squid maintainer, this was introduced in squid 3.2, meaning SLE 11 SQUID 3 is not affected.

openSUSE 12.2 squid3 is also 3.1.x

-> Only openSUSE 12.3 and newer are affected.

Perhaps Christian?
Comment 5 Swamp Workflow Management 2013-07-25 14:28:08 UTC
The SWAMPID for this issue is 53765.
This issue was rated as moderate.
Please submit fixed packages until 2013-08-08.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Christian Wittmer 2013-08-06 13:48:35 UTC
I'll prepare an update for 12.3 which has 3.2.6 and is affected.
Comment 8 Christian Wittmer 2013-08-06 13:55:11 UTC
hmm, 12.3_Update has 3.2.11 which is not affected.
So everything seems to be fine.
Comment 13 Roman Drahtmueller 2013-08-30 14:08:06 UTC
Suggesting to close this bug INVALID.
No product comes with the affected versions.
Comment 14 Marcus Meissner 2013-11-21 14:21:26 UTC
agreed