Bug 895773 (CVE-2014-6270) - VUL-1: CVE-2014-6270: squid: off by one in snmp subsystem
Summary: VUL-1: CVE-2014-6270: squid: off by one in snmp subsystem
Status: RESOLVED FIXED
Alias: CVE-2014-6270
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Deadline: 2015-10-23
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2014-6270:6.8:(AV:N/AC...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-09 12:01 UTC by Sebastian Krahmer
Modified: 2016-12-19 10:22 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
squid-snmp-off-by-one.patch (632 bytes, patch)
2014-09-09 12:02 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2014-09-09 12:01:10 UTC
There is an off by one on the heap inside snmpHandleUdp() function:

[...]

    len = recvfrom(sock,
        buf,
        SNMP_REQUEST_SIZE,
        0,
        (struct sockaddr *) &from,
        &from_len);

    if (len > 0) {
        buf[len] = '\0';
[...]

The last valid idx for buf is len-1. The LOCAL_ARRAY() macro declares
buf as static, so the off-by-one happens on the heap.
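
The pattern described in the report above, as an added example that is not part of the report, of squid, or of the attached patch (whose contents are not shown on this page): it receives datagrams of several sizes over a local socketpair and returns the index that `buf[len] = '\0'` would write to, once with the read limit equal to the buffer size and once with one byte reserved for the terminator. `REQ_SIZE`, `terminator_index`, `reported_index`, `hardened_index` and `in_bounds` are hypothetical names, and the payload is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define REQ_SIZE 64 /* constructed stand-in for SNMP_REQUEST_SIZE */

/* Send one `sent`-byte datagram over a local socketpair, receive it with a
 * read limit of `ask` bytes, and return len, i.e. the index that
 * buf[len] = '\0' would write to. Returns -1 on error. */
static ssize_t terminator_index(size_t sent, size_t ask)
{
    static char buf[REQ_SIZE + 1]; /* spare byte keeps this demo in bounds */
    char payload[2 * REQ_SIZE];
    int sv[2];
    ssize_t len = -1;
    if (sent > sizeof(payload) || ask > REQ_SIZE)
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(payload, 'A', sizeof(payload)); /* constructed input */
    if (send(sv[0], payload, sent, 0) == (ssize_t)sent)
        len = recvfrom(sv[1], buf, ask, 0, NULL, NULL);
    if (len >= 0)
        buf[len] = '\0'; /* safe here only because of the spare byte */
    close(sv[0]);
    close(sv[1]);
    return len;
}

/* Pattern from the report: the read limit equals the buffer size. */
ssize_t reported_index(size_t sent) { return terminator_index(sent, REQ_SIZE); }
/* Hardened: read at most size - 1 so the terminator always fits. */
ssize_t hardened_index(size_t sent) { return terminator_index(sent, REQ_SIZE - 1); }
/* 1 if index idx lies inside a buffer of exactly REQ_SIZE bytes. */
int in_bounds(ssize_t idx) { return idx >= 0 && idx < REQ_SIZE; }

int main(void)
{
    size_t sizes[] = { 10, REQ_SIZE - 1, REQ_SIZE, 2 * REQ_SIZE };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        ssize_t r = reported_index(sizes[i]), h = hardened_index(sizes[i]);
        printf("sent=%3zu reported=%zd (%s) hardened=%zd (%s)\n", sizes[i], r,
               in_bounds(r) ? "ok" : "out of bounds", h,
               in_bounds(h) ? "ok" : "out of bounds");
    }
    return 0;
}
```

Only datagrams of at least the buffer size reach the out-of-bounds index; shorter ones behave identically in both variants, which is why the defect does not show up in ordinary traffic.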
Comment 1 Sebastian Krahmer 2014-09-09 12:02:01 UTC
Created attachment 605545
squid-snmp-off-by-one.patch
Comment 2 Marcus Meissner 2014-09-09 13:28:07 UTC
Is this squid 3 or also squid 2?
Comment 3 Sebastian Krahmer 2014-09-09 13:33:12 UTC
In both. Don't know when they introduced it. Probably when they first introduced
SNMP.
Comment 4 Marcus Meissner 2014-09-09 15:51:40 UTC
In sle10 squid 2.5 already.
Comment 5 SMASH SMASH 2014-09-09 15:55:13 UTC
Affected packages:

SLE-10-SP3-TERADATA: squid
SLE-11-SP3: squid, squid3
SLE-11-SP3-PRODUCTS: squid, squid3
SLE-11-SP3-UPTU: squid, squid3
Comment 6 Swamp Workflow Management 2014-09-09 22:00:13 UTC
bugbot adjusting priority
Comment 7 Sebastian Krahmer 2014-09-10 06:12:31 UTC
CVE-2014-6270
Comment 11 Swamp Workflow Management 2015-01-12 14:04:54 UTC
SUSE-SU-2015:0028-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 895773
CVE References: CVE-2014-6270
Sources used:
SUSE Linux Enterprise Server 12 (src):    squid-3.3.13-4.2
Comment 12 Swamp Workflow Management 2015-03-20 15:36:13 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-03.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61243
Comment 13 Glen D'Souza 2015-06-02 07:29:41 UTC
Is this available for squid on sles11sp3?
Comment 14 Sebastian Krahmer 2015-06-02 07:47:48 UTC
This fix should have been included in the next regular squid update (hence VUL-1),
but the SWAMP workflow has been canceled. It's still VUL-1, so
whenever the next squid update for sp3 is done, this issue
should be included. (Its severity does not demand an update on its own).
Comment 21 Jochen Keil 2015-10-07 13:51:13 UTC
Fixed by https://build.suse.de/request/show/69070
Comment 23 Swamp Workflow Management 2015-10-16 14:01:11 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-10-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62312
Comment 29 Swamp Workflow Management 2015-11-13 12:11:04 UTC
SUSE-SU-2015:1983-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 895773,949942
CVE References: CVE-2014-6270,CVE-2014-9749
Sources used:
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    squid-2.7.STABLE5-2.12.24.2
SUSE Linux Enterprise Server 11-SP4 (src):    squid-2.7.STABLE5-2.12.24.2
SUSE Linux Enterprise Server 11-SP3 (src):    squid-2.7.STABLE5-2.12.24.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid-2.7.STABLE5-2.12.24.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    squid-2.7.STABLE5-2.12.24.2
Comment 32 Swamp Workflow Management 2016-08-09 15:12:35 UTC
SUSE-SU-2016:1996-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.27.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.27.1
Comment 33 Swamp Workflow Management 2016-08-16 16:09:03 UTC
SUSE-SU-2016:2089-1: An update that fixes 25 vulnerabilities is now available.

Category: security (important)
Bug References: 895773,902197,938715,963539,967011,968392,968393,968394,968395,973782,973783,976553,976556,976708,979008,979009,979010,979011,993299
CVE References: CVE-2011-3205,CVE-2011-4096,CVE-2012-5643,CVE-2013-0188,CVE-2013-4115,CVE-2014-0128,CVE-2014-6270,CVE-2014-7141,CVE-2014-7142,CVE-2015-5400,CVE-2016-2390,CVE-2016-2569,CVE-2016-2570,CVE-2016-2571,CVE-2016-2572,CVE-2016-3947,CVE-2016-3948,CVE-2016-4051,CVE-2016-4052,CVE-2016-4053,CVE-2016-4054,CVE-2016-4553,CVE-2016-4554,CVE-2016-4555,CVE-2016-4556
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    squid3-3.1.23-8.16.30.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.30.1
Comment 34 Marcus Meissner 2016-12-19 10:22:28 UTC
All fixed.