| Name | CVE-2019-12522 |
| Description | An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| squid (PTS) | buster (security), buster, buster (lts) | 4.6-1+deb10u10 | vulnerable |
| bullseye (security), bullseye | 4.13-10+deb11u3 | vulnerable |
| bookworm (security), bookworm | 5.7-2+deb12u2 | vulnerable |
| sid, trixie | 6.12-1 | vulnerable |
| squid3 (PTS) | jessie, jessie (lts) | 3.5.23-5+deb8u7 | vulnerable |
| stretch (security) | 3.5.23-5+deb9u7 | vulnerable |
| stretch (lts), stretch | 3.5.23-5+deb9u10 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| squid | source | (unstable) | (unfixed) | unimportant | | |
| squid3 | source | (unstable) | (unfixed) | unimportant | | |
Notes
Only causes problems if some other vulnerability is used to compromise the proxy.
There is no upstream plan to fix the issue. The issue here is that some child
processes run as low-privilege but stay in a state where they can resume root
privileges. That is needed for reconfigure still. Architectural changes are needed
to resolve it without breaking some installations.