CVE-2019-12522

NameCVE-2019-12522
DescriptionAn issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
squid (PTS)buster4.6-1+deb10u7vulnerable
buster (security)4.6-1+deb10u10vulnerable
bullseye4.13-10+deb11u2vulnerable
bullseye (security)4.13-10+deb11u3vulnerable
bookworm5.7-2vulnerable
bookworm (security)5.7-2+deb12u1vulnerable
trixie6.6-1vulnerable
sid6.8-1vulnerable
squid3 (PTS)jessie, jessie (lts)3.5.23-5+deb8u7vulnerable
stretch (security)3.5.23-5+deb9u7vulnerable
stretch (lts), stretch3.5.23-5+deb9u10vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
squidsource(unstable)(unfixed)unimportant
squid3source(unstable)(unfixed)unimportant

Notes

Only causes problems if some other vulnerability is used to compromise the proxy.
There is no upstream plan to fix the issue. The issue here is that some child
processes run as low-privilege but stay in a state where they can resume root
privileges. That is needed for reconfigure still. Architectural changes are needed
to resolve it without breaking some installations.

Search for package or bug name: Reporting problems