Name | CVE-2019-12527 |
Description | An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-4507-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
squid (PTS) | buster (security), buster, buster (lts) | 4.6-1+deb10u10 | fixed |
| bullseye (security), bullseye | 4.13-10+deb11u3 | fixed |
| bookworm (security), bookworm | 5.7-2+deb12u2 | fixed |
| sid, trixie | 6.12-1 | fixed |
squid3 (PTS) | jessie, jessie (lts) | 3.5.23-5+deb8u7 | fixed |
| stretch (security) | 3.5.23-5+deb9u7 | fixed |
| stretch (lts), stretch | 3.5.23-5+deb9u10 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
squid | source | wheezy | (unfixed) | end-of-life | | |
squid | source | buster | 4.6-1+deb10u1 | | DSA-4507-1 | |
squid | source | (unstable) | 4.8-1 | | | |
squid3 | source | wheezy | (unfixed) | end-of-life | | |
squid3 | source | (unstable) | (not affected) | | | |
Notes
- squid3 <not-affected> (Vulnerable code introduced in 4.0.23)
http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch
The code in squid 3.x limits the amount of input data decoded to one byte less
than the length of the target buffer, whilst in 4.x the entire input is decoded
without regard for the size of the target buffer.