CVE-2019-12527

Name: CVE-2019-12527
Description: An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

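| Source Package | Release | Version | Status |
|---|---|---|---|
| squid (PTS) | buster, bullseye | 4.6-1 | vulnerable |
| squid (PTS) | sid | 4.8-1 | fixed |
| squid3 (PTS) | jessie | 3.4.8-6+deb8u5 | fixed |
| squid3 (PTS) | jessie (security) | 3.4.8-6+deb8u8 | fixed |
| squid3 (PTS) | stretch (security), stretch | 3.5.23-5+deb9u1 | fixed |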

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| squid | source | (unstable) | 4.8-1 | medium | | |
| squid3 | source | (unstable) | (not affected) | | | |

Notes

- squid3 <not-affected> (Vulnerable code introduced in 4.0.23)
http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch
The code in squid 3.x limits the amount of input data decoded to one byte less
than the length of the target buffer, whilst in 4.x the entire input is decoded
without regard for the size of the target buffer.
