CVE-2019-12529

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking each byte against its decoding table. That length is then used to start decoding the string. There is no check to ensure that the calculated length is not greater than the input buffer, so adjacent memory is decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html Mailing List Third Party Advisory
http://www.squid-cache.org/Versions/v4/changesets/ Vendor Advisory
http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch Patch Vendor Advisory
https://github.com/squid-cache/squid/commits/v4 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/
https://seclists.org/bugtraq/2019/Aug/42 Mailing List Third Party Advisory
https://usn.ubuntu.com/4065-1/ Third Party Advisory
https://usn.ubuntu.com/4065-2/ Third Party Advisory
https://www.debian.org/security/2019/dsa-4507 Third Party Advisory
Configurations

Configuration 1

OR cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable1:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

Configuration 4

OR cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 5

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

History

21 Nov 2024, 04:23

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html - Mailing List, Third Party Advisory
References () http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html - Mailing List, Third Party Advisory
References () http://www.squid-cache.org/Versions/v4/changesets/ - Vendor Advisory () http://www.squid-cache.org/Versions/v4/changesets/ - Vendor Advisory
References () http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch - Patch, Vendor Advisory () http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch - Patch, Vendor Advisory
References () https://github.com/squid-cache/squid/commits/v4 - Patch, Third Party Advisory () https://github.com/squid-cache/squid/commits/v4 - Patch, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html - Mailing List, Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html - Mailing List, Third Party Advisory () https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html - Mailing List, Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/ -
References () https://seclists.org/bugtraq/2019/Aug/42 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/Aug/42 - Mailing List, Third Party Advisory
References () https://usn.ubuntu.com/4065-1/ - Third Party Advisory () https://usn.ubuntu.com/4065-1/ - Third Party Advisory
References () https://usn.ubuntu.com/4065-2/ - Third Party Advisory () https://usn.ubuntu.com/4065-2/ - Third Party Advisory
References () https://www.debian.org/security/2019/dsa-4507 - Third Party Advisory () https://www.debian.org/security/2019/dsa-4507 - Third Party Advisory

26 Apr 2022, 20:22

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html - (MLIST) https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4065-2/ - (UBUNTU) https://usn.ubuntu.com/4065-2/ - Third Party Advisory
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/ - Mailing List, Third Party Advisory
References (UBUNTU) https://usn.ubuntu.com/4065-1/ - (UBUNTU) https://usn.ubuntu.com/4065-1/ - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2019/dsa-4507 - (DEBIAN) https://www.debian.org/security/2019/dsa-4507 - Third Party Advisory
References (BUGTRAQ) https://seclists.org/bugtraq/2019/Aug/42 - (BUGTRAQ) https://seclists.org/bugtraq/2019/Aug/42 - Mailing List, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html - (MLIST) https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html - Mailing List, Third Party Advisory
References (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html - (SUSE) http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html - Mailing List, Third Party Advisory
CPE cpe:2.3:a:squid-cache:squid:2.7.stable9:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable2:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable8:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable1:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable3:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable4:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable7:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable6:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7.stable5:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable1:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
CWE CWE-200 CWE-125

Information

Published : 2019-07-11 19:15

Updated : 2024-11-21 04:23


NVD link : CVE-2019-12529

Mitre link : CVE-2019-12529

CVE.ORG link : CVE-2019-12529

Products Affected

canonical

  • ubuntu_linux

fedoraproject

  • fedora

debian

  • debian_linux

opensuse

  • leap

squid-cache

  • squid
CWE
CWE-125

Out-of-bounds Read