[VIM] old Squid clientAbortBody issue - NOT an overflow?

Steven M. Christey coley at mitre.org
Thu Feb 23 21:02:40 EST 2006


There's an old Squid clientAbortBody issue that was claimed to be a
buffer overflow, but the original report seems to be erroneous.

Refs:

  MISC:http://www.securitylab.ru/47881.html
  OSVDB:9801
  SECTRACK:1011214

These sources claim a buffer overflow in clientAbortBody() in
client_side.c in Squid before 2.6 STABLE6 (actually, some say STABLE5,
which is understandable because the original researcher claims both.)

The key here is the following Squid bug report:

  MISC:http://www.squid-cache.org/bugs/show_bug.cgi?id=972

Here is my reconstruction of what happened:

(1) Original bug report to vendor shows null dereference in
clientAbortBody; original claim is null deref, and patch shows null
deref.

(2) Separate researcher claims overflow in clientAbortBody() for
STABLE6 (SECTRACK:1011214), saying "I am still experiencing this
problem in STABLE6."

(3) Various vuln DBs reported this issue as an overflow (including
OSVDB:9801).

(4) Later in the bug report, the vendor asks the researcher for more
information about the STABLE6 problem.

(5) The researcher then retracts the original claim, saying "the
release I thought was STABLE6 was a mis-labled version of Stable5..."


I'll be creating a CVE for the issue, calling it a null dereference in
STABLE5.  Not sure where the "overflow" claim even came from, but
there might be some long fields in the stack trace in message 2 of the
bug report (or maybe it's just zeroed memory).

FYI, SECUNIA:12508 is based on the original clientAbortBody null
dereference report.

- Steve

P.S.  Why yes, figuring this out DID kinda suck.


More information about the VIM mailing list