Bug#685281: denial of service via many headers
Hi Thijs

On Sun, Sep 30, 2012 at 09:33:46AM +0200, Thijs Kinkhorst wrote:
> Hi Salvatore,
>
> On Sat, September 29, 2012 19:15, Salvatore Bonaccorso wrote:
> > On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
> >> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> >> > A Denial of Service attack has been reported against tinyproxy:
> >> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> >> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
> >> >
> >> > Can you please see to it that this gets addressed in unstable
> >> > (and by extension wheezy)?
> >> >
> >> > Please use CVE-2012-3505 to refer to this issue.
> >>
> >> Will try to get something done ASAP.
> >>
> >> Should I do something about stable too? The codebase should be really
> >> similar.
> >
> > I looked at the current prepared version for unstable in the tinyproxy
> > subversion repository, attached is the debdiff to the current version
> > in unstable.
> >
> > Are you fine if I upload this as it is to unstable?
> >
> > @SecurityTeam: I'm not the Maintainer of the package but tinyproxy
> > appeared on the radar for RC bugs for wheezy, so noticed this one.
>
> Thanks for your work. It looks good. The changelog does have some quirks:
> your version number is not NMU-style but maintainer-style, you're not
> Jordi Mallach and you added a dot in an unrelated stanza. If you fix these
> small items up, please upload this.

I actually haven't done the 'real' work. All the real work was already
prepared by Jordi Mallach, who pushed his work to the svn repository. I
know he would not be able to upload the package himself in the next month,
so I had a look at what he did and built his version. He asked if someone
could upload this for him.

I'm sorry if I was not clear about this.

Regards,
Salvatore
Bug#685281: denial of service via many headers
Hi Salvatore,

On Sat, September 29, 2012 19:15, Salvatore Bonaccorso wrote:
> On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
>> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
>> > A Denial of Service attack has been reported against tinyproxy:
>> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
>> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
>> >
>> > Can you please see to it that this gets addressed in unstable
>> > (and by extension wheezy)?
>> >
>> > Please use CVE-2012-3505 to refer to this issue.
>>
>> Will try to get something done ASAP.
>>
>> Should I do something about stable too? The codebase should be really
>> similar.
>
> I looked at the current prepared version for unstable in the tinyproxy
> subversion repository, attached is the debdiff to the current version
> in unstable.
>
> Are you fine if I upload this as it is to unstable?
>
> @SecurityTeam: I'm not the Maintainer of the package but tinyproxy
> appeared on the radar for RC bugs for wheezy, so noticed this one.

Thanks for your work. It looks good. The changelog does have some quirks:
your version number is not NMU-style but maintainer-style, you're not
Jordi Mallach and you added a dot in an unrelated stanza. If you fix these
small items up, please upload this.

Cheers,
Thijs

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#685281: denial of service via many headers
Hi Thijs and Jordi

On Sun, Aug 19, 2012 at 01:23:38PM +0200, Jordi Mallach wrote:
> On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> > A Denial of Service attack has been reported against tinyproxy:
> > https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> > https://banu.com/bugzilla/show_bug.cgi?id=110#c2
> >
> > Can you please see to it that this gets addressed in unstable
> > (and by extension wheezy)?
> >
> > Please use CVE-2012-3505 to refer to this issue.
>
> Will try to get something done ASAP.
>
> Should I do something about stable too? The codebase should be really
> similar.

I looked at the current prepared version for unstable in the tinyproxy
subversion repository, attached is the debdiff to the current version
in unstable.

Are you fine if I upload this as it is to unstable?

@SecurityTeam: I'm not the Maintainer of the package but tinyproxy
appeared on the radar for RC bugs for wheezy, so noticed this one.

Regards,
Salvatore

diff -Nru tinyproxy-1.8.3/debian/changelog tinyproxy-1.8.3/debian/changelog --- tinyproxy-1.8.3/debian/changelog 2012-01-23 12:10:36.0 +0100 +++ tinyproxy-1.8.3/debian/changelog 2012-09-29 13:49:33.0 +0200 @@ -1,3 +1,15 @@ +tinyproxy (1.8.3-3) unstable; urgency=high + + * Add patches for CVE-2012-3505 (closes: #685281): +- CVE-2012-3505-tinyproxy-limit-headers.patch: Limit the number of + headers to prevent DoS attacks. +- CVE-2012-3505-tinyproxy-randomized-hashmaps.patch: Randomize hashmaps + in order to avoid fake headers getting included in the same bucket, + allowing for DoS attacks. +Bug reported and patches contributed by gpernot. + + -- Jordi Mallach Mon, 24 Sep 2012 21:05:41 +0200 + tinyproxy (1.8.3-2) unstable; urgency=low * Update Homepage again: webpage is served over https.
@@ -5,7 +17,7 @@ LDFLAGS. Enable dh_autoreconf support. * Switch to debhelper v9 to take advantage of automatic dpkg-buildflags setting and enable hardened build flags (closes: #655870). - * Bump Build-Deps to debhelper (>= 8.9.4) + * Bump Build-Deps to debhelper (>= 8.9.4). -- Jordi Mallach Mon, 23 Jan 2012 12:10:34 +0100 diff -Nru tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch --- tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch 1970-01-01 01:00:00.0 +0100 +++ tinyproxy-1.8.3/debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch 2012-09-29 13:49:33.0 +0200 
@@ -0,0 +1,101 @@ +--- a/src/child.c a/src/child.c +@@ -20,6 +20,9 @@ + * processing incoming connections. + */ + ++#include ++#include ++ + #include "main.h" + + #include "child.h" +@@ -196,6 +200,7 @@ static void child_main (struct child_s *ptr) + } + + ptr->connects = 0; ++ srand(time(NULL)); + + while (!config.quit) { + ptr->status = T_WAITING; +--- a/src/hashmap.c a/src/hashmap.c +@@ -25,6 +25,8 @@ + * don't try to free the data, or realloc the memory. :) + */ + ++#include ++ + #include "main.h" + + #include "hashmap.h" +@@ -50,6 +52,7 @@ struct hashbucket_s { + }; + + struct hashmap_s { ++uint32_t seed; + unsigned int size; + hashmap_iter end_iterator; + +@@ -65,7 +68,7 @@ struct hashmap_s { + * + * If any of the arguments are invalid a negative number is returned. + */ +-static int hashfunc (const char *key, unsigned int size) ++static int hashfunc (const char *key, unsigned int size, uint32_t seed) + { + uint32_t hash; + +@@ -74,7 +77,7 @@ static int hashfunc (const char *key, unsigned int size) + if (size == 0) + return -ERANGE; + +-for (hash = tolower (*key++); *key != '\0'; key++) { ++for (hash = seed; *key != '\0'; key++) { + uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0; + + hash >>= 1; +@@ -104,6 +107,7 @@ hashmap_t hashmap_create (unsigned int nbuckets) + if (!ptr) + return NULL; + ++ ptr->seed = (uint32_t)rand(); + ptr->size = nbuckets; + ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets, +sizeof (struct +@@ -201,7 +205,7 @@ hashmap_insert (hashmap_t map, const char *key, const void *data, size_t len) + if (!data || len < 1) + return -ERANGE; + +-hash = hashfunc (key, map->size); ++hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + +@@ -382,7 +386,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key) + if (map == NULL || key == NULL) + return -EINVAL; + +-hash = hashfunc (key, map->size); ++hash = hashfunc (key, map->size, map->seed); + if (hash < 0) + return hash; + +@@ -416,7
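Review bot: the patch file name in the first changelog hunk does not match the file the debdiff adds: the changelog lists `CVE-2012-3505-tinyproxy-randomized-hashmaps.patch`, but the new file is `debian/patches/CVE-2012-3505-tiniproxy-randomized-hashmaps.patch` ("tiniproxy"). Rename the patch file (and its entry in debian/patches/series) so they agree, otherwise the changelog refers to a file that does not exist in the package.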
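Review bot: the second changelog hunk (`@@ -5,7 +17,7 @@`) rewrites the already-released 1.8.3-2 entry, changing `debhelper (>= 8.9.4)` to `debhelper (>= 8.9.4).`. A security upload should not touch earlier stanzas; drop this line so the debdiff contains only the new 1.8.3-3 entry and the patches, which is also what Thijs asks for in the thread.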
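Review bot: the three `#include` directives added in the child.c and hashmap.c hunks carry no header name as shown, so the excerpt does not build as written. The new code calls `srand`, `rand` and `time` and uses `uint32_t`, which require `<stdlib.h>`, `<time.h>` and `<stdint.h>` respectively; confirm the patch file actually names those headers.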
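Review bot: `srand(time(NULL))` in `child_main` is a weak seed for a hash that is meant to resist collision flooding: it has one-second resolution, so every child started in the same second draws the same `rand()` sequence and therefore the same `ptr->seed`, and the value is predictable from the process start time. Also check whether any hashmap is created before `child_main` runs (for example while parsing the configuration in the parent), because `hashmap_create` then calls `rand()` unseeded and gets the same deterministic seed on every start. Prefer filling the seed from a real entropy source such as `/dev/urandom`, or at minimum mix in `getpid()`, and make sure seeding happens before the first `hashmap_create`.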
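Review bot: the rotate in `hashfunc` is broken independently of this change and is worth fixing while the function is being touched: `1 << (sizeof (uint32_t) - 1)` evaluates to `1 << 3`, i.e. bit 3, because `sizeof` counts bytes, so the `hash >>= 1` plus `bit` does not rotate the 32-bit word and the high bits are never fed back. Use `(uint32_t) 1 << 31` (or `CHAR_BIT * sizeof (uint32_t) - 1`). Note also that replacing `hash = tolower (*key++)` with `hash = seed` means the first byte is no longer consumed by the initializer and is now processed by the loop body like every other byte; that is fine, but it changes every bucket index even with a fixed seed, so existing assumptions about bucket layout no longer hold.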
Bug#685281: denial of service via many headers
On Sun, Aug 19, 2012 at 11:42:57AM +0200, Thijs Kinkhorst wrote:
> A Denial of Service attack has been reported against tinyproxy:
> https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
> https://banu.com/bugzilla/show_bug.cgi?id=110#c2
>
> Can you please see to it that this gets addressed in unstable
> (and by extension wheezy)?
>
> Please use CVE-2012-3505 to refer to this issue.

Will try to get something done ASAP.

Should I do something about stable too? The codebase should be really
similar.

--
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
jo...@sindominio.net jo...@debian.org http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/
Bug#685281: denial of service via many headers
Package: tinyproxy
Severity: serious
Tags: security patch

Hi Jordi,

A Denial of Service attack has been reported against tinyproxy:
https://bugs.launchpad.net/ubuntu/+source/tinyproxy/+bug/1036985
https://banu.com/bugzilla/show_bug.cgi?id=110#c2

Can you please see to it that this gets addressed in unstable
(and by extension wheezy)?

Please use CVE-2012-3505 to refer to this issue.

Thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash