Debian Bug report logs - #627503
Validate Port directive value


Package: tinyproxy; Maintainer for tinyproxy is Ed Boraas <ed@debian.org>; Source for tinyproxy is src:tinyproxy.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 21 May 2011 09:48:02 UTC

Severity: important

Fixed in versions tinyproxy/1.8.2-2, tinyproxy/1.8.3-1, tinyproxy/1.8.2-1squeeze2

Done: Jordi Mallach <jordi@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>:
Bug#627503; Package tinyproxy. (Sat, 21 May 2011 09:48:05 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ed Boraas <ed@debian.org>. (Sat, 21 May 2011 09:48:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-1843
Date: Sat, 21 May 2011 11:46:16 +0200
Package: tinyproxy
Severity: grave
Tags: security

Hi,
the following vulnerability has been reported in tinyproxy:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1843

https://banu.com/bugzilla/show_bug.cgi?id=90
https://banu.com/cgit/tinyproxy/diff/?id=97b9984484299b2ce72f8f4fc3706dab8a3a8439

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#627503; Package tinyproxy. (Sat, 21 May 2011 16:36:02 GMT)

Acknowledgement sent to Jordi Mallach <jordi@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Sat, 21 May 2011 16:36:02 GMT)

Message #10 received at 627503@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 627503@bugs.debian.org
Subject: Re: Bug#627503: CVE-2011-1843
Date: Sat, 21 May 2011 18:26:34 +0200
Hi Moritz,

I can see
https://banu.com/cgit/tinyproxy/diff/?id=e8426f6662dc467bd1d827100481b95d9a4a23e4
fixing a security issue, which we fixed in DSA 2222, but I can't see how the other issue,

> https://banu.com/cgit/tinyproxy/diff/?id=97b9984484299b2ce72f8f4fc3706dab8a3a8439

regarding a bug in the handling of port numbers, should be marked as "security".

What's your opinion?

https://banu.com/bugzilla/show_bug.cgi?id=90 does mention this commit, but
it's treated as a "sub issue" uncovered by the reporter.

In short, my view is that if you set an invalid port in the config, TP
does not do the right thing, but that does not warrant a DSA or a CVE. I
think there's some confusion with CVE-2011-1843.

Jordi
-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/




Bug Marked as fixed in versions tinyproxy/1.8.2-2. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Tue, 03 Jan 2012 08:33:03 GMT)

Bug Marked as fixed in versions tinyproxy/1.8.3-1. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Tue, 03 Jan 2012 08:33:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Ed Boraas <ed@debian.org>:
Bug#627503; Package tinyproxy. (Tue, 03 Jan 2012 08:54:03 GMT)

Acknowledgement sent to Jordi Mallach <jordi@debian.org>:
Extra info received and forwarded to list. Copy sent to Ed Boraas <ed@debian.org>. (Tue, 03 Jan 2012 08:54:03 GMT)

Message #19 received at 627503@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 627503@bugs.debian.org
Subject: Downgrading/untagging
Date: Tue, 3 Jan 2012 09:50:46 +0100
severity 627503 important
tag 627503 - security
retitle 627503 Validate Port directive value
thanks

A small summary of what's going on with this:

- The Debian security team does not consider this to be a security issue
  as tinyproxy's configuration file is under the control of the admin, and
  an exploit needs changing the Port value to something that can trigger a
  buffer overflow.

- This was fixed anyway in a Debian patch in 1.8.2-2, which is currently
  in testing and unstable.

- 1.8.3-1, recently uploaded to unstable, is the first upstream release to
  officially include this fix.

- We're uploading 1.8.2squeeze2 to stable so the fix appears in the next
  point release anyway, via the normal t-p-u path.

Thanks,
Jordi
-- 
Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
jordi@sindominio.net     jordi@debian.org     http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/
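The summary above turns on one point: a Port value that is never range-checked. The block below is an added example written for this page; it is not tinyproxy's code, not the Debian validate_port_number.patch, and the function names are my own. It places a strict parser for a "Port <n>" directive beside an unchecked atoi() version, then shows what the values the strict parser rejects turn into downstream: 16-bit truncation to a different port, and a decimal representation wider than a buffer sized for a valid port. The width check is a general illustration of how an unvalidated integer feeds a fixed-size buffer, not a description of the specific overflow in tinyproxy, which the bug log does not detail.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Strictly parse the value of a "Port <n>" configuration line.
 * Accepts only an unsigned decimal number in 1..65535, optionally followed
 * by whitespace. Rejects empty strings, a leading sign or space (strtol
 * would silently accept both), trailing junk and out-of-range values.
 * Returns 0 and stores the port in *out on success, -1 otherwise. */
int parse_port_directive(const char *value, int *out)
{
    char *end;
    long n;

    if (value == NULL || !isdigit((unsigned char)value[0]))
        return -1;                  /* "", "-1", "+80", " 80" */

    errno = 0;
    n = strtol(value, &end, 10);
    if (errno == ERANGE)
        return -1;                  /* digit string longer than a long */

    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return -1;                  /* "80abc", "80 90" */

    if (n < 1 || n > 65535)
        return -1;                  /* "0", "65536", "99999" */

    *out = (int)n;
    return 0;
}

/* Convenience wrapper: the validated port, or -1 if the value is rejected. */
int strict_port_value(const char *value)
{
    int port;
    return parse_port_directive(value, &port) == 0 ? port : -1;
}

/* The unchecked counterpart: whatever atoi() yields is accepted,
 * including 0, negative numbers, values above 65535 and "80abc" -> 80. */
int parse_port_naive(const char *value)
{
    return atoi(value);
}

/* What an out-of-range int becomes once squeezed into the 16 bits of a TCP
 * port (as htons() does): 65536 -> 0, -1 -> 65535. The daemon would then
 * bind a port the administrator never wrote in the config. */
unsigned short port_as_uint16(int port)
{
    return (unsigned short)port;
}

/* Characters that "%d" needs for the value, NUL excluded. A valid port fits
 * in 5; 100000 needs 6 and INT_MIN needs 11, so a buffer sized for a valid
 * port is exactly the kind of target an unvalidated value can overrun.
 * (Hypothetical buffer, for illustration only.) */
int port_decimal_width(int port)
{
    return snprintf(NULL, 0, "%d", port);
}

int main(void)
{
    /* Constructed sample directive values; none come from a real config. */
    const char *samples[] = { "8888", "3128 ", "0", "65536", "-1", "80abc", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int naive = parse_port_naive(samples[i]);
        printf("%-8s strict=%-6d naive=%-11d as_uint16=%-5u width=%d\n",
               samples[i], strict_port_value(samples[i]), naive,
               port_as_uint16(naive), port_decimal_width(naive));
    }
    printf("INT_MIN width=%d\n", port_decimal_width(INT_MIN));
    return 0;
}
```

Compile with `cc -std=c99 -Wall port_directive.c` and run it to see each sample value side by side. The strict parser is the one an admin-controlled config still deserves: a typo in Port should fail at startup with a clear error rather than bind port 0 or feed an 11-character negative number into code that expected at most 5 digits.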

Severity set to 'important' from 'grave'. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Tue, 03 Jan 2012 08:54:05 GMT)

Removed tag(s) security. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Tue, 03 Jan 2012 08:54:05 GMT)

Changed Bug title to 'Validate Port directive value' from 'CVE-2011-1843'. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. (Tue, 03 Jan 2012 08:54:07 GMT)

Reply sent to Jordi Mallach <jordi@debian.org>:
You have taken responsibility. (Wed, 11 Jan 2012 21:51:10 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 11 Jan 2012 21:51:10 GMT)

Message #30 received at 627503-close@bugs.debian.org:

From: Jordi Mallach <jordi@debian.org>
To: 627503-close@bugs.debian.org
Subject: Bug#627503: fixed in tinyproxy 1.8.2-1squeeze2
Date: Wed, 11 Jan 2012 21:49:54 +0000
Source: tinyproxy
Source-Version: 1.8.2-1squeeze2

We believe that the bug you reported is fixed in the latest version of
tinyproxy, which is due to be installed in the Debian FTP archive:

tinyproxy_1.8.2-1squeeze2.debian.tar.bz2
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze2.debian.tar.bz2
tinyproxy_1.8.2-1squeeze2.dsc
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze2.dsc
tinyproxy_1.8.2-1squeeze2_amd64.deb
  to main/t/tinyproxy/tinyproxy_1.8.2-1squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627503@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jordi Mallach <jordi@debian.org> (supplier of updated tinyproxy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 02 Jan 2012 15:05:27 +0100
Source: tinyproxy
Binary: tinyproxy
Architecture: source amd64
Version: 1.8.2-1squeeze2
Distribution: stable
Urgency: low
Maintainer: Ed Boraas <ed@debian.org>
Changed-By: Jordi Mallach <jordi@debian.org>
Description: 
 tinyproxy  - A lightweight, non-caching, optionally anonymizing http proxy
Closes: 627503
Changes: 
 tinyproxy (1.8.2-1squeeze2) stable; urgency=low
 .
   * Add validate_port_number.patch: validate port number specified in Port
     directive, to avoid possible buffer overflows that could allow for
     access restriction bypasses [CVE-2011-1843] (closes: #627503).
     As the configuration file is under the control of the admin, this is
     not considered a security issue.
Checksums-Sha1: 
 45dcc74d167571562fd98b386ca1dd34819b523e 1295 tinyproxy_1.8.2-1squeeze2.dsc
 6e1ce865e82ad07e540be89d5e6c6bc75489d42b 202931 tinyproxy_1.8.2.orig.tar.bz2
 74a3c69ff9da5347ab209f316bfcc445ecc3c116 12930 tinyproxy_1.8.2-1squeeze2.debian.tar.bz2
 96d92578c98e59332d873aae444733f794bf28c2 86704 tinyproxy_1.8.2-1squeeze2_amd64.deb
Checksums-Sha256: 
 5dea0b59ea7e49430c32a40b4a30539236eb46b74c1ea987a3e8d9e9939a4036 1295 tinyproxy_1.8.2-1squeeze2.dsc
 7e9b831f40c4497db114c4edbf3300976e66ab7a47c2f42de8345c103c92f838 202931 tinyproxy_1.8.2.orig.tar.bz2
 b7882ccbbaebfc35a8fb7af333aed08237a26b765f95aa52bc5ff273f08acd96 12930 tinyproxy_1.8.2-1squeeze2.debian.tar.bz2
 1ef361de21227232eb2bdb2483ea9145b2583f74548b7b0380976982e387c3e1 86704 tinyproxy_1.8.2-1squeeze2_amd64.deb
Files: 
 ed746e7426134ff147edef13ae2e9db5 1295 web optional tinyproxy_1.8.2-1squeeze2.dsc
 edc8502193cfed4974d6a770da173755 202931 web optional tinyproxy_1.8.2.orig.tar.bz2
 242676d1d2a3a263c8a16e99b8052c1f 12930 web optional tinyproxy_1.8.2-1squeeze2.debian.tar.bz2
 5fbd0c3187f7a45e9bece518995a4fad 86704 web optional tinyproxy_1.8.2-1squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8F3z8ACgkQJYSUupF6Il5HYACg7rKMzewNoywP4SnM+I2JxY2d
trEAoKv/fFIy0IsbMwsYDc+zrKURm7O5
=KDHn
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Feb 2012 07:34:02 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 05:18:16 2014; Machine Name: beach.debian.org
