Thoughts on CVE-2020-15049/squid3?

To: debian-lts@lists.debian.org
Subject: Thoughts on CVE-2020-15049/squid3?
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 25 Sep 2020 15:25:09 -0400
Message-id: <[🔎] 20200925192509.GB3179@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org

Hello fellow LTS people,

I am working on an update for the squid3 package.  At this time there
are 4 open CVEs, of which 3 have patches that apply with little or no
change required.  However, the patch for CVE-2020-15049 does not apply
at all.

Based on the commit message and an examination of the content of the
patch, it does not appear feasible to fix CVE-2020-15049.  Here is a
bullet-formatted summary of my findings:

- The patch (upstream commit ea12a34) indicates that the change
  essentially completes a fix that was begun in an earlier commit
  (upstream commit a1b9ec2)
- The prior commit referenced in the patch (upstream commit a1b9ec2)
  itself refactors a substantial amount of code; the associated commit
  message indicates that the change fixed numerous defects with regards
  to squid's handling of invalid Content-Length header values
- There are changes between a1b9ec2 and ea12a34 which would necessitate
  adapting ea12a34 to some degree
- The changes introduced in a1b9ec2 also depend on code which was itself
  introduced in an earlier commit as a refactor of yet a previous
  version of said code
- By my reckoning, the state of the code in the current squid3 package
  (based on upstream version 3.5.23) has undergone at least 4
  substantial changes leading to the fix for CVE-2020-15049
- An alternate approach would be to develop an entirely new fix for
  CVE-2020-15049 based on the current state of the squid3 package; given
  the history of the code this will likely leave many exploitable
  vulnerabilities related to Content-Length handling

Based on the above findings, I am inclined to triage CVE-2020-15049 as
<ignored>:

[stretch] - squid3 <ignored> (complete fix is too invasive to backport)

There appears to be precedent for taking this approach when a fix is far
too invasive and where there does not appear to be an alternate approach
to address the vulnerability.

Unless there are any serious objections in the next few days I will
proceed with uploading the update I have prepared and will update the
security tracker entry as I have described.  (Note: the same applies
both for the package in stretch LTS and in jessie ELTS.)

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Thoughts on CVE-2020-15049/squid3?
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Re: rails update
Next by Date: Re: Thoughts on CVE-2020-15049/squid3?
Previous by thread: Re: rails update
Next by thread: Re: Thoughts on CVE-2020-15049/squid3?
Index(es):
- Date
- Thread