Out-of-Bounds Affecting squid-debuginfo package, versions <7:3.5.20-17.amzn2.7.10


Severity

Recommended
critical

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.54% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-SQUIDDEBUGINFO-6037078
  • published27 Oct 2023
  • disclosed11 Jul 2019

Introduced: 11 Jul 2019

CVE-2019-12529  (opens in a new tab)
CWE-119  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 squid-debuginfo to version 7:3.5.20-17.amzn2.7.10 or higher.
This issue was patched in ALAS2-2023-2318.

NVD Description

Note: Versions mentioned in the description apply only to the upstream squid-debuginfo package and not the squid-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

CVSS Scores

version 3.1