SB2019123152 - Out-of-bounds read in squid (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2019-12529)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when parsing username in the Proxy-Authorization header during HTTP Basic authentication. A remote attacker can send specially crafted request to the Squid proxy server and retrieve parts of memory contents, if the Squid maintainer had configured the display of usernames on error pages.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=a2e4a10786598b2f40879a608a3090b4f1242065
• https://git.alpinelinux.org/aports/commit/?id=5939764637ce88b8d0018618969d3a1180a40316