Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2019-12527

An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.

Related bugs and status

CVE-2019-12527 (Candidate) is related to these bugs:

Bug #1835831: FTBFS: gcc9 stringop-truncation and others

Summary				In	Importance	Status
	1835831	FTBFS: gcc9 stringop-truncation and others		squid (Ubuntu)	High	Fix Released
	1835831	FTBFS: gcc9 stringop-truncation and others		Squid	Unknown	Unknown

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.squid-cache...
CONFIRM: http://www.squid-cache...
CONFIRM: https://github.com/squ...
BID: 109143
UBUNTU: USN-4065-1
FEDORA: FEDORA-2019-cb50bcc189
DEBIAN: DSA-4507
BUGTRAQ: 20190825 [SECURITY] [D...
REDHAT: RHSA-2019:2593
SUSE: openSUSE-SU-2019:2540
SUSE: openSUSE-SU-2019:2541