=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN432
_____________________________________________________________________

DATE                      : 23/10/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running squidGuard version 1.3, 1.4.

======================================================================
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091015
http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20091019
______________________________________________________________________

###############################################################################
#                                                                             #
#               Patch 20091015 for squidGuard version 1.3 and 1.4             #
#                                                                             #
###############################################################################


Introduction:
=============

This patch fixes one buffer overflow problem in sgLog.c that occurs when
overlong URLs are requested. SquidGuard will then go into emergency mode, where
no blocking occurs. This is not required in this situation.
The URLs must be built with an overlong sequence of slashes (/).

ATTENTION:  While squidGuard will no longer go into emergency mode when an
overlong URL is passed to it, it is possible to use the overlong URL to
bypass the filter. This vulnerability is not fixed by this patch!
You can check whether this vulnerability is actually being exploited on your
system by checking the logfile squidGuard.log for the following warning
(provided you have not used the option --with-nolog=yes with configure before
compiling squidGuard):

Warning: Possible bypass attempt. Found multiple slashes where only one is expected:
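
The log check described above, as an added example (not part of the squidGuard readme or the CERT-Renater note). The timestamp/PID prefix and the sample lines are constructed, and whatever follows the colon is treated as opaque text in which slash runs are measured.

```python
import re

# Fixed message text quoted in the readme; the text after the colon is not
# specified there, so it is kept as-is and only inspected for slash runs.
WARNING = ("Warning: Possible bypass attempt. "
           "Found multiple slashes where only one is expected:")

def scan_squidguard_log(lines):
    """Return (status, hits); each hit is (line_no, prefix, detail, longest_slash_run)."""
    hits, seen = [], 0
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        seen += 1
        pos = line.find(WARNING)
        if pos < 0:
            continue
        detail = line[pos + len(WARNING):].strip()
        longest = max((len(run) for run in re.findall(r"/+", detail)), default=0)
        hits.append((line_no, line[:pos].strip(), detail, longest))
    if seen == 0:
        # An empty log proves nothing: logging may have been compiled out
        # with --with-nolog=yes, in which case the warning is never written.
        return "no-log-data", hits
    return ("bypass-warnings" if hits else "no-warnings"), hits

# Constructed sample lines (assumed "date time [pid] message" layout).
SAMPLE_LOG = [
    "2009-10-20 09:14:02 [4711] squidGuard 1.4 started",
    "2009-10-20 09:14:02 [4711] squidGuard ready for requests",
    "2009-10-20 09:15:40 [4711] " + WARNING
    + " http://example.test" + "/" * 41 + "x.html",
]

if __name__ == "__main__":
    status, hits = scan_squidguard_log(SAMPLE_LOG)
    print(status)
    for line_no, prefix, detail, longest in hits:
        print(f"line {line_no} {prefix}: longest slash run {longest}")
```

To run it against a real file, pass the open file object for squidGuard.log to `scan_squidguard_log` instead of `SAMPLE_LOG`.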



Patch installation:
===================

Unpack the gzipped tarfile into the directory where your original squidGuard
sources are located. The tarfile consists of the modified source file sgLog.c
and the Readme file you are currently reading.
Recompile your squidGuard with the patched source. Before installing, test
whether the new version meets your requirements. To be on the safe side you may
want to back up your old squidGuard binary before installing the freshly
compiled version.


Contact information:
====================

Please send bug reports to sg-bugs (at) squidguard.org.

____________________________________________________________________________

###############################################################################
#                                                                             #
#               Patch 20091019 for squidGuard version 1.4                     #
#                                                                             #
###############################################################################


Introduction:
=============

This patch fixes two bypass problems with URLs whose length is close to the
limit defined by MAX_BUF (default: 4096) in squidGuard and MAX_URL (default:
4096 in squid 2.x and 8192 in squid 3.x) in squid. For this kind of URL the
proxy request exceeds MAX_BUF, causing squidGuard to complain about not being
able to parse the squid request. Increasing the buffer limit to be higher than
the one defined in MAX_URL solves the issue.

The second problem, too, is related to the definition of these buffer limits.
Once squidGuard finds the parsed URL to be a candidate for blocking, it returns
the block URL defined in the squidGuard configuration. The bypass occurs when
the redirect URL is to contain the information about the original URL. With
URLs close to MAX_URL the final URL exceeds this limit because of this
additional information. The fix truncates the originally requested URL to 2048
bytes.
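
The length arithmetic behind both problems, as an added example (a model written for this note, not squidGuard code). The request layout "URL client ident method", the `%u` placeholder, the block URL, the fgets-style buffer rule and the raised buffer size are assumptions of the example; only the 4096 and 2048 figures come from the readme.

```python
MAX_BUF = 4096         # squidGuard default, per the readme
MAX_URL_SQUID2 = 4096  # squid 2.x default, per the readme
TRUNCATE_AT = 2048     # bytes of the original URL kept by the fix

# Constructed block URL; "%u" marks where the original URL is inserted (assumed).
BLOCK_TEMPLATE = b"http://proxy.example.test/blocked?url=%u"

def request_line(url, client=b"192.0.2.10/-", ident=b"-", method=b"GET"):
    """Assumed redirector input: the URL followed by client, ident and method."""
    return b" ".join([url, client, ident, method]) + b"\n"

def fits_buffer(line, max_buf):
    # Assumes an fgets-style read: max_buf bytes hold max_buf - 1 plus the NUL.
    return len(line) <= max_buf - 1

def redirect_url(orig_url, truncate=None):
    """Block URL carrying the original URL, optionally cut to `truncate` bytes."""
    kept = orig_url if truncate is None else orig_url[:truncate]
    return BLOCK_TEMPLATE.replace(b"%u", kept)

def evaluate(url_len, max_url=MAX_URL_SQUID2):
    prefix = b"http://example.test/"
    url = prefix + b"a" * (url_len - len(prefix))  # constructed, exactly url_len bytes
    line = request_line(url)
    truncated = redirect_url(url, TRUNCATE_AT)
    return {
        "request_bytes": len(line),
        # Problem 1: the extra fields push a near-limit URL past MAX_BUF.
        "parsed_with_default_buf": fits_buffer(line, MAX_BUF),
        # Illustrative larger buffer (not the patch's value), above MAX_URL.
        "parsed_with_raised_buf": fits_buffer(line, max_url + 1024),
        # Problem 2: block URL plus original URL is longer than MAX_URL.
        "redirect_fits_untruncated": len(redirect_url(url)) <= max_url,
        "redirect_fits_truncated": len(truncated) <= max_url,
        "truncated_redirect_bytes": len(truncated),
    }

if __name__ == "__main__":
    for name, value in evaluate(4090).items():
        print(f"{name}: {value}")
```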


Patch installation:
===================

Unpack the gzipped tarfile into the src directory where your original
squidGuard sources are located. The tarfile consists of the patched source
files sg.h.in and sgDiv.c.in, and the Readme file you are currently reading.

Run "configure" with your preferred options and recompile your squidGuard with
the patched source. Before installing, test whether the new version meets your
requirements. To be on the safe side you may want to back up your old squidGuard
binary before installing the freshly compiled version.


Contact information:
====================

Please send bug reports to sg-bugs (at) squidguard.org.

Credits:
========
Thanks to Matthieu BOUTHORS for bringing this issue to our attention.



======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

