FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squidclamav -- Denial of Service

Affected packages
squidclamav < 5.7_1
6.0 <= squidclamav < 6.7

Details

VuXML ID 8defa0f9-ee8a-11e1-8bd8-0022156e8794
Discovery 2012-07-24
Entry 2012-08-25
Modified 2012-09-04

SquidClamav developers report:

Add a workaround for a squidGuard bug that unescapes the URL and sends it back unescaped. This results in garbage staying in the pipe of the system command call and could crash squidclamav on the next read or return false information. This is especially true with URLs containing the %0D or %0A character.

This vulnerability can be triggered only in configurations where an external chained URL checker is configured via the "squidguard" directive.
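
The stale-pipe effect described above, shown as an added simulation; it is not code from squidclamav or squidGuard. The helper model (one request line in, the unescaped URL echoed back), the sample URLs and the `%25` re-escaping are assumptions made for illustration, not the project's actual workaround.

```python
import re
from collections import deque
from urllib.parse import unquote

# Constructed sample input: the first URL carries an escaped line feed.
SAMPLE_URLS = ["http://example.test/a%0Ab", "http://example.test/clean"]

# Escaped CR / LF sequences that turn into raw line breaks once unescaped.
CRLF_ESCAPE = re.compile(r"%0[AaDd]")


class FakeChainedChecker:
    """Hypothetical stand-in for a line-oriented URL checker that
    unescapes each request and sends it back unescaped."""

    def __init__(self):
        self.pipe = deque()  # reply lines not yet read by the caller

    def write(self, line):
        reply = unquote(line.rstrip("\n")) + "\n"
        # A raw LF inside the URL splits one reply into several lines.
        for part in reply.split("\n")[:-1]:
            self.pipe.append(part + "\n")

    def readline(self):
        return self.pipe.popleft() if self.pipe else ""


def ask(helper, url, neutralise):
    """Send one URL and read exactly one reply line, as a caller that
    expects one line per request would."""
    if neutralise:
        # Re-escape the percent sign so the helper's single unescape
        # yields the literal text "%0A" instead of a line break.
        url = CRLF_ESCAPE.sub(lambda m: "%25" + m.group(0)[1:], url)
    helper.write(url + "\n")
    return helper.readline().rstrip("\n")


def run_session(urls, neutralise):
    """Return the reply seen for each URL and the lines left in the pipe."""
    helper = FakeChainedChecker()
    replies = [ask(helper, u, neutralise) for u in urls]
    return replies, len(helper.pipe)


if __name__ == "__main__":
    print("naive:   ", run_session(SAMPLE_URLS, neutralise=False))
    print("hardened:", run_session(SAMPLE_URLS, neutralise=True))
```

In the naive run the second, clean request is answered with the leftover fragment of the first reply, which is the "false information" case; with the escapes neutralised each request gets its own reply and the pipe ends empty.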

References

CVE Name CVE-2012-3501
URL http://squidclamav.darold.net/news.html