FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2012-3501

This CVE name corresponds to:

Entered: 2012-08-25
Topic: squidclamav -- Denial of Service

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2012-3501
Phase: Assigned (20120614)

Description

The squidclamav_check_preview_handler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service (daemon crash) via a URL with certain characters, as demonstrated using %0D or %0A.
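The defect class the description names, a URL spliced unescaped into a command line that a shell parses, can be illustrated with a small added example. This is not SquidClamav's code and does not reproduce squidclamav.c; the function names, the use of /bin/true as a stand-in scanner and the sample URLs are all constructed here. It contrasts the weak pattern (building a shell command string from the URL, where an already-decoded %0D/%0A breaks the line) with a hardened form that rejects control bytes and then runs the scanner through fork()/execv() with a fixed argv, so no shell ever sees the URL.

```c
/* Added example, not from SquidClamav: weak shell-string pattern beside a
 * no-shell replacement. Assumes the URL has already been percent-decoded,
 * which is when a %0D/%0A becomes a raw CR/LF byte. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the (decoded) URL contains CR, LF or any other control byte. */
int url_has_control_chars(const char *url) {
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (iscntrl(*p)) return 1;
    }
    return 0;
}

/* Weak pattern, shown only for contrast and deliberately never executed:
 * the URL is concatenated into a command line destined for system(). A CR/LF
 * inside it survives into the string, so the shell would read the bytes
 * after it as a separate command line. Returns 0 on success, -1 if truncated. */
int build_shell_command_unsafe(const char *scanner, const char *url,
                               char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s %s", scanner, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened form: validate, then exec the scanner directly with a fixed argv.
 * The URL travels as a single argument and is never parsed by a shell.
 * Returns the scanner's exit status, or -1 on validation or spawn failure. */
int scan_url_safe(const char *scanner_path, const char *url) {
    if (url_has_control_chars(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)scanner_path, (char *)url, NULL };
        execv(scanner_path, argv);
        _exit(127); /* exec failed; report distinctly */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: a clean URL and one carrying decoded CR/LF. */
    const char *clean = "http://example.com/file.bin";
    const char *crlf  = "http://example.com/file.bin\r\nsecond-line";
    char cmd[256];

    build_shell_command_unsafe("/bin/true", crlf, cmd, sizeof cmd);
    printf("unsafe string keeps the line break: %s\n",
           strchr(cmd, '\n') ? "yes" : "no");

    /* /bin/true stands in for the real scanner so the example runs anywhere. */
    printf("clean URL scan status: %d\n", scan_url_safe("/bin/true", clean));
    printf("CR/LF URL scan status: %d (rejected)\n", scan_url_safe("/bin/true", crlf));
    return 0;
}
```

Rejecting control bytes addresses the crash the advisory describes, but the durable fix is the second half: handing the URL to the scanner as an argv element removes the shell from the path entirely, so no escaping table has to be kept complete.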

References

Source: Reference
MLIST [oss-security] 20120816 CVE Request: SquidClamav insufficient escaping flaws
MLIST [oss-security] 20120816 Re: CVE Request: SquidClamav insufficient escaping flaws
MISC https://bugs.gentoo.org/show_bug.cgi?id=428778
CONFIRM http://freecode.com/projects/squidclamav/releases/346722
CONFIRM http://squidclamav.darold.net/news.html
CONFIRM https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00
BID 54663
OSVDB 84138
SECUNIA 49057