NVD Vulnerability Detail

CVE-2012-3501

Summary	The squidclamav_check_preview_handler function in squidclamav.c in SquidClamav 5.x before 5.8 and 6.x before 6.7 passes an unescaped URL to a system command call, which allows remote attackers to cause a denial of service (daemon crash) via a URL with certain characters, as demonstrated using %0D or %0A.
Publication Date	Aug. 25, 2012, 7:29 p.m.
Registration Date	Jan. 28, 2021, 3 p.m.
Last Update	Nov. 21, 2024, 10:41 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://freecode.com/projects/squidclamav/releases/346722
2	http://freecode.com/projects/squidclamav/releases/346722
3	http://secunia.com/advisories/49057	Vendor Advisory
4	http://secunia.com/advisories/49057	Vendor Advisory
5	http://squidclamav.darold.net/news.html	Vendor Advisory
6	http://squidclamav.darold.net/news.html	Vendor Advisory
7	http://www.openwall.com/lists/oss-security/2012/08/16/2
8	http://www.openwall.com/lists/oss-security/2012/08/16/2
9	http://www.openwall.com/lists/oss-security/2012/08/16/4
10	http://www.openwall.com/lists/oss-security/2012/08/16/4
11	http://www.osvdb.org/84138
12	http://www.osvdb.org/84138
13	http://www.securityfocus.com/bid/54663
14	http://www.securityfocus.com/bid/54663
15	https://bugs.gentoo.org/show_bug.cgi?id=428778
16	https://bugs.gentoo.org/show_bug.cgi?id=428778
17	https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00	Exploit Patch
18	https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00	Exploit Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

JVN Vulnerability Information

SquidClamav の squidclamav.c におけるサービス運用妨害 (デーモンクラッシュ) の脆弱性

Title	SquidClamav の squidclamav.c におけるサービス運用妨害 (デーモンクラッシュ) の脆弱性
Summary	SquidClamav の squidclamav.c 内の squidclamav_check_preview_handler 関数は、システムコマンドの呼び出しにエスケープされない URL を渡すため、サービス運用妨害 (デーモンクラッシュ) 状態となる脆弱性が存在します。
Possible impacts	第三者により、特定の文字を含む URL を介した、サービス運用妨害 (デーモンクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 25, 2012, midnight
Registration Date	Aug. 28, 2012, 3:34 p.m.
Last Update	Aug. 28, 2012, 3:34 p.m.

Affected System

Gilles Darold

SquidClamav 5.8 未満の 5.x

SquidClamav 6.7 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-3501	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3501
National Vulnerability Database (NVD)
2	CVE-2012-3501	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3501

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
freecode
1	Version 5.8 of SquidClamAv	http://freecode.com/projects/squidclamav/releases/346722
Gentoo's Bugzilla
2	Bug 428778	https://bugs.gentoo.org/show_bug.cgi?id=428778
GitHub
3	Add a workaround for a squidGuard bug that unescape the URL and send …	https://github.com/darold/squidclamav/commit/80f74451f628264d1d9a1f1c0bbcebc932ba5e00
SquidClamav
4	News	http://squidclamav.darold.net/news.html
5	Top Page	http://squidclamav.darold.net/

Change Log

No	Changed Details	Date of change
0	[2012年08月28日] 掲載	Feb. 17, 2018, 10:37 a.m.