oss-sec mailing list archives

Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests

From: Juliusz Chroboczek <jch () pps jussieu fr>
Date: Thu, 06 Oct 2011 18:37:01 +0200

  a denial of service flaw was found in the way Polipo, a lightweight
caching web proxy, processed certain HTTP POST / PUT requests. If
polipo was configured to allow remote client connections and particular
host was allowed to connect to polipo server instance, a remote
attacker could use this flaw to cause denial of service (polipo daemon
abort due to assertion failure) via specially-crafted HTTP POST / PUT
request.


Yes, this is a known bug with Polipo 1.0.4 and 1.0.4.1.  I believe that
it is fixed in the Git trunk, which is unfortunately not ready to be
released (and might never be unless a maintainer is found).

At any rate, I do not recommend running Polipo as a publicly accessible
proxy.  While I have made reasonable efforts to ensure that this is
safe, Polipo was not designed for that.

Regards,

-- Juliusz

Current thread:

CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Jan Lieskovsky (Oct 03)
- Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Josh Bressers (Oct 04)
- Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Juliusz Chroboczek (Oct 06)
  - Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Vincent Danen (Oct 07)
    - Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Julien Cristau (Oct 07)
    - Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests Julien Cristau (Oct 07)