Re: Re: CVE Request -- Polipo -- Assertion failure by processing certain HTTP POST / PUT requests

[Julien Cristau <jcristau () debian org>]

On Fri, Oct  7, 2011 at 10:11:10 -0600, Vincent Danen wrote:

> * [2011-10-06 18:37:01 +0200] Juliusz Chroboczek wrote:
>
> > >  a denial of service flaw was found in the way Polipo, a lightweight
> > > caching web proxy, processed certain HTTP POST / PUT requests. If
> > > polipo was configured to allow remote client connections and particular
> > > host was allowed to connect to polipo server instance, a remote
> > > attacker could use this flaw to cause denial of service (polipo daemon
> > > abort due to assertion failure) via specially-crafted HTTP POST / PUT
> > > request.
> >
> > Yes, this is a known bug with Polipo 1.0.4 and 1.0.4.1.  I believe that
> > it is fixed in the Git trunk, which is unfortunately not ready to be
> > released (and might never be unless a maintainer is found).
>
> Do you have a link to the commit, or a commit id?  I can't see anything
> on github that looks relevant or recent.
>
> We do ship this in Fedora, so it would be nice to have the patch that we
> could apply to what we are already shipping if no releases are
> forthcoming.
git bisect using the PoC from the RH bug suggests that was fixed by
https://gitweb.torproject.org/chrisd/polipo.git/commitdiff/0e2b44af619e46e365971ea52b97457bc0778cd3

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature