CVE-2011-3205
published 2011-09-06

Priority: P3 41 · medium
CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 27.45% (97.8th percentile)

Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.

Affected

70 ranges · showing 25

Vendor         Product   Version range   Fixed in
debian         squid     (not captured)  (not captured)
squid-cache    squid     (not captured)  (not captured)   [24 rows]

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by a Gopher server response containing a line longer than 4096 bytes, causing a buffer overflow in the gopherToHTML function in gopher.cc of Squid's Gopher reply parser.
  • An attacker can set up a rogue Gopher server and route traffic through Squid to exploit this; monitor for unusual Gopher protocol traffic (TCP port 70) being proxied through Squid.
  • The vulnerable code path is in the gopherToHTML function within gopher.cc; look for Squid daemon restarts (memory corruption crash) as an indicator of exploitation attempts.
  • The overflow occurs via the memcpy into gopherState->buf when a long line is split across large packets; the unsafe copy is: memcpy(gopherState->buf + gopherState->len, pos, llen) without adequate bounds checking.
  • Only Squid 3.x is vulnerable (3.0 before 3.0.STABLE26, 3.1 before 3.1.15, 3.2 before 3.2.0.11); Squid 2.x has a related parsing bug but does NOT have the buffer overflow due to a smaller read buffer size.
  • Red Hat Enterprise Linux 4 and 5 ship Squid 2.x and are NOT affected; only RHEL 6 (Squid 3.x) required patching.
  • The vulnerability is a regression of CVE-2005-0094 introduced in Squid 3.x due to an increased packet read buffer size (read_sz) in gopherReadReply.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_debian             5.0     LOW
vendor_redhat             5.0     MEDIUM