squid-2066

Version:

2.6.STABLE13 (fixed in 2.6.STABLE15; the patch below is against 2.6.STABLE14, which is affected as well)

Bug link:

http://bugs.squid-cache.org/show_bug.cgi?id=2066

How it is diagnosed (reproduced or source analysis)?

We did not reproduce the failure; we only analyzed the source code and the patch.

Symptom:

Squid called chroot() without a following chdir(). chroot(2) changes only the process's root directory; the current working directory stays wherever it was. If that directory lies outside the new root, relative paths such as ../etc/passwd are resolved from it and walk straight out of the jail, so any code running in the supposedly confined process (for example after a compromise) can still reach the host filesystem. Calling chdir("/") immediately after chroot() moves the working directory inside the jail and closes the hole.

FYI: http://www.linuxsecurity.com/content/view/117632/49/
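
The following program is an added example written for this page; it is not Squid's code. It shows the vulnerable sequence (chroot() alone, cwd left outside), the corrected sequence (chroot() then chdir("/")), and a post-condition check that a daemon can run after entering a jail. The helper names enter_jail_broken, enter_jail, cwd_is_root and the JAIL_* status codes are ours; the jail directory under /tmp is constructed for the demo. The escape demonstration in main() needs CAP_SYS_CHROOT (run it as root); the helpers themselves work unprivileged.

```c
/* Added example, not Squid's code: chroot() without chdir("/") leaves the
 * cwd outside the jail; "../" from that cwd escapes.  Helper names and the
 * JAIL_* codes are ours (hypothetical).  main() needs root to demonstrate. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum jail_status { JAIL_OK = 0, JAIL_ERR_CHROOT = -1, JAIL_ERR_CHDIR = -2 };

/* The pattern Squid fixed: chroot alone moves the root, not the cwd. */
static int enter_jail_broken(const char *dir)
{
    return chroot(dir) == 0 ? JAIL_OK : JAIL_ERR_CHROOT;
}

/* Correct entry: chroot, then chdir("/") so the cwd is inside the new root.
 * The two steps are reported separately so a failure log names the real
 * cause; errno is left as set by the failing call. */
static int enter_jail(const char *dir)
{
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    return JAIL_OK;
}

/* Post-condition check a daemon can run after entering a jail:
 * 1 if "." and "/" are the same directory (cwd is the root), 0 if not,
 * -1 on stat error.  Needs no privilege. */
static int cwd_is_root(void)
{
    struct stat cwd, root;
    if (stat(".", &cwd) != 0 || stat("/", &root) != 0)
        return -1;
    return (cwd.st_dev == root.st_dev && cwd.st_ino == root.st_ino) ? 1 : 0;
}

/* Demonstration (root only).  The child chroots into an empty directory
 * while its cwd is the real /tmp; the parent never chroots, so it can
 * remove the directory afterwards. */
int main(void)
{
    char jail[] = "/tmp/jail.XXXXXX";          /* constructed jail dir */
    if (mkdtemp(jail) == NULL) { perror("mkdtemp"); return 1; }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); rmdir(jail); return 1; }
    if (pid == 0) {
        if (chdir("/tmp") != 0) { perror("chdir /tmp"); exit(1); }
        if (enter_jail_broken(jail) != JAIL_OK) {
            fprintf(stderr, "chroot(%s): %s (needs CAP_SYS_CHROOT)\n",
                    jail, strerror(errno));
            exit(1);
        }
        printf("cwd is jail root after chroot() alone: %d\n", cwd_is_root());
        /* cwd is still the host's /tmp, so ".." walks out of the jail. */
        int fd = open("../etc/passwd", O_RDONLY);
        printf("open(\"../etc/passwd\") without chdir: %s\n",
               fd >= 0 ? "succeeded, host file opened from inside the jail"
                       : strerror(errno));
        if (fd >= 0) close(fd);

        /* What the Squid patch does: move the cwd inside the new root. */
        if (chdir("/") != 0) { perror("chdir /"); exit(1); }
        printf("cwd is jail root after chdir(\"/\"): %d\n", cwd_is_root());
        fd = open("../etc/passwd", O_RDONLY);   /* ".." at the root stays put */
        printf("open(\"../etc/passwd\") after chdir: %s\n",
               fd >= 0 ? "succeeded" : strerror(errno));
        if (fd >= 0) close(fd);
        exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    rmdir(jail);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root, the first open() succeeds and the second fails with ENOENT, which is the whole bug in two lines. The cwd_is_root() check is cheap enough to leave in production startup code as a guard against the same mistake being reintroduced.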

Root cause:

--- squid-2.6.STABLE14/src/main.c.bak        2007-08-04 11:38:54.457763000 +0300

+++ squid-2.6.STABLE14/src/main.c        2007-08-30 23:38:51.533754967 +0300

@@ -522,7 +522,7 @@ static void

mainInitialize(void)

{

    /* chroot if configured to run inside chroot */

-    if (Config.chroot_dir && chroot(Config.chroot_dir)) {

+    if (Config.chroot_dir && (chroot(Config.chroot_dir) || chdir("/"))) {

        fatal("failed to chroot");

    }

    if (opt_catch_signals) {
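
Review bot: the combined condition on the `+` line reports a chdir("/") failure with the same fatal("failed to chroot") as a chroot() failure, so the log cannot tell which call failed or why. Consider testing the two calls separately and including the errno text, e.g. `if (chdir("/")) fatalf("chdir(\"/\") after chroot failed: %s", xstrerror());`. A one-line comment on the chroot line saying that the chdir("/") is what keeps the working directory inside the new root would also help, since nothing in the hunk explains why the chdir is required.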

Is there any error msg?

No.

Can developers/Errlog anticipate an error msg?

No.