CVE-2020-25219: url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

Issue: https://github.com/libproxy/libproxy/issues/134
Patch: https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa
CVE-2020-26154

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.

PR (not yet merged): https://github.com/libproxy/libproxy/pull/126
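The two reports above describe the same failure class: a response reader that lets the peer decide how much work or memory it consumes. As an added example (not libproxy's code or its patches), here is a bounded header-line reader and a bounded body reader in C++, the language of url.cpp; the caps kMaxLine and kMaxBody, the function names and the in-memory wrappers are assumptions.

```cpp
#include <cstddef>
#include <istream>
#include <optional>
#include <sstream>
#include <string>

// Added illustration, not libproxy's code or its patches. A line reader that
// recurses once per byte until '\n' is exhausted by a peer that never sends a
// newline (the CVE-2020-25219 pattern); a fixed-size body buffer overflows on a
// large PAC body sent without Content-Length (the CVE-2020-26154 pattern). Both
// readers below grow a std::string and fail closed at an assumed hard cap.
constexpr std::size_t kMaxLine = 8192;         // assumed cap for one header line
constexpr std::size_t kMaxBody = 1024 * 1024;  // assumed cap for a PAC body

// One line without its "\r\n"; nullopt on EOF before a newline or past max_len.
// Iterative, so a newline-less stream costs at most max_len bytes, never stack.
std::optional<std::string> recvline_bounded(std::istream& in, std::size_t max_len = kMaxLine) {
    std::string line;
    char c;
    while (in.get(c)) {
        if (c == '\n') {
            if (!line.empty() && line.back() == '\r') line.pop_back();
            return line;
        }
        if (line.size() >= max_len) return std::nullopt;  // oversized line: refuse
        line.push_back(c);
    }
    return std::nullopt;  // EOF without newline: incomplete response
}

// Body: exactly content_length bytes when the header was present (checked against
// the cap first), otherwise everything up to EOF but never more than max_body.
std::optional<std::string> recvbody_bounded(std::istream& in, std::optional<std::size_t> content_length,
                                            std::size_t max_body = kMaxBody) {
    if (content_length && *content_length > max_body) return std::nullopt;  // declared size over cap
    std::string body;
    char c;
    while (!(content_length && body.size() == *content_length) && in.get(c)) {
        if (body.size() >= max_body) return std::nullopt;  // no length given and over cap
        body.push_back(c);
    }
    if (content_length && body.size() != *content_length) return std::nullopt;  // truncated body
    return body;
}

// Wrappers over in-memory data; constructed strings stand in for a socket.
std::optional<std::string> recvline_from(const std::string& d) { std::istringstream in(d); return recvline_bounded(in); }
std::optional<std::string> recvbody_from(const std::string& d, std::optional<std::size_t> n) { std::istringstream in(d); return recvbody_bounded(in, n); }
```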
(In reply to Sam James from comment #1)
> CVE-2020-26154
>
> url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is
> enabled, as demonstrated by a large PAC file that is delivered without a
> Content-length header.
>
> PR (not yet merged): https://github.com/libproxy/libproxy/pull/126

Merged: https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8

Maintainer(s), let's take a snapshot?
(In reply to Sam James from comment #2)
> (In reply to Sam James from comment #1)
> > CVE-2020-26154
> >
> > url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is
> > enabled, as demonstrated by a large PAC file that is delivered without a
> > Content-length header.
> >
> > PR (not yet merged): https://github.com/libproxy/libproxy/pull/126
>
> Merged:
> https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8
>
> Maintainer(s), let's take a snapshot?

Thoughts?
Even better. 0.4.16 is out with these fixes.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=60e59f03b62e262dc5056d77fadb9cfe321e06c6

commit 60e59f03b62e262dc5056d77fadb9cfe321e06c6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-15 04:50:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-15 04:50:17 +0000

    net-libs/libproxy: security bump to 0.4.16

    Bug: https://bugs.gentoo.org/741538
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libproxy/Manifest                         |  1 +
 .../files/libproxy-0.4.16-avoid-nm-build-dep.patch | 85 ++++++++++++++++++++++
 net-libs/libproxy/libproxy-0.4.16.ebuild           | 81 +++++++++++++++++++++
 3 files changed, 167 insertions(+)
arm64 done
arm done
amd64 done
ppc64 stable
ppc stable
x86 stable
sparc stable
GLSA vote: no
Unable to check for sanity:

> no match for package: net-libs/libproxy-0.4.16
Sanity check failed:

> net-libs/libproxy-0.4.16-r1
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     dev-lang/spidermonkey:68
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     dev-lang/spidermonkey:68
hppa -> ~hppa all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010d992874cfb87e8f32d610f4ea18f1a169eb13

commit 010d992874cfb87e8f32d610f4ea18f1a169eb13
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-31 18:15:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-01 00:21:50 +0000

    net-libs/libproxy: security cleanup (drop <0.4.16)

    Bug: https://bugs.gentoo.org/741538
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18889
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libproxy/Manifest                      |   1 -
 .../libproxy/files/libproxy-0.4.15-gcc-11.patch | 118 ---------------------
 .../files/libproxy-0.4.15-mozjs-52-1.patch      | 101 ------------------
 .../files/libproxy-0.4.15-mozjs-52-2.patch      |  23 ----
 .../files/libproxy-0.4.15-python-3.7.patch      |  23 ----
 net-libs/libproxy/libproxy-0.4.15-r1.ebuild     |  85 ---------------
 net-libs/libproxy/libproxy-0.4.15-r2.ebuild     |  86 ---------------
 7 files changed, 437 deletions(-)
Tree is clean, noglsa, all done.