Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 710514 (CVE-2020-6750) - <dev-libs/glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient may lead to proxy being ignored (CVE-2020-6750)
Summary: <dev-libs/glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient ma...
Status: RESOLVED FIXED
Alias: CVE-2020-6750
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-22 18:27 UTC by Mart Raudsepp
Modified: 2020-05-04 01:24 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/glib-2.60.7-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mart Raudsepp gentoo-dev 2020-02-22 18:27:00 UTC
Copy-paste from distributor-list from 7th Feb:

Sender:	Michael Catanzaro <mcatanzaro@gnome.org>
To:	distributor-list@gnome.org, oss-security@lists.openwall.com
Subject:	 CVE-2020-6750: GSocketClient sometimes ignores proxy settings
Date:	Fri, 07 Feb 2020 14:33:09 -0600 (07.02.2020 22:33:09)

Hi,

It was discovered that GLib's GSocketClient, since GLib 2.60, will 
sporadically ignore its configured proxy settings and improperly 
connect directly to the target server, bypassing the configured proxy 
server [1]. This has been assigned CVE-2020-6750. Credit to lovetox for 
the discovery.

This affects GLib 2.60 and 2.62. GLib versions 2.58 and earlier are 
unaffected. A patch fixing this and related issues is available at [2].

Because GSocketClient is widely used by Linux desktop applications, 
including applications that use it only indirectly via libraries like 
libsoup or GStreamer, the number of affected applications is likely 
large.

This bug may be difficult to notice because it is timing-dependent and 
does not occur under favorable network conditions. That is, if users 
test to ensure a network proxy is properly configured, it is likely to 
work properly during testing, but nonetheless still sporadically fail 
at other times, leaving users with a false sense of security.

Michael

[1] https://gitlab.gnome.org/GNOME/glib/issues/1989
[2] https://gitlab.gnome.org/GNOME/glib/merge_requests/1339.patch
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-02-23 12:19:23 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-24 09:02:58 UTC
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-24 10:05:03 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-24 11:28:24 UTC
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-24 11:32:55 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-24 11:44:16 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 12:50:45 UTC
x86 stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-02-25 00:10:44 UTC
CVE-2020-6750 (https://nvd.nist.gov/vuln/detail/CVE-2020-6750):
  GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly
  to a target address instead of connecting via a proxy server when configured
  to do so, because the proxy_addr field is mishandled. This bug is
  timing-dependent and may occur only sporadically depending on network
  delays. The greatest security relevance is in use cases where a proxy is
  used to help with privacy/anonymity, even though there is no technical
  barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-05 12:49:41 UTC
arm stable
Comment 10 Mart Raudsepp gentoo-dev 2020-03-12 14:12:09 UTC
arm64 stable
Comment 11 Rolf Eike Beer 2020-04-16 19:24:56 UTC
hppa stable
Comment 12 Sam James gentoo-dev Security 2020-04-16 19:26:04 UTC
@maintainer(s), please cleanup