Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 741538 (CVE-2020-25219, CVE-2020-26154) - <net-libs/libproxy-0.4.16: Multiple vulnerabilities (CVE-2020-{25219,26154})
Summary: <net-libs/libproxy-0.4.16: Multiple vulnerabilities (CVE-2020-{25219,26154})
Status: RESOLVED FIXED
Alias: CVE-2020-25219, CVE-2020-26154
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/libproxy/libproxy/...
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-09-10 16:30 UTC by John Helmert III
Modified: 2021-01-01 00:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-09-10 16:30:20 UTC
CVE-2020-25219:

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.


Issue: https://github.com/libproxy/libproxy/issues/134
Patch: https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa
Comment 1 Sam James archtester gentoo-dev Security 2020-09-30 19:28:06 UTC
CVE-2020-26154

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header.

PR (not yet merged): https://github.com/libproxy/libproxy/pull/126
Comment 2 Sam James archtester gentoo-dev Security 2020-11-16 18:51:32 UTC
(In reply to Sam James from comment #1)
> CVE-2020-26154
> 
> url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is
> enabled, as demonstrated by a large PAC file that is delivered without a
> Content-length header.
> 
> PR (not yet merged): https://github.com/libproxy/libproxy/pull/126

Merged: https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8

Maintainer(s), let's take a snapshot?
Comment 3 Sam James archtester gentoo-dev Security 2020-11-24 10:36:33 UTC
(In reply to Sam James from comment #2)
> (In reply to Sam James from comment #1)
> > CVE-2020-26154
> > 
> > url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is
> > enabled, as demonstrated by a large PAC file that is delivered without a
> > Content-length header.
> > 
> > PR (not yet merged): https://github.com/libproxy/libproxy/pull/126
> 
> Merged:
> https://github.com/libproxy/libproxy/commit/
> 6d342b50366a048d3d543952e2be271b5742c5f8
> 
> Maintainer(s), let's take a snapshot?

Thoughts?
Comment 4 Sam James archtester gentoo-dev Security 2020-12-04 14:24:00 UTC
Even better. 0.4.16 is out with these fixes.
Comment 5 Larry the Git Cow gentoo-dev 2020-12-15 04:50:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=60e59f03b62e262dc5056d77fadb9cfe321e06c6

commit 60e59f03b62e262dc5056d77fadb9cfe321e06c6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-12-15 04:50:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-12-15 04:50:17 +0000

    net-libs/libproxy: security bump to 0.4.16
    
    Bug: https://bugs.gentoo.org/741538
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libproxy/Manifest                         |  1 +
 .../files/libproxy-0.4.16-avoid-nm-build-dep.patch | 85 ++++++++++++++++++++++
 net-libs/libproxy/libproxy-0.4.16.ebuild           | 81 +++++++++++++++++++++
 3 files changed, 167 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2020-12-17 07:59:13 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-12-17 11:41:21 UTC
arm done
Comment 8 Sam James archtester gentoo-dev Security 2020-12-17 11:54:25 UTC
amd64 done
Comment 9 Sergei Trofimovich gentoo-dev 2020-12-18 10:40:57 UTC
ppc64 stable
Comment 10 Sergei Trofimovich gentoo-dev 2020-12-18 10:48:42 UTC
ppc stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-12-20 16:41:20 UTC
x86 stable
Comment 12 Sergei Trofimovich gentoo-dev 2020-12-22 20:04:29 UTC
sparc stable
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-12-23 01:08:10 UTC
GLSA vote: no
Comment 14 NATTkA bot gentoo-dev 2020-12-31 01:41:05 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2020-12-31 01:53:02 UTC
Sanity check failed:

> net-libs/libproxy-0.4.16-r1
>   depend hppa stable profile default/linux/hppa/17.0 (3 total)
>     dev-lang/spidermonkey:68
>   rdepend hppa stable profile default/linux/hppa/17.0 (3 total)
>     dev-lang/spidermonkey:68
Comment 16 Matt Turner gentoo-dev 2020-12-31 16:52:13 UTC
hppa -> ~hppa

all arches done
Comment 17 John Helmert III gentoo-dev Security 2020-12-31 18:07:53 UTC
Please cleanup.
Comment 18 Larry the Git Cow gentoo-dev 2021-01-01 00:22:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=010d992874cfb87e8f32d610f4ea18f1a169eb13

commit 010d992874cfb87e8f32d610f4ea18f1a169eb13
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-31 18:15:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-01 00:21:50 +0000

    net-libs/libproxy: security cleanup (drop <0.4.16)
    
    Bug: https://bugs.gentoo.org/741538
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18889
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libproxy/Manifest                         |   1 -
 .../libproxy/files/libproxy-0.4.15-gcc-11.patch    | 118 ---------------------
 .../files/libproxy-0.4.15-mozjs-52-1.patch         | 101 ------------------
 .../files/libproxy-0.4.15-mozjs-52-2.patch         |  23 ----
 .../files/libproxy-0.4.15-python-3.7.patch         |  23 ----
 net-libs/libproxy/libproxy-0.4.15-r1.ebuild        |  85 ---------------
 net-libs/libproxy/libproxy-0.4.15-r2.ebuild        |  86 ---------------
 7 files changed, 437 deletions(-)
Comment 19 John Helmert III gentoo-dev Security 2021-01-01 00:38:58 UTC
Tree is clean, noglsa, all done.