710514 – (CVE-2020-6750) <dev-libs/glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient may lead to proxy being ignored (CVE-2020-6750)

Bug 710514 (CVE-2020-6750) - <dev-libs/glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient may lead to proxy being ignored (CVE-2020-6750)

Summary: <dev-libs/glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient ma...

Status:	RESOLVED FIXED

Alias:	CVE-2020-6750

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2020-02-22 18:27 UTC by Mart Raudsepp
Modified:	2020-05-04 01:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-libs/glib-2.60.7-r2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mart Raudsepp gentoo-dev

2020-02-22 18:27:00 UTC

Copy-paste from distributor-list from 7th Feb:

Sender:	Michael Catanzaro <mcatanzaro@gnome.org>
To:	distributor-list@gnome.org, oss-security@lists.openwall.com
Subject:	 CVE-2020-6750: GSocketClient sometimes ignores proxy settings
Date:	Fri, 07 Feb 2020 14:33:09 -0600 (07.02.2020 22:33:09)

Hi,

It was discovered that GLib's GSocketClient, since GLib 2.60, will 
sporadically ignore its configured proxy settings and improperly 
connect directly to the target server, bypassing the configured proxy 
server [1]. This has been assigned CVE-2020-6750. Credit to lovetox for 
the discovery.

This affects GLib 2.60 and 2.62. GLib versions 2.58 and earlier are 
unaffected. A patch fixing this and related issues is available at [2].

Because GSocketClient is widely used by Linux desktop applications, 
including applications that use it only indirectly via libraries like 
libsoup or GStreamer, the number of affected applications is likely 
large.

This bug may be difficult to notice because it is timing-dependent and 
does not occur under favorable network conditions. That is, if users 
test to ensure a network proxy is properly configured, it is likely to 
work properly during testing, but nonetheless still sporadically fail 
at other times, leaving users with a false sense of security.

Michael

[1] https://gitlab.gnome.org/GNOME/glib/issues/1989
[2] https://gitlab.gnome.org/GNOME/glib/merge_requests/1339.patch

Comment 1 Mikle Kolyada (RETIRED) archtester

2020-02-23 12:19:23 UTC

amd64 stable

Comment 2 Agostino Sarubbo gentoo-dev

2020-02-24 09:02:58 UTC

s390 stable

Comment 3 Agostino Sarubbo gentoo-dev

2020-02-24 10:05:03 UTC

sparc stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-02-24 11:28:24 UTC

ia64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-02-24 11:32:55 UTC

ppc64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-02-24 11:44:16 UTC

ppc stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-02-24 12:50:45 UTC

x86 stable

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2020-02-25 00:10:44 UTC

CVE-2020-6750 (https://nvd.nist.gov/vuln/detail/CVE-2020-6750):
  GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly
  to a target address instead of connecting via a proxy server when configured
  to do so, because the proxy_addr field is mishandled. This bug is
  timing-dependent and may occur only sporadically depending on network
  delays. The greatest security relevance is in use cases where a proxy is
  used to help with privacy/anonymity, even though there is no technical
  barrier to a direct connection. NOTE: versions before 2.60 are unaffected.

Comment 9 Agostino Sarubbo gentoo-dev

2020-03-05 12:49:41 UTC

arm stable

Comment 10 Mart Raudsepp gentoo-dev

2020-03-12 14:12:09 UTC

arm64 stable

Comment 11 Rolf Eike Beer archtester

2020-04-16 19:24:56 UTC

hppa stable

Comment 12 Sam James archtester

2020-04-16 19:26:04 UTC

@maintainer(s), please cleanup