Bug 27302

Summary: libproxy new security issue CVE-2020-25219
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libproxy-0.4.15-4.mga7.src.rpm CVE: CVE-2020-25219
Status comment:

Description David Walser 2020-09-22 19:45:52 CEST 
Debian-LTS has issued an advisory on September 12:
https://www.debian.org/lts/security/2020/dla-2372

Mageia 7 is also affected.
David Walser 2020-09-22 19:46:01 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-09-22 20:22:44 CEST 
Ubuntu has issued an advisory for this on September 17:
https://ubuntu.com/security/notices/USN-4514-1
Comment 2 Lewis Smith 2020-09-22 20:55:19 CEST 
No registered nor evident maintainer for this, so having to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2020-09-23 22:26:34 CEST 
Fedora has issued an advisory for this today (September 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/
David Walser 2020-09-23 22:26:53 CEST

Severity: major => critical

Comment 4 Nicolas Salguero 2020-09-25 11:06:09 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion. (CVE-2020-25219)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25219
https://www.debian.org/lts/security/2020/dla-2372
https://ubuntu.com/security/notices/USN-4514-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/
========================

Updated packages in core/updates_testing:
========================
lib(64)proxy1-0.4.15-4.1.mga7
libproxy-utils-0.4.15-4.1.mga7
python2-libproxy-0.4.15-4.1.mga7
python3-libproxy-0.4.15-4.1.mga7
libproxy-perl-0.4.15-4.1.mga7
libproxy-gxsettings-0.4.15-4.1.mga7
lib(64)proxy-gnome-0.4.15-4.1.mga7
lib(64)proxy-kde-0.4.15-4.1.mga7
lib(64)proxy-networkmanager-0.4.15-4.1.mga7
lib(64)proxy-webkit-0.4.15-4.1.mga7
libproxy-pacrunner-0.4.15-4.1.mga7
lib(64)proxy-devel-0.4.15-4.1.mga7

from SRPM:
libproxy-0.4.15-4.1.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-25219
CC: (none) => nicolas.salguero
Source RPM: libproxy-0.4.15-9.mga8.src.rpm => libproxy-0.4.15-4.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs

Comment 5 Herman Viaene 2020-09-25 22:20:02 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 7887 Comment 2, create python.py file as in the cat command, and aalso tried command as in Comment 4
So at CLI:
$ python python.py
direct://

$  proxy http://google.com
direct://

Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2020-09-27 19:42:55 CEST 
Validating update
Adv and SRPM in comment 4.

CC: (none) => ouaurelien

Aurelien Oudelet 2020-09-27 19:45:44 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 7 Mageia Robot 2020-09-27 22:07:57 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0373.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED