Bug 27302 - libproxy new security issue CVE-2020-25219
Summary: libproxy new security issue CVE-2020-25219
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-09-22 19:45 CEST by David Walser
Modified: 2020-09-27 22:07 CEST (History)

See Also:
Source RPM: libproxy-0.4.15-4.mga7.src.rpm
CVE: CVE-2020-25219
Status comment:



Description David Walser 2020-09-22 19:45:52 CEST
Debian-LTS has issued an advisory on September 12:
https://www.debian.org/lts/security/2020/dla-2372

Mageia 7 is also affected.
David Walser 2020-09-22 19:46:01 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-09-22 20:22:44 CEST
Ubuntu has issued an advisory for this on September 17:
https://ubuntu.com/security/notices/USN-4514-1
Comment 2 Lewis Smith 2020-09-22 20:55:19 CEST
No registered nor evident maintainer for this, so having to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 3 David Walser 2020-09-23 22:26:34 CEST
Fedora has issued an advisory for this today (September 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/
David Walser 2020-09-23 22:26:53 CEST

Severity: major => critical

Comment 4 Nicolas Salguero 2020-09-25 11:06:09 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion. (CVE-2020-25219)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25219
https://www.debian.org/lts/security/2020/dla-2372
https://ubuntu.com/security/notices/USN-4514-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CNID6EZVOVH7EZB7KFU2EON54CFDIVUR/
========================

Updated packages in core/updates_testing:
========================
lib(64)proxy1-0.4.15-4.1.mga7
libproxy-utils-0.4.15-4.1.mga7
python2-libproxy-0.4.15-4.1.mga7
python3-libproxy-0.4.15-4.1.mga7
libproxy-perl-0.4.15-4.1.mga7
libproxy-gxsettings-0.4.15-4.1.mga7
lib(64)proxy-gnome-0.4.15-4.1.mga7
lib(64)proxy-kde-0.4.15-4.1.mga7
lib(64)proxy-networkmanager-0.4.15-4.1.mga7
lib(64)proxy-webkit-0.4.15-4.1.mga7
libproxy-pacrunner-0.4.15-4.1.mga7
lib(64)proxy-devel-0.4.15-4.1.mga7

from SRPM:
libproxy-0.4.15-4.1.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-25219
CC: (none) => nicolas.salguero
Source RPM: libproxy-0.4.15-9.mga8.src.rpm => libproxy-0.4.15-4.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
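
An added illustration (not libproxy's code and not part of this bug report) of the defensive shape the advisory text calls for: a bounded, iterative line reader that cannot deepen the call stack on a newline-free stream. The ByteSource interface, the 8192-byte cap and the helper functions are assumptions made for the example.

```cpp
#include <cstddef>
#include <functional>
#include <string>

// Assumed stand-in for a socket read (not libproxy's API): yields one byte, or -1 once the peer closes.
using ByteSource = std::function<int()>;

// Assumed cap on one header line; exceeding it without a newline is treated as a malformed response.
constexpr std::size_t kMaxLineBytes = 8192;

// Bounded, iterative replacement for a recursive recvline: reads up to '\n', strips a
// trailing '\r', stores the line in `out`. Returns false if the peer closes mid-line or
// kMaxLineBytes arrive without a newline, so an endless stream can never grow the stack.
bool recv_line_bounded(const ByteSource& next_byte, std::string& out) {
    out.clear();
    while (out.size() < kMaxLineBytes) {
        int c = next_byte();
        if (c < 0) return false;               // connection closed mid-line
        if (c == '\n') {
            if (!out.empty() && out.back() == '\r') out.pop_back();
            return true;
        }
        out.push_back(static_cast<char>(c));
    }
    return false;                              // limit hit with no newline: give up
}

// Constructed source that replays a fixed buffer, then reports closure.
ByteSource source_from(const std::string& data) {
    std::size_t pos = 0;
    return [data, pos]() mutable -> int {
        if (pos >= data.size()) return -1;
        return static_cast<unsigned char>(data[pos++]);
    };
}

// Reads the first line of a constructed response ("<none>" if no complete line arrives).
std::string first_line_of(const std::string& response) {
    ByteSource src = source_from(response);
    std::string line;
    return recv_line_bounded(src, line) ? line : std::string("<none>");
}

// Feeds a never-ending, newline-free stream (the advisory's scenario) and reports
// whether the reader gave up instead of consuming it forever.
bool stops_on_endless_stream() {
    ByteSource src = []() -> int { return 'A'; };
    std::string line;
    return !recv_line_bounded(src, line);
}
```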

Comment 5 Herman Viaene 2020-09-25 22:20:02 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 7887 Comment 2, create python.py file as in the cat command, and also tried command as in Comment 4
So at CLI:
$ python python.py
direct://

$  proxy http://google.com
direct://

Looks OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Aurelien Oudelet 2020-09-27 19:42:55 CEST
Validating update
Adv and SRPM in comment 4.

CC: (none) => ouaurelien

Aurelien Oudelet 2020-09-27 19:45:44 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 7 Mageia Robot 2020-09-27 22:07:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0373.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

