Bug 27411 - libproxy new security issue CVE-2020-26154
Summary: libproxy new security issue CVE-2020-26154
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-13 20:14 CEST by David Walser
Modified: 2020-11-08 15:15 CET
CC: 4 users

See Also:
Source RPM: libproxy-0.4.15-4.1.mga7.src.rpm
CVE: CVE-2020-26154
Status comment:



Description David Walser 2020-10-13 20:14:30 CEST
SUSE has issued an advisory today (October 13):
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007540.html

Mageia 7 is also affected.
David Walser 2020-10-13 20:14:46 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-13 20:52:42 CEST
Fedora has issued an advisory for this on October 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/
Comment 2 Aurelien Oudelet 2020-10-14 18:46:34 CEST
Hi, thanks for reporting this bug.
Assigned to all package maintainers, as there is no registered one.
CC'ed recent committer.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => nicolas.salguero
Keywords: (none) => Triaged
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2020-10-15 12:02:51 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

url.cpp in libproxy through 0.4.15 is prone to a buffer overflow when PAC is enabled, as demonstrated by a large PAC file that is delivered without a Content-length header. (CVE-2020-26154)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26154
https://lists.suse.com/pipermail/sle-security-updates/2020-October/007540.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3BID3HVHAF6DA3YJOFDBSAZSMR3ODNIW/
========================

Updated packages in core/updates_testing:
========================
lib(64)proxy1-0.4.15-4.2.mga7
libproxy-utils-0.4.15-4.2.mga7
python2-libproxy-0.4.15-4.2.mga7
python3-libproxy-0.4.15-4.2.mga7
libproxy-perl-0.4.15-4.2.mga7
libproxy-gxsettings-0.4.15-4.2.mga7
lib(64)proxy-gnome-0.4.15-4.2.mga7
lib(64)proxy-kde-0.4.15-4.2.mga7
lib(64)proxy-networkmanager-0.4.15-4.2.mga7
lib(64)proxy-webkit-0.4.15-4.2.mga7
libproxy-pacrunner-0.4.15-4.2.mga7
lib(64)proxy-devel-0.4.15-4.2.mga7

from SRPM:
libproxy-0.4.15-4.2.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Keywords: Triaged => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-26154
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: libproxy-0.4.15-10.mga8.src.rpm => libproxy-0.4.15-4.1.mga7.src.rpm
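As an added illustration of the mitigation for the flaw class described in the advisory above (this is not libproxy's code nor its actual fix), a bounded HTTP body reader in C++ that refuses a PAC response larger than a hypothetical cap, whether or not the server sends a Content-Length header:

```cpp
#include <cstddef>
#include <istream>
#include <sstream>
#include <string>

// Hypothetical cap on the size of a PAC body; not taken from libproxy.
static const std::size_t kMaxPacBytes = 1024 * 1024;

// Read the body that follows an already-consumed header block. Returns
// false when the body would exceed `max_bytes`, leaving `out` truncated at
// the cap instead of growing without bound when no length is announced.
bool read_body_bounded(std::istream& in, std::size_t max_bytes, std::string& out) {
    out.clear();
    char buf[4096];
    while (in) {
        in.read(buf, sizeof buf);
        std::streamsize got = in.gcount();
        if (got <= 0) break;
        if (out.size() + static_cast<std::size_t>(got) > max_bytes) {
            out.append(buf, max_bytes - out.size());
            return false;  // caller must discard this PAC
        }
        out.append(buf, static_cast<std::size_t>(got));
    }
    return true;
}

// Minimal response parser: skip headers up to the blank line, note a
// Content-Length if present, then read the body under the same cap.
// Constructed input only; no network access.
bool fetch_pac(const std::string& response, std::size_t max_bytes, std::string& body) {
    std::istringstream in(response);
    std::string line;
    const std::string key = "Content-Length:";
    while (std::getline(in, line) && line != "\r" && !line.empty()) {
        if (line.compare(0, key.size(), key) == 0) {
            try {
                // Reject before allocating when the announced length is too large.
                if (std::stoull(line.substr(key.size())) > max_bytes) return false;
            } catch (...) {
                return false;  // malformed length header
            }
        }
    }
    return read_body_bounded(in, max_bytes, body);
}
```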

Comment 4 Brian Rockwell 2020-11-03 19:33:58 CET
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 6 packages are going to be installed:

- lib64proxy-gnome-0.4.15-4.2.mga7.x86_64
- lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64
- lib64proxy-webkit-0.4.15-4.2.mga7.x86_64
- lib64proxy1-0.4.15-4.2.mga7.x86_64
- libproxy-gxsettings-0.4.15-4.2.mga7.x86_64
- libproxy-utils-0.4.15-4.2.mga7.x86_64

19KB of additional disk space will be used.

--note I'm updating the already installed modules from 4.1 to 4.2


Rebooted

Utilities seem to be working and no network connection issues.

CC: (none) => brtians1

Comment 5 Aurelien Oudelet 2020-11-08 11:11:33 CET
(In reply to Brian Rockwell from comment #4)
> $ uname -a
> Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux
> 
> The following 6 packages are going to be installed:
> 
> - lib64proxy-gnome-0.4.15-4.2.mga7.x86_64
> - lib64proxy-networkmanager-0.4.15-4.2.mga7.x86_64
> - lib64proxy-webkit-0.4.15-4.2.mga7.x86_64
> - lib64proxy1-0.4.15-4.2.mga7.x86_64
> - libproxy-gxsettings-0.4.15-4.2.mga7.x86_64
> - libproxy-utils-0.4.15-4.2.mga7.x86_64
> 
> 19KB of additional disk space will be used.
> 
> --note I'm updating the already installed modules from 4.1 to 4.2
> 
> 
> Rebooted
> 
> Utilities seem to be working and no network connection issues.

Does your system use a proxy on your network to go online?
I don't see this on your above comment.

Meanwhile, using a squid server on my M7 system listening on my private network (on 192.168.1.254).
Redirecting network traffic from another updated M7 system (192.168.1.2) to this server via Plasma System Settings, and setting /etc/resolv.conf to use the gateway/proxy (192.168.1.254) for DNS:
HTTP goes through squid and correctly logged.

MGA7-64-OK

Validating update.
Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2020-11-08 15:15:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0399.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED