Bug 33206 - tinyproxy new security issues CVE-2022-40468 and CVE-2023-49606
Summary: tinyproxy new security issues CVE-2022-40468 and CVE-2023-49606
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2024-05-13 15:51 CEST by Nicolas Salguero
Modified: 2025-01-10 20:55 CET (History)
4 users

See Also:
Source RPM: tinyproxy-1.10.0-3.mga9.src.rpm
CVE: CVE-2022-40468, CVE-2023-49606
Status comment:


Description Nicolas Salguero 2024-05-13 15:51:27 CEST
CVE-2023-49606, CVE-2023-40533 were announced here:
https://www.openwall.com/lists/oss-security/2024/05/07/1

openSUSE has released an advisory on May 10:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OM62U7F2OTTTTR4PTM6RV3UAOCUHRC75/

Mageia 9 is also affected.

The problems were fixed in version 1.11.2.
Nicolas Salguero 2024-05-13 15:52:23 CEST

CVE: (none) => CVE-2022-40468, CVE-2023-40533, CVE-2023-49606
Source RPM: (none) => tinyproxy-1.11.1-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in 1.11.2
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-05-16 20:54:01 CEST
A straight version update. Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2024-05-17 16:00:29 CEST
Assigning to the registered maintainer!

Assignee: pkg-bugs => cooker
CC: (none) => geiger.david68210

Comment 3 David GEIGER 2024-05-18 07:51:14 CEST
Cauldron was fixed!

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

Nicolas Salguero 2024-05-29 16:01:35 CEST

Source RPM: tinyproxy-1.11.1-1.mga10.src.rpm => tinyproxy-1.10.0-3.mga9.src.rpm

Comment 4 Nicolas Salguero 2024-09-19 14:46:54 CEST
Debian has issued an advisory on September 18:
https://lwn.net/Articles/990818/

CVE-2023-40533 is a duplicate of CVE-2022-40468.

Status comment: Fixed upstream in 1.11.2 => Patches available from Debian
Summary: tinyproxy new security issues CVE-2022-40468, CVE-2023-40533 and CVE-2023-49606 => tinyproxy new security issues CVE-2022-40468 and CVE-2023-49606
CVE: CVE-2022-40468, CVE-2023-40533, CVE-2023-49606 => CVE-2022-40468, CVE-2023-49606

Comment 7 Nicolas Salguero 2025-01-08 16:14:26 CET
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in process_request() function. (CVE-2022-40468)

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability. (CVE-2023-49606)

References:
https://www.openwall.com/lists/oss-security/2024/05/07/1
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/OM62U7F2OTTTTR4PTM6RV3UAOCUHRC75/
https://lwn.net/Articles/990818/
https://ubuntu.com/security/notices/USN-7140-1
https://ubuntu.com/security/notices/USN-7190-1
========================

Updated package in core/updates_testing:
========================
tinyproxy-1.10.0-3.1.mga9

from SRPM:
tinyproxy-1.10.0-3.1.mga9.src.rpm

Assignee: cooker => qa-bugs
Status comment: Patches available from Debian => (none)
Status: NEW => ASSIGNED
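The advisory above names the fixed package as tinyproxy-1.10.0-3.1.mga9, and the only way to tell a patched host from the vulnerable tinyproxy-1.10.0-3.mga9 is the release tag, since the upstream version stays 1.10.0. The following is an added example, not code from this bug report, Mageia or the tinyproxy project: a Python port of rpm's version comparison (rpmvercmp) plus an EVR comparison, used to check an installed NEVR string against the fixed one from the advisory. The installed strings fed to it are constructed samples; on a real host you would obtain one with something like `rpm -q --qf '%{NAME}-%{EVR}\n' tinyproxy`.

```python
import re

FIXED_NEVR = "tinyproxy-1.10.0-3.1.mga9"  # from the advisory above (MGASA-2025-0003)


def _is_ascii_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version/release strings the way rpmvercmp does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Segments are compared
    numerically when both start with a digit, otherwise as ASCII strings;
    a numeric segment beats an alpha one; '~' sorts before anything (even
    the end of the string); '^' sorts after the end of the string.
    """
    if a == b:
        return 0
    i = j = 0
    na, nb = len(a), len(b)
    while i < na or j < nb:
        # skip separators (anything that is not alnum, '~' or '^')
        while i < na and not _is_ascii_alnum(a[i]) and a[i] not in "~^":
            i += 1
        while j < nb and not _is_ascii_alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca = a[i] if i < na else ""
        cb = b[j] if j < nb else ""
        if ca == "~" or cb == "~":  # tilde sorts before everything else
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":  # caret: base version (exhausted side) is lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):  # one side exhausted: decide after the loop
            break
        if ca in "0123456789":
            isnum = True
            ma, mb = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]*", b[j:])
        else:
            isnum = False
            ma, mb = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]*", b[j:])
        seg_a, seg_b = ma.group(0), mb.group(0)
        if not seg_b:  # different segment types: numeric is newer than alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i += len(ma.group(0))
        j += len(mb.group(0))
    if i >= na and j >= nb:
        return 0
    return -1 if i >= na else 1  # whichever still has characters left wins


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two NEVR strings of the same package by epoch, version, release."""
    _, ea, va, ra = parse_nevr(a)
    _, eb, vb, rb = parse_nevr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def is_fixed(installed_nevr: str, fixed_nevr: str = FIXED_NEVR) -> bool:
    """True if the installed package is the fixed build or newer."""
    if parse_nevr(installed_nevr)[0] != parse_nevr(fixed_nevr)[0]:
        raise ValueError("package names differ")
    return evr_cmp(installed_nevr, fixed_nevr) >= 0


if __name__ == "__main__":
    # constructed sample outputs of `rpm -q --qf '%{NAME}-%{EVR}\n' tinyproxy`
    for sample in ("tinyproxy-1.10.0-3.mga9", "tinyproxy-1.10.0-3.1.mga9"):
        print(sample, "fixed" if is_fixed(sample) else "VULNERABLE")
```

The release-tag comparison is the part that matters here: "3.mga9" against "3.1.mga9" hits the numeric-beats-alpha rule on the second segment, so the unpatched build sorts lower even though the version string is identical.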

katnatek 2025-01-08 17:16:55 CET

Keywords: (none) => advisory

Comment 8 Herman Viaene 2025-01-09 12:04:30 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 7898 for testing, and found same rather erratic behavior:
Start command hangs whether using service start or systemctl
Status says loaded and activating (not activated), and after some time there is a time-out.
But setting firefox to use proxy localhost port 8888 works OK.
Give the stop command, and firefox continues to connect.
Use ps -aux and see tinyproxy processes running.
Kill the first process (main for the other ones), and firefox cannot connect anymore.
So basically, this is the same behavior as described in bug 7898, so no regression, good (well not really IMHO) to go, unless someone else can contradict me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 9 Thomas Andrews 2025-01-09 22:01:06 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Mageia Robot 2025-01-10 20:55:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0003.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

