Bug 7887 - libproxy new security issue CVE-2012-4504
Summary: libproxy new security issue CVE-2012-4504
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/520759/
Whiteboard: MGA1TOO has_procedure MGA2-64-OK MGA2...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-10-23 17:46 CEST by David Walser
Modified: 2012-10-29 00:55 CET (History)
5 users (show)

See Also:
Source RPM: libproxy-0.4.7-6.mga2.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-10-23 17:46:03 CEST 
OpenSuSE has issued an advisory on October 22:
http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html

Mageia 1 and 2 are affected, Cauldron as not as it was fixed upstream in 0.4.10.

Patched packages uploaded for Mageia 1 and Mageia 2.

Note that the CVE-2012-4505 referenced in the OpenSuSE advisory only affects libproxy 0.3.x and should have not been referenced in their advisory.

Advisory:
========================

Updated libproxy packages fix security vulnerability:

A buffer overflow flaw was discovered in the libproxy's url::get_pac() used
to download proxy.pac proxy auto-configuration file.  A malicious host
hosting proxy.pac, or a man in the middle attacker, could use this flaw to
trigger a stack-based buffer overflow in an application using libproxy, if
proxy configuration instructed it to download proxy.pac file from a remote
HTTP server (CVE-2012-4504).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4504
https://bugzilla.redhat.com/show_bug.cgi?id=864417
http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html
========================

Updated packages in core/updates_testing:
========================
libproxy1-0.4.6-8.1.mga1
libmodman1-0.4.6-8.1.mga1
libproxy-utils-0.4.6-8.1.mga1
python-libproxy-0.4.6-8.1.mga1
libproxy-perl-0.4.6-8.1.mga1
libproxy-gnome-0.4.6-8.1.mga1
libproxy-kde-0.4.6-8.1.mga1
libproxy-mozjs-0.4.6-8.1.mga1
libproxy-webkit-0.4.6-8.1.mga1
libproxy-devel-0.4.6-8.1.mga1
libproxy1-0.4.7-6.1.mga2
libproxy-utils-0.4.7-6.1.mga2
python-libproxy-0.4.7-6.1.mga2
libproxy-perl-0.4.7-6.1.mga2
libproxy-gxsettings-0.4.7-6.1.mga2
libproxy-gnome-0.4.7-6.1.mga2
libproxy-kde-0.4.7-6.1.mga2
libproxy-networkmanager-0.4.7-6.1.mga2
libproxy-mozjs-0.4.7-6.1.mga2
libproxy-webkit-0.4.7-6.1.mga2
libproxy-devel-0.4.7-6.1.mga2

from SRPMS:
libproxy-0.4.6-8.1.mga1.src.rpm
libproxy-0.4.7-6.1.mga2.src.rpm
David Walser 2012-10-23 17:46:30 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 Götz Waschk 2012-10-24 10:00:05 CEST 
Any idea on how to test this?

CC: (none) => goetz.waschk

Comment 2 claire robinson 2012-10-24 11:04:11 CEST 
firefox, iceape, vlc-plugin-common and python-libproxy use libproxy1

python-libproxy can be tested as below

$ python python.py
direct://

$ cat python.py
import libproxy

URL = "http://www.google.com"

pf = libproxy.ProxyFactory()
for proxy in pf.getProxies(URL):
  # Do something with the proxy
  print proxy

libproxy-perl looks as if it should be able to use the example here but it fails for me:
http://search.cpan.org/~goneri/Net-Libproxy-0.03/lib/Net/Libproxy.pm

Also, should it be called perl-Net-Libproxy to fit with our perl module naming scheme?

libproxy-gnome is required by gnome-control-center, are there proxy settings there?

The other rpm's are not required by anything so showing the things above are Ok should be enough.
Comment 3 Götz Waschk 2012-10-24 11:12:17 CEST 
With the update candidate your example works as expected in mga2 x86_64.
Comment 4 claire robinson 2012-10-24 11:13:35 CEST 
Additionally libproxy-utils has /usr/bin/proxy which takes a URL as an arguement and returns the proxies.

$ proxy http://google.com
direct://
Comment 5 claire robinson 2012-10-24 11:15:04 CEST 
Thanks for testing Götz and welcome to Mageia btw
claire robinson 2012-10-24 11:15:35 CEST

Whiteboard: MGA1TOO => MGA1TOO has_procedure

Sander Lepik 2012-10-24 11:24:57 CEST

CC: (none) => sander.lepik
Hardware: i586 => All
Whiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA2-64-OK

Comment 6 Dave Hodgins 2012-10-26 03:58:27 CEST 
Testing complete on Mageia 2 i586, Mageia 1 i586, and Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
libproxy-0.4.7-6.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
libproxy-0.4.6-8.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates

Advisory: Updated libproxy packages fix security vulnerability:

A buffer overflow flaw was discovered in the libproxy's url::get_pac() used
to download proxy.pac proxy auto-configuration file.  A malicious host
hosting proxy.pac, or a man in the middle attacker, could use this flaw to
trigger a stack-based buffer overflow in an application using libproxy, if
proxy configuration instructed it to download proxy.pac file from a remote
HTTP server (CVE-2012-4504).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4504
https://bugzilla.redhat.com/show_bug.cgi?id=864417
http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html

https://bugs.mageia.org/show_bug.cgi?id=7887

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 7 Thomas Backlund 2012-10-29 00:55:12 CET 
update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0309

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.