OpenSuSE has issued an advisory on October 22: http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html Mageia 1 and 2 are affected, Cauldron as not as it was fixed upstream in 0.4.10. Patched packages uploaded for Mageia 1 and Mageia 2. Note that the CVE-2012-4505 referenced in the OpenSuSE advisory only affects libproxy 0.3.x and should have not been referenced in their advisory. Advisory: ======================== Updated libproxy packages fix security vulnerability: A buffer overflow flaw was discovered in the libproxy's url::get_pac() used to download proxy.pac proxy auto-configuration file. A malicious host hosting proxy.pac, or a man in the middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if proxy configuration instructed it to download proxy.pac file from a remote HTTP server (CVE-2012-4504). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4504 https://bugzilla.redhat.com/show_bug.cgi?id=864417 http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html ======================== Updated packages in core/updates_testing: ======================== libproxy1-0.4.6-8.1.mga1 libmodman1-0.4.6-8.1.mga1 libproxy-utils-0.4.6-8.1.mga1 python-libproxy-0.4.6-8.1.mga1 libproxy-perl-0.4.6-8.1.mga1 libproxy-gnome-0.4.6-8.1.mga1 libproxy-kde-0.4.6-8.1.mga1 libproxy-mozjs-0.4.6-8.1.mga1 libproxy-webkit-0.4.6-8.1.mga1 libproxy-devel-0.4.6-8.1.mga1 libproxy1-0.4.7-6.1.mga2 libproxy-utils-0.4.7-6.1.mga2 python-libproxy-0.4.7-6.1.mga2 libproxy-perl-0.4.7-6.1.mga2 libproxy-gxsettings-0.4.7-6.1.mga2 libproxy-gnome-0.4.7-6.1.mga2 libproxy-kde-0.4.7-6.1.mga2 libproxy-networkmanager-0.4.7-6.1.mga2 libproxy-mozjs-0.4.7-6.1.mga2 libproxy-webkit-0.4.7-6.1.mga2 libproxy-devel-0.4.7-6.1.mga2 from SRPMS: libproxy-0.4.6-8.1.mga1.src.rpm libproxy-0.4.7-6.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
Any idea on how to test this?
CC: (none) => goetz.waschk
firefox, iceape, vlc-plugin-common and python-libproxy use libproxy1 python-libproxy can be tested as below $ python python.py direct:// $ cat python.py import libproxy URL = "http://www.google.com" pf = libproxy.ProxyFactory() for proxy in pf.getProxies(URL): # Do something with the proxy print proxy libproxy-perl looks as if it should be able to use the example here but it fails for me: http://search.cpan.org/~goneri/Net-Libproxy-0.03/lib/Net/Libproxy.pm Also, should it be called perl-Net-Libproxy to fit with our perl module naming scheme? libproxy-gnome is required by gnome-control-center, are there proxy settings there? The other rpm's are not required by anything so showing the things above are Ok should be enough.
With the update candidate your example works as expected in mga2 x86_64.
Additionally libproxy-utils has /usr/bin/proxy which takes a URL as an arguement and returns the proxies. $ proxy http://google.com direct://
Thanks for testing Götz and welcome to Mageia btw
Whiteboard: MGA1TOO => MGA1TOO has_procedure
CC: (none) => sander.lepikHardware: i586 => AllWhiteboard: MGA1TOO has_procedure => MGA1TOO has_procedure MGA2-64-OK
Testing complete on Mageia 2 i586, Mageia 1 i586, and Mageia 1 x86-64. Could someone from the sysadmin team push the srpm libproxy-0.4.7-6.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm libproxy-0.4.6-8.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates Advisory: Updated libproxy packages fix security vulnerability: A buffer overflow flaw was discovered in the libproxy's url::get_pac() used to download proxy.pac proxy auto-configuration file. A malicious host hosting proxy.pac, or a man in the middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if proxy configuration instructed it to download proxy.pac file from a remote HTTP server (CVE-2012-4504). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4504 https://bugzilla.redhat.com/show_bug.cgi?id=864417 http://lists.opensuse.org/opensuse-updates/2012-10/msg00065.html https://bugs.mageia.org/show_bug.cgi?id=7887
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: MGA1TOO has_procedure MGA2-64-OK => MGA1TOO has_procedure MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0309
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED