Bug 883100 (CVE-2012-5580)

Summary: CVE-2012-5580 libproxy: format string flaw in bin/proxy
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: danw, kwizart, nathaniel
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libproxy 0.4.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-15 09:10:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2012-12-03 19:09:34 UTC 
A format string flaw was reported [1] in libproxy's proxy commandline tool (bin/proxy).  This was corrected upstream [2] and is included in the 0.4.0 release.

FORTIFY_SOURCE turns this into a harmless crash:

% http_proxy=http://foo%n.example.com/ proxy http://example.com
*** %n in writable segment detected ***
http://foozsh: abort (core dumped)  http_proxy=http://foo%n.example.com/ proxy http://example.com

NOTE: this flaw exists solely in the proxy tool, not the library.

[1] https://bugzilla.novell.com/show_bug.cgi?id=791086
[2] https://code.google.com/p/libproxy/source/detail?r=475
Comment 1 Vincent Danen 2012-12-03 19:11:56 UTC 
Fedora has libproxy 0.4.10 in -testing for Fedora 16; Fedora 17 and newer already have version 0.4.10.
Comment 2 Fedora Update System 2013-01-12 01:04:55 UTC 
libproxy-0.4.11-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2013-03-10 01:01:30 UTC 
libproxy-0.4.11-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Nicolas Chauvet (kwizart) 2013-03-13 15:42:03 UTC 
This should be fixed in current release
Comment 5 Tomas Hoger 2013-03-14 09:37:37 UTC 
Leaving open for non-Fedora.
Comment 6 Tomas Hoger 2013-08-15 09:10:06 UTC 
As noted in comment #0, this is bug in the proxy example / test application and not libproxy library.  Problem is also mitigated to the use of FORTIFY_SOURCE to a harmless application crash.  Hence there is currently no plan to fix this in Red Hat Enterprise Linux 6.  Issue will be fixed in future product versions if they include libproxy.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.