1869639 – (CVE-2020-26154) CVE-2020-26154 libproxy: sending more than 102400 bytes in PAC without a Content-Length present could result in buffer overflow

Bug 1869639 (CVE-2020-26154) - CVE-2020-26154 libproxy: sending more than 102400 bytes in PAC without a Content-Length present could result in buffer overflow

Summary: CVE-2020-26154 libproxy: sending more than 102400 bytes in PAC without a Cont...

Keywords:
Status:	NEW
Alias:	CVE-2020-26154
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1883584 1884639
Blocks:	1869641
TreeView+	depends on / blocked

Reported:	2020-08-18 12:20 UTC by Michael Kaplan
Modified:	2025-05-01 19:12 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:6205	0	None	None	None	2024-09-03 16:10:26 UTC

Description Michael Kaplan 2020-08-18 12:20:23 UTC

It was found that if the server serving a PAC file sends more than 102400 bytes without a Content-Length present, libproxy can overflow its buffer by PAC_HTTP_BLOCK_SIZE (512) bytes.

References:

https://github.com/libproxy/libproxy/pull/126
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968366

Comment 2 Stefan Cornelius 2020-09-29 15:55:02 UTC

Created libproxy tracking bugs for this issue:

Affects: fedora-all [bug 1883584]

Comment 7 Nick Boldt 2022-07-21 19:03:45 UTC

Is this issue ever going to be fixed in RHEL8 ?

Asking because I got asked to fix this in our RHEL8 based containers back on 2020/10/13 in https://issues.redhat.com/browse/CRW-1290 but as of UBI 8.6 the latest RPM is still 

libproxy-0.4.15-5.2.el8

But according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968366 we need 0.4.15-15

Since we depend on RHEL8 / UBI8 containers for our image builds, this isn't something we can fix downstream... instead it needs a RHEL RPM fix, which we can then inherit.

Comment 10 Michael Catanzaro 2024-07-31 15:54:14 UTC

(In reply to Nick Boldt from comment #7)
> But according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968366 we
> need 0.4.15-15

It's fixed in revision -15 of the *Debian* package. That's meaningless for RHEL. When it's fixed in RHEL, the revision will surely be different.

Comment 11 errata-xmlrpc 2024-09-03 16:10:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6205 https://access.redhat.com/errata/RHSA-2024:6205

Note You need to log in before you can comment on or make changes to this bug.