Bug 883100 (CVE-2012-5580) - CVE-2012-5580 libproxy: format string flaw in bin/proxy
Summary: CVE-2012-5580 libproxy: format string flaw in bin/proxy
Keywords:
Status: CLOSED NEXTRELEASE
Alias: CVE-2012-5580
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-03 19:09 UTC by Vincent Danen
Modified: 2019-09-29 12:58 UTC (History)
3 users (show)

Fixed In Version: libproxy 0.4.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-15 09:10:06 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-12-03 19:09:34 UTC
A format string flaw was reported [1] in libproxy's proxy commandline tool (bin/proxy).  This was corrected upstream [2] and is included in the 0.4.0 release.

FORTIFY_SOURCE turns this into a harmless crash:

% http_proxy=http://foo%n.example.com/ proxy http://example.com
*** %n in writable segment detected ***
http://foozsh: abort (core dumped)  http_proxy=http://foo%n.example.com/ proxy http://example.com

NOTE: this flaw exists solely in the proxy tool, not the library.

[1] https://bugzilla.novell.com/show_bug.cgi?id=791086
[2] https://code.google.com/p/libproxy/source/detail?r=475

Comment 1 Vincent Danen 2012-12-03 19:11:56 UTC
Fedora has libproxy 0.4.10 in -testing for Fedora 16; Fedora 17 and newer already have version 0.4.10.

Comment 2 Fedora Update System 2013-01-12 01:04:55 UTC
libproxy-0.4.11-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2013-03-10 01:01:30 UTC
libproxy-0.4.11-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Nicolas Chauvet (kwizart) 2013-03-13 15:42:03 UTC
This should be fixed in current release

Comment 5 Tomas Hoger 2013-03-14 09:37:37 UTC
Leaving open for non-Fedora.

Comment 6 Tomas Hoger 2013-08-15 09:10:06 UTC
As noted in comment #0, this is bug in the proxy example / test application and not libproxy library.  Problem is also mitigated to the use of FORTIFY_SOURCE to a harmless application crash.  Hence there is currently no plan to fix this in Red Hat Enterprise Linux 6.  Issue will be fixed in future product versions if they include libproxy.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.