Bug 883100 - (CVE-2012-5580) CVE-2012-5580 libproxy: format string flaw in bin/proxy
CVE-2012-5580 libproxy: format string flaw in bin/proxy
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Reopened, Security
Depends On:
  Show dependency treegraph
Reported: 2012-12-03 14:09 EST by Vincent Danen
Modified: 2013-08-15 05:10 EDT (History)
3 users (show)

See Also:
Fixed In Version: libproxy 0.4.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-15 05:10:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-12-03 14:09:34 EST
A format string flaw was reported [1] in libproxy's proxy commandline tool (bin/proxy).  This was corrected upstream [2] and is included in the 0.4.0 release.

FORTIFY_SOURCE turns this into a harmless crash:

% http_proxy=http://foo%n.example.com/ proxy http://example.com
*** %n in writable segment detected ***
http://foozsh: abort (core dumped)  http_proxy=http://foo%n.example.com/ proxy http://example.com

NOTE: this flaw exists solely in the proxy tool, not the library.

[1] https://bugzilla.novell.com/show_bug.cgi?id=791086
[2] https://code.google.com/p/libproxy/source/detail?r=475
Comment 1 Vincent Danen 2012-12-03 14:11:56 EST
Fedora has libproxy 0.4.10 in -testing for Fedora 16; Fedora 17 and newer already have version 0.4.10.
Comment 2 Fedora Update System 2013-01-11 20:04:55 EST
libproxy-0.4.11-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2013-03-09 20:01:30 EST
libproxy-0.4.11-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Nicolas Chauvet (kwizart) 2013-03-13 11:42:03 EDT
This should be fixed in current release
Comment 5 Tomas Hoger 2013-03-14 05:37:37 EDT
Leaving open for non-Fedora.
Comment 6 Tomas Hoger 2013-08-15 05:10:06 EDT
As noted in comment #0, this is bug in the proxy example / test application and not libproxy library.  Problem is also mitigated to the use of FORTIFY_SOURCE to a harmless application crash.  Hence there is currently no plan to fix this in Red Hat Enterprise Linux 6.  Issue will be fixed in future product versions if they include libproxy.


The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.