An insufficient input validation flaw, leading to a heap-based buffer overflow, was found in libproxy 0.3.x in the px_pac_reload() function. libproxy allocates memory to store the downloaded proxy.pac proxy auto-configuration file content using the Content-Length size from the remote server's HTTP response header. The allocation size is content length + 1. A malicious host hosting proxy.pac, or a man-in-the-middle attacker, could use this flaw to make libproxy allocate an insufficient amount of memory and subsequently overflow a heap-based buffer.

http://code.google.com/p/libproxy/source/browse/tags/libproxy-0.3.1/src/lib/pac.c#165

165 self->cache = px_malloc0(content_length+1);
166 for (int recvd=0 ; recvd != content_length ; )
167     recvd += recv(sock, self->cache + recvd, content_length - recvd, 0);

This issue was confirmed with libproxy 0.3.x. Earlier 0.2.x versions seem to be affected too. It does not affect 0.4.x versions, where a fixed-size buffer is used.
(In reply to comment #0)
> It does not affect 0.4.x versions, where fixed size buffer is used.

0.4.x versions were affected by a different overflow in the PAC loading code; see bug 864417. This problem was discovered while investigating the 0.4.x issue.
Acknowledgment: This issue was discovered by the Red Hat Security Response Team.
Created attachment 625842
libproxy 0.3 patch

Proposed patch for libproxy 0.3.x. It introduces the same PAC_MAX_SIZE as used in 0.4 (102400) and uses it as the maximum acceptable proxy.pac file size, avoiding integer wraparound on +1. It also adds recv return value checks.
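Added example (not libproxy's code and not the attached patch): a hardened form of the 0.3.x download loop quoted in comment #0, applying the two fixes the patch comment describes, a PAC_MAX_SIZE bound on Content-Length before the +1 allocation, and a check of every recv() return value so a 0 or -1 result is never added to the byte count. The recv_fn callback and the fake_stream reader are assumptions made so the loop runs without a socket; a real caller wraps recv(2).

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define PAC_MAX_SIZE 102400   /* same cap libproxy 0.4 uses */

/* recv(2) abstracted as a callback so the loop runs without a socket.
 * Same contract as recv(): bytes read, 0 at EOF, -1 on error. */
typedef ssize_t (*recv_fn)(void *ctx, void *buf, size_t len);

/* Bound Content-Length before it feeds an allocation: the 0.3.x code
 * computed content_length + 1 unchecked, so a huge value could wrap. */
int pac_size_acceptable(size_t content_length)
{
    return content_length <= PAC_MAX_SIZE;
}

/* Read exactly content_length bytes into a NUL-terminated buffer. Returns
 * NULL on oversize length, allocation failure, error or early EOF. */
char *pac_read_body(recv_fn rx, void *ctx, size_t content_length)
{
    if (!pac_size_acceptable(content_length))
        return NULL;
    char *buf = calloc(content_length + 1, 1);  /* +1 cannot wrap now */
    if (!buf)
        return NULL;
    size_t recvd = 0;
    while (recvd < content_length) {
        ssize_t n = rx(ctx, buf + recvd, content_length - recvd);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {             /* error, or peer closed early */
            free(buf);
            return NULL;
        }
        recvd += (size_t)n;       /* n <= remaining, cannot overflow */
    }
    buf[content_length] = '\0';
    return buf;
}

/* Constructed in-memory stream for testing: at most 7 bytes per call. */
struct fake_stream { const char *data; size_t len, pos; };
ssize_t fake_recv(void *ctx, void *buf, size_t len)
{
    struct fake_stream *s = ctx;
    size_t n = s->len - s->pos;
    if (n > len) n = len;
    if (n > 7) n = 7;             /* force several short reads */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;            /* 0 once the stream is exhausted */
}
```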
Semi-public now via the upstream announcement of the 0.4.9 version, which fixes the similar CVE-2012-4504 that affected 0.4.x versions: https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E

Making bug public.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1461 https://rhn.redhat.com/errata/RHSA-2012-1461.html