Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Thu, 13 Aug 2020 15:39:03 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libproxy#126: buffer overflow when PAC is enabled
Date: Thu, 13 Aug 2020 16:36:59 +0100
Source: libproxy
Version: 0.4.14-2
Severity: grave
Justification: user security hole
Tags: security upstream
Forwarded: https://github.com/libproxy/libproxy/pull/126
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Li Fei (@lifeibiren on Github) reported that if the server serving a PAC
file sends more than 102400 bytes without a Content-Length present,
libproxy can overflow its buffer by PAC_HTTP_BLOCK_SIZE (512) bytes.
This PR is said to fix it, although I have not reviewed it in detail, and
it would be better if someone who knows C++ better than me did the review:
https://github.com/libproxy/libproxy/pull/126
Thanks to Michael Catanzaro for highlighting this as likely to be a
security vulnerability during a more general conversation about libproxy.
(Please reduce severity as desired if this is successfully mitigated by
some security measure - I'm assuming stack smashing is arbitrary code
execution, but maybe it's just DoS.)
From source code inspection, versions >= 0.4.14-2 in stretch appear
to be vulnerable. 0.4.11-4 in jessie does not appear to be vulnerable,
because it assumes absence of Content-Length means a length of 0 (which
is a bug, but not a security bug). Intermediate versions between jessie
and stretch not checked.
smcv
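The report above describes a read loop that caps a PAC body at 102400 bytes yet still asks for a full PAC_HTTP_BLOCK_SIZE (512-byte) block on every recv(), so a short read that lands just under the limit is followed by a block that runs past the buffer. The C program below is an added example, not libproxy's source and not the upstream fix: it reproduces a loop of that shape against a constructed in-memory stream (a stand-in for the socket that can return short reads, as a real network does), measures the overrun safely by placing a sentinel region after the allocation, and puts a clamped reader beside it that never writes past the allocation and rejects a body that is still unfinished when the limit is reached. The constant names and values are the ones the report gives; the stream type, run_case, the heap placement of the buffer and the PAC body content are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAC_MAX_SIZE        102400  /* limit named in the report */
#define PAC_HTTP_BLOCK_SIZE 512     /* per-read block size named in the report */

/* Constructed stand-in for the socket (assumption): an in-memory stream that,
 * like a real recv(), may hand back fewer bytes than requested (max_chunk). */
struct stream { const unsigned char *data; size_t len, pos, max_chunk; };

static size_t stream_recv(struct stream *s, unsigned char *dst, size_t n)
{
    size_t left = s->len - s->pos;
    if (n > s->max_chunk) n = s->max_chunk;
    if (n > left) n = left;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;                       /* 0 means EOF */
}

static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (!p) abort();
    return p;
}

/* Flawed loop shape (illustrative, not libproxy's source): the loop stops once
 * recvd reaches PAC_MAX_SIZE, but each iteration requests a whole block, so a
 * short read that leaves recvd just under the limit is followed by a block
 * that overruns the allocation by up to PAC_HTTP_BLOCK_SIZE bytes.  To observe
 * this without corrupting the heap, the buffer carries PAC_HTTP_BLOCK_SIZE
 * bytes of 0xAA sentinel past the "real" PAC_MAX_SIZE allocation; the return
 * value is the number of sentinel bytes overwritten, i.e. the overflow size. */
static size_t flawed_read_overflow(struct stream *s)
{
    unsigned char *buf = xmalloc(PAC_MAX_SIZE + PAC_HTTP_BLOCK_SIZE);
    memset(buf + PAC_MAX_SIZE, 0xAA, PAC_HTTP_BLOCK_SIZE);
    size_t recvd = 0, r, clobbered = 0;
    do {
        r = stream_recv(s, buf + recvd, PAC_HTTP_BLOCK_SIZE); /* never clamped */
        recvd += r;
    } while (r > 0 && recvd < PAC_MAX_SIZE);
    for (size_t i = 0; i < PAC_HTTP_BLOCK_SIZE; i++)
        if (buf[PAC_MAX_SIZE + i] != 0xAA) clobbered++;
    free(buf);
    return clobbered;
}

/* Clamped reader: asks only for the space that is left, so it cannot write
 * past out[PAC_MAX_SIZE].  A body that still has data once the buffer is full
 * is rejected (-1) rather than silently truncated: a cut-off PAC script is
 * not something to hand to a JavaScript engine.  Otherwise returns the length. */
static long hardened_read(struct stream *s, unsigned char out[PAC_MAX_SIZE])
{
    size_t recvd = 0, r;
    do {
        size_t want = PAC_MAX_SIZE - recvd;
        if (want > PAC_HTTP_BLOCK_SIZE) want = PAC_HTTP_BLOCK_SIZE;
        if (want == 0) {
            unsigned char probe;    /* buffer full: any further byte is over the limit */
            return stream_recv(s, &probe, 1) > 0 ? -1 : (long)recvd;
        }
        r = stream_recv(s, out + recvd, want);
        recvd += r;
    } while (r > 0);
    return (long)recvd;
}

/* Run both readers over a constructed body of body_len ASCII bytes, delivered
 * in reads of at most max_chunk bytes (a slow or bursty server). */
struct result { size_t overflow; long hardened; };

static struct result run_case(size_t body_len, size_t max_chunk)
{
    unsigned char *body = xmalloc(body_len), *out = xmalloc(PAC_MAX_SIZE);
    memset(body, 'x', body_len);    /* never 0xAA, so the sentinel check is exact */
    struct stream s1 = { body, body_len, 0, max_chunk };
    struct stream s2 = { body, body_len, 0, max_chunk };
    struct result res;
    res.overflow = flawed_read_overflow(&s1);
    res.hardened = hardened_read(&s2, out);
    free(out);
    free(body);
    return res;
}

int main(void)
{
    /* 1000 bytes over the limit, delivered in 500-byte reads: the flawed loop
     * runs 100 bytes past the allocation, the clamped one rejects the body. */
    struct result a = run_case(PAC_MAX_SIZE + 1000, 500);
    printf("short reads: overflow=%zu hardened=%ld\n", a.overflow, a.hardened);
    /* Same body in full 512-byte reads: recvd lands exactly on the limit and
     * the bug is masked, which is why a test against a fast local server
     * can pass while the same code fails on a real network. */
    struct result b = run_case(PAC_MAX_SIZE + 1000, 512);
    printf("full blocks: overflow=%zu hardened=%ld\n", b.overflow, b.hardened);
    /* A normal-sized PAC is read completely by both. */
    struct result c = run_case(5000, 512);
    printf("small body:  overflow=%zu hardened=%ld\n", c.overflow, c.hardened);
    return 0;
}
```

The second case is the one worth remembering when reviewing a fix or writing a regression test for this class of bug: whether the flawed loop overruns depends on how the bytes arrive, not only on how many there are, so the test has to deliver short reads (or a body whose length is not a multiple of the block size) to exercise the overflow at all.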
Changed Bug title to 'libproxy: CVE-2020-26154: buffer overflow when PAC is enabled' from 'libproxy#126: buffer overflow when PAC is enabled'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 30 Sep 2020 04:09:02 GMT)
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Thu, 12 Nov 2020 17:21:03 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#968366; Package src:libproxy.
(Sat, 14 Nov 2020 16:24:03 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 14 Nov 2020 16:24:03 GMT)
To: Simon McVittie <smcv@debian.org>, 968366@bugs.debian.org
Subject: Re: Bug#968366: libproxy#126: buffer overflow when PAC is enabled
Date: Sat, 14 Nov 2020 17:21:37 +0100
Control: tags -1 + fixed-upstream
Hi,
On Thu, Aug 13, 2020 at 04:36:59PM +0100, Simon McVittie wrote:
> Source: libproxy
> Version: 0.4.14-2
> Severity: grave
> Justification: user security hole
> Tags: security upstream
> Forwarded: https://github.com/libproxy/libproxy/pull/126
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
>
> Li Fei (@lifeibiren on Github) reported that if the server serving a PAC
> file sends more than 102400 bytes without a Content-Length present,
> libproxy can overflow its buffer by PAC_HTTP_BLOCK_SIZE (512) bytes.
>
> This PR is said to fix it, although I have not reviewed it in detail, and
> it would be better if someone who knows C++ better than me did the review:
>
> https://github.com/libproxy/libproxy/pull/126
FWIW, the fix has been merged upstream.
Regards,
Salvatore
Message sent on
to Simon McVittie <smcv@debian.org>:
Bug#968366.
(Sun, 15 Nov 2020 12:42:07 GMT)
Control: tag -1 pending
Hello,
Bug #968366 in libproxy reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/libproxy/-/commit/46563a1096dd388c08fb33e93979b98bf9bfd0aa
------------------------------------------------------------------------
Fix buffer overflow when PAC is enabled (CVE-2020-26154)
Closes: #968366
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/968366
Added tag(s) pending.
Request was from Simon McVittie <noreply@salsa.debian.org>
to 968366-submitter@bugs.debian.org.
(Sun, 15 Nov 2020 12:42:07 GMT)
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Mon, 16 Nov 2020 19:09:11 GMT)
Notification sent
to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer.
(Mon, 16 Nov 2020 19:09:11 GMT)
Source: libproxy
Source-Version: 0.4.15-15
Done: Simon McVittie <smcv@debian.org>
We believe that the bug you reported is fixed in the latest version of
libproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 968366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated libproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Nov 2020 16:37:55 +0000
Source: libproxy
Architecture: source
Version: 0.4.15-15
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 959030 968363 968366 971394
Changes:
libproxy (0.4.15-15) unstable; urgency=medium
.
* Team upload
.
[ Salvatore Bonaccorso ]
* Add patch from upstream to fix buffer overflow when PAC is enabled
(CVE-2020-26154) (Closes: #968366)
* Add patch from upstream rewriting url::recvline to be nonrecursive
(CVE-2020-25219) (Closes: #971394)
.
[ Simon McVittie ]
* Add additional bug-fix patches from upstream git
- Fix memory leaks in the WebKit backend
- Make sure mtime is initialized in the KDE backend
- Correctly encode/decode Python Unicode strings (Closes: #959030)
- Cope with settings larger than will fit in a single read() in the
GSettings (GNOME 3) backend
- Remove crash-prone proxy factory caching (Closes: #968363)
- Make sure new/delete and new[]/delete[] are correctly paired
- Disable mozjs backend by default
- Never use a system copy of libmodman, even if one exists
- Small performance optimizations (without which later patches
won't apply)
- Avoid deprecated C++ dynamic exception specifications
* d/tests/mozjs: Remove obsolete test.
We no longer compile the backend that this is responsible for testing.
* d/tests: Remove flaky annotations.
With the fixes I've imported from upstream git, these should hopefully
all be reliable.
* d/tests: Test default python3 version and all python3 versions
separately.
Add a missing dependency on python3-all for the python3-all test:
during a transition between supported Python versions, we need both
the old and the new version installed.
Checksums-Sha1:
9297a7ee032285afc8ddd2d8940be8feda119732 3072 libproxy_0.4.15-15.dsc
0b9920f07a6424adb5785588d89b4d94d83e7cf2 25016 libproxy_0.4.15-15.debian.tar.xz
058a4ba45b2c9e3516be88e1c4220e5d346802f6 15420 libproxy_0.4.15-15_source.buildinfo
Checksums-Sha256:
ebcc69af1d0aa79374ebab2f26063a9c9c12e898bbcc2125a47a10a7c87f553e 3072 libproxy_0.4.15-15.dsc
4f8722f30ef01f0eea5697910fe5dc1b7f2ef88ba315a5c64b1118d27a4f85a4 25016 libproxy_0.4.15-15.debian.tar.xz
5c01fe72adfd25889e8cd30e1e49ef7fc2721650f4d23b4665c720c6ad0189ef 15420 libproxy_0.4.15-15_source.buildinfo
Files:
efaaa351e69ef84dc26095b393194401 3072 libs optional libproxy_0.4.15-15.dsc
d7b64190e57f81ff9d3989701e4adf64 25016 libs optional libproxy_0.4.15-15.debian.tar.xz
4064b40e5ceee8f848f75861fe70f6b7 15420 libs optional libproxy_0.4.15-15_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=0bsl
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 28 Nov 2020 22:06:03 GMT)
Notification sent
to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer.
(Sat, 28 Nov 2020 22:06:03 GMT)
Subject: Bug#968366: fixed in libproxy 0.4.15-5+deb10u1
Date: Sat, 28 Nov 2020 22:02:08 +0000
Source: libproxy
Source-Version: 0.4.15-5+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
libproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 968366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libproxy package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Nov 2020 19:12:59 +0100
Source: libproxy
Architecture: source
Version: 0.4.15-5+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 968366 971394
Changes:
libproxy (0.4.15-5+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix buffer overflow when PAC is enabled (CVE-2020-26154) (Closes: #968366)
* Rewrite url::recvline to be nonrecursive (CVE-2020-25219)
(Closes: #971394)
Checksums-Sha1:
0df4f99c6fc0dfe7164368f4e2b6e9b6711e1fb9 3780 libproxy_0.4.15-5+deb10u1.dsc
2dc0fc31cad78ce3d7a5ceb8fa8df07010f5c13e 93084 libproxy_0.4.15.orig.tar.gz
e8b79ee2fc6586a1c64e700c75f35a0bebf3db75 13420 libproxy_0.4.15-5+deb10u1.debian.tar.xz
178f1c9990127ef52bd1580ebac6fef8e86c59e1 6825 libproxy_0.4.15-5+deb10u1_source.buildinfo
Checksums-Sha256:
37f6507bbdb7048836668d4a568403bd01a4d9d76332c0914a278e7bb4a9a3ec 3780 libproxy_0.4.15-5+deb10u1.dsc
18f58b0a0043b6881774187427ead158d310127fc46a1c668ad6d207fb28b4e0 93084 libproxy_0.4.15.orig.tar.gz
fb030935e8761becfb715d8b60c6c4de82158b1382dafa90d87e6bbb43d4d466 13420 libproxy_0.4.15-5+deb10u1.debian.tar.xz
e5bf01ff41e3385773cfcf73f5f4a77333e85d9d115f86572e4e2544e87a92de 6825 libproxy_0.4.15-5+deb10u1_source.buildinfo
Files:
3d3a0b00e6a078785a292b14d6dbc9c4 3780 libs optional libproxy_0.4.15-5+deb10u1.dsc
21ebe5b4ea2a04f5f468bf5d08c40d2c 93084 libs optional libproxy_0.4.15.orig.tar.gz
deb09eb1610f04f52d07d6ca5c1c0bf3 13420 libs optional libproxy_0.4.15-5+deb10u1.debian.tar.xz
a49355e4ea65e65bbdaa258a0289aae9 6825 libs optional libproxy_0.4.15-5+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl+wHrJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ERMwP/1Gbu0N/ZlC7mTESNeJrghbxht+Oiq4T
Sjg+xcFYHPdWJkdXrSi+0uzQE7m1TFm8ETSXnaRyNB7s2XAEcwJ93Uz5HClGDexJ
E2Y7dU7XzYnrI9RImjtnorq5qyHfYqnUYAnQUs11XG7ApTsYqvlA44N7uJgKN5iA
cjq5BnWN1k4b4VWYUt37w3bPZYwYLXFHLC7EH7Y8uSuSL2ISlByUiMGj1m0R5bUd
4mi+SaYTCuwPPOIPrJVzjzGQoNDjkLbAFVzncgmsD2Y3KH2hVppfGREJhYv20Voc
4IIyiuCQDujsWrFXyw+Ve3cdMDKtos5AHi8DaGNYVR6eNPWpQvUn0/JgBH3y/adY
j2p0pVkia4aEG3k5Mb3OeVCdYGw4dR1O2UYw+pnKn1xzHCnNND1uiNwNSpLW2/mU
NWUUgY/awyUiGuTPcuclGPGEpekuIjcQfWbGl33oOijZCRI3cuQOIRpGYrPAZkSy
9B0tmDl/7X494Z4qkVoj77+XeVLm47RJIUPZnOrxg5damL5QpQuTpQ/s4MIgCis2
ef/WC6jcRtAs+gQM3SVO25GKpuqSqAC+aZDpIXL+EVDVvWPJOJYZ8ixl1gm7xmyF
lwGv553CoYZCFqJl30rvwPc2/ztWqhK+k/nYvuiXhWBRWz6WVO2hK+lqaEj7m9xr
fdbJsb8Ijbxg
=WIfj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 03 Jan 2021 07:31:17 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.