Bugzilla – Bug 1160668
VUL-1: CVE-2020-6750: glib2: GSocketClient may occasionally connect directly to a target address instead of connecting via a proxy server
Last modified: 2022-10-20 02:20:19 UTC
CVE-2020-6750 GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-6750 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6750 https://gitlab.gnome.org/GNOME/glib/issues/1989
This issue seems related to the Happy Eyeball (RFC 8305) implementation which introduced to glib in version 2.59.1 [1]. Upstream mentions that versions before 2.60.0 are not affected [2]. The newest version that we ship is in SLE15 (version 2.54.3). Only TW is affected. Please upgrade when a newer version is released. Since Happy Eyeball implementation introduces regressions, there is also a tracker issue upstream [3] that tracks all the bugs regarding it. Normally, the changes log mentions Fixed Happy Eyeball implementation and the issue number in parenthesis. [1] https://gitlab.gnome.org/GNOME/glib/blob/2.59.1/gio/gsocketclient.c [2] https://gitlab.gnome.org/GNOME/glib/issues/1989#note_679825 [3] https://gitlab.gnome.org/GNOME/glib/issues/1995
Cleaning up GNOME CVE backlog. A newer version is in Factory. Assign back to security team.