Bug 791086 - VUL-0: CVE-2012-5580: libproxy: format string vulnerability
VUL-0: CVE-2012-5580: libproxy: format string vulnerability
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2012-11-24 10:36 UTC by Matthias Weckbecker
Modified: 2015-03-06 10:11 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-11-24 10:36:31 UTC
While looking in libproxy, I have noticed that there is a format string issue:

 87 void
 88 print_proxies(char **proxies)
 89 {
 90         for (int j = 0; proxies[j] ; j++)
 91         {
 92                 printf(proxies[j]); // !
 93                 if (proxies[j+1])
 94                         printf(" ");
 95                 else
 96                         printf("\n");
 97                 free(proxies[j]);
 98         }
 99         free(proxies);
100 }

If an attacker can control the content of the PAC file this could easily turn
into a remote vulnerability, I guess.

Comment 1 Leonardo Chiquitto 2012-11-26 12:34:16 UTC
As far as I can see, this function is used only in the 'proxy' binary of the libproxy-tools package, which is not shipped on any SLE release.
Comment 2 Matthias Weckbecker 2012-11-26 12:36:22 UTC
Yes, I should have mentioned this. It's only being used in the (demo) tools,
but I don't know where we ship this.
Comment 3 Leonardo Chiquitto 2012-11-26 12:43:08 UTC
It's shipped only in some versions of openSUSE and Moblin, according to /mounts/schnell/INDEX.gz and /mounts/mirror/SuSE/Find-ls.gz. So I guess we can ignore this at least for the SLE update that's currently running.
Comment 4 Marcus Meissner 2012-11-26 14:03:54 UTC
is_maintained libproxy-tools   ... empty, so not on SLE ...

Also FORTIFY_SOURCE triggers:

leo:~ # http_proxy=http://foo%n.suse.de/ proxy http://foo.bar.de
*** %n in writable segment detected ***

I think the openSUSE variants might already be fixed.
Comment 5 Shawn Chang 2012-11-27 01:42:44 UTC
I took a glance at the latest version( 0.4.10) of libproxy. It seem doesn't have this issue now. There's the FORTIFY_SOURCE mem protection. It's hard to exp though.
Comment 6 Matthias Weckbecker 2012-11-27 08:17:15 UTC
It's certainly harder to exploit, yes. Nevertheless this does not necessarily
mean it's not a bug then. It should be fixed with the next round of libproxy.
Comment 7 Matthias Weckbecker 2012-11-27 10:20:28 UTC
The affected version is 0.3.1, just to note.
Comment 8 Sebastian Krahmer 2012-11-28 08:01:06 UTC
Comment 9 Johannes Segitz 2014-06-12 13:12:29 UTC
not maintained in SLES, fixed in current openSUSE versions