Bugzilla – Bug 791086
VUL-0: CVE-2012-5580: libproxy: format string vulnerability
Last modified: 2015-03-06 10:11:36 UTC
While looking in libproxy, I have noticed that there is a format string issue:
static void
print_proxies(char **proxies)
{
	for (int j = 0; proxies[j]; j++)
	{
		printf(proxies[j]); // ! proxy string from the PAC/environment used as the format string
		if (proxies[j+1])
			printf(" ");
	}
}
If an attacker can control the content of the PAC file this could easily turn
into a remote vulnerability, I guess.
As far as I can see, this function is used only in the 'proxy' binary of the libproxy-tools package, which is not shipped on any SLE release.
Yes, I should have mentioned this. It's only being used in the (demo) tools,
but I don't know where we ship this.
It's shipped only in some versions of openSUSE and Moblin, according to /mounts/schnell/INDEX.gz and /mounts/mirror/SuSE/Find-ls.gz. So I guess we can ignore this at least for the SLE update that's currently running.
is_maintained libproxy-tools ... empty, so not on SLE ...
Also FORTIFY_SOURCE triggers:
leo:~ # http_proxy=http://foo%n.suse.de/ proxy http://foo.bar.de
*** %n in writable segment detected ***
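As an added illustration of the bug pattern and its fix (this is not libproxy's code and not part of the original report): the two renderers below mirror the print_proxies() loop, the vulnerable one passing each proxy string as the format argument exactly as printf(proxies[j]) does, the fixed one printing it through "%s". They write into a caller buffer instead of stdout so the two results can be compared. The function names, the proxy lists and the buffer sizes are my own constructed sample input; the "foo%n.suse.de" string is the http_proxy value from the FORTIFY_SOURCE run above. The benign sample uses "%%" on purpose: printf consumes it without reading any argument, so the vulnerable path can be executed safely here, whereas running it on a "%n" string would be undefined behaviour (which is what FORTIFY_SOURCE aborts on).

```c
/*
 * Added illustration for CVE-2012-5580, not libproxy's code. The two renderers
 * mirror the print_proxies() loop from bin/proxy.c but write into a caller
 * buffer instead of stdout so the results can be compared.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the proxy string itself is passed as the format argument,
 * exactly as printf(proxies[j]) does. gcc and clang normally warn about a
 * non-literal format with -Wformat-security; that warning is silenced here
 * on purpose so the bug pattern compiles as it did in libproxy 0.3.1. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void render_proxies_vulnerable(char **proxies, char *out, size_t outlen)
{
    size_t used = 0;
    out[0] = '\0';
    for (int j = 0; proxies[j] && used < outlen; j++) {
        /* BUG: '%' sequences inside proxies[j] are interpreted by snprintf. */
        int n = snprintf(out + used, outlen - used, proxies[j]);
        if (n < 0)
            return;
        used += (size_t)n;
        if (proxies[j + 1] && used < outlen)
            used += (size_t)snprintf(out + used, outlen - used, " ");
    }
}
#pragma GCC diagnostic pop

/* Fixed shape: the proxy string is data, never the format. In print_proxies()
 * itself the equivalent is printf("%s", proxies[j]) or fputs(proxies[j], stdout). */
void render_proxies_fixed(char **proxies, char *out, size_t outlen)
{
    size_t used = 0;
    out[0] = '\0';
    for (int j = 0; proxies[j] && used < outlen; j++) {
        int n = snprintf(out + used, outlen - used, "%s%s",
                         proxies[j], proxies[j + 1] ? " " : "");
        if (n < 0)
            return;
        used += (size_t)n;
    }
}

/* True if s contains a conversion specification, i.e. anything printf would
 * act on beyond the literal "%%" escape. Such a string must never reach a
 * format argument; "%n" is the case FORTIFY_SOURCE catches at run time. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* "%%" is a literal percent sign */
            continue;
        }
        return true;        /* "%n", "%x", "%s", ... or a dangling '%' */
    }
    return false;
}

int main(void)
{
    /* Constructed sample lists. "%%" is used in the first because printf
     * consumes it without reading any argument, so the vulnerable renderer
     * can be run on it safely; the "%n" list is only fed to the fixed path. */
    char *benign[]  = { "http://50%%.example.org/", "http://direct.example/", NULL };
    char *hostile[] = { "http://foo%n.suse.de/", NULL };
    char vuln[128], fixed[128];

    render_proxies_vulnerable(benign, vuln, sizeof vuln);
    render_proxies_fixed(benign, fixed, sizeof fixed);
    printf("vulnerable: %s\n", vuln);  /* "%%" collapsed to "%" */
    printf("fixed:      %s\n", fixed); /* "%%" preserved verbatim */

    render_proxies_fixed(hostile, fixed, sizeof fixed);
    printf("fixed:      %s (directive present: %s)\n", fixed,
           has_format_directive(hostile[0]) ? "yes" : "no");
    return 0;
}
```

The one-character difference in the benign output is the whole bug: anything after the '%' is obeyed rather than printed, and with "%n" that becomes a write through whatever happens to sit in the argument slot. The check in has_format_directive() is only a diagnostic aid; the real fix is never to let untrusted data be the format string, which the "%s" form does regardless of the proxy content.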
I think the openSUSE variants might already be fixed.
I took a glance at the latest version (0.4.10) of libproxy. It doesn't seem to have this issue now. There's the FORTIFY_SOURCE memory protection. It's hard to exploit, though.
It's certainly harder to exploit, yes. Nevertheless this does not necessarily
mean it's not a bug then. It should be fixed with the next round of libproxy.
The affected version is 0.3.1, just to note.
not maintained in SLES, fixed in current openSUSE versions