First published: Tue Oct 09 2012
An insufficient input validation flaw, leading to a heap-based buffer overflow, was found in the px_pac_reload() function of libproxy 0.3.x. libproxy allocates memory to store the content of the downloaded proxy.pac proxy auto-configuration file using the Content-Length size from the remote server's HTTP response header. The allocation size is content length + 1. A malicious host hosting proxy.pac, or a man-in-the-middle attacker, could use this flaw to make libproxy allocate an insufficient amount of memory and subsequently overflow a heap-based buffer.

Affected code (pac.c, lines 165-167): http://code.google.com/p/libproxy/source/browse/tags/libproxy-0.3.1/src/lib/pac.c#165

```c
/* buffer size is taken from the server's Content-Length header */
self->cache = px_malloc0(content_length+1);
/* the recv() return value is added to recvd without being checked */
for (int recvd=0 ; recvd != content_length ; )
    recvd += recv(sock, self->cache + recvd, content_length - recvd, 0);
```

This issue was confirmed with libproxy 0.3.x. Earlier 0.2.x versions seem to be affected too. It does not affect 0.4.x versions, where a fixed-size buffer is used.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/libproxy | <0.4 | 0.4 |
Libproxy Project Libproxy | =0.2.3 | |
Libproxy Project Libproxy | =0.3.0 | |
Libproxy Project Libproxy | =0.3.1 | |