
Security vulnerability in the libproxy library

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201404-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libproxy: User-assisted execution of arbitrary code
Date: April 07, 2014
Bugs: #438146
ID: 201404-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in libproxy might allow remote attackers to execute
arbitrary code.

Background
==========

libproxy is a library for automatic proxy configuration management.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/libproxy          < 0.4.10                    >= 0.4.10
    -------------------------------------------------------------------

Description
===========

A boundary error when processing the proxy.pac file could cause a
stack-based buffer overflow.

Impact
======

A man-in-the-middle attacker could provide a specially crafted
proxy.pac file on a remote server, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition.
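The advisory does not spell out the boundary error itself. The C example below is added here and is not libproxy's code or part of the GLSA; it shows the general shape of the bug class named above, a Content-Length supplied by the remote PAC server (or by a man-in-the-middle rewriting the response) used to size a copy into a fixed stack buffer, next to a bounded reader that refuses oversized and truncated bodies. PAC_BUF_SIZE, every function name and the responses produced by build_response() are assumptions made for the demonstration.

```c
/* Added illustration of the bug class the advisory names: a length taken from an
 * HTTP response sizes a copy into a fixed stack buffer. This is NOT libproxy's
 * code; PAC_BUF_SIZE, all function names and the constructed responses are demo
 * assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAC_BUF_SIZE 64   /* deliberately small so demo inputs stay short */

/* Content-Length value, or -1 if the header is missing or malformed. */
static long parse_content_length(const char *headers)
{
    const char *p = strstr(headers, "Content-Length:");
    if (!p) return -1;
    p += strlen("Content-Length:");
    errno = 0;
    char *end;
    long n = strtol(p, &end, 10);
    return (errno != 0 || end == p || n < 0) ? -1 : n;
}

/* Start of the body (after the blank line), or NULL. */
static const char *find_body(const char *resp)
{
    const char *b = strstr(resp, "\r\n\r\n");
    return b ? b + 4 : NULL;
}

/* Vulnerable shape: len is clamped to the bytes received, so the read never runs
 * off the response, but nothing compares it with sizeof(pac). A 100-byte body
 * declaring "Content-Length: 100" overruns the 64-byte stack buffer. */
static long pac_body_unsafe(const char *resp, size_t resp_len, char *out)
{
    char pac[PAC_BUF_SIZE];
    const char *body = find_body(resp);
    long len = parse_content_length(resp);
    if (!body || len < 0) return -1;
    size_t avail = resp_len - (size_t)(body - resp);
    if ((size_t)len > avail) len = (long)avail;
    memcpy(pac, body, (size_t)len);   /* stack overflow when len >= PAC_BUF_SIZE */
    pac[len] = '\0';
    strcpy(out, pac);
    return len;
}

/* Hardened shape: the destination capacity is the hard limit, checked before any
 * memory is touched, and a body shorter than declared is rejected rather than
 * silently accepted. Returns bytes copied or -1. */
static long pac_body_safe(const char *resp, size_t resp_len, char *out, size_t out_size)
{
    const char *body = find_body(resp);
    long len = parse_content_length(resp);
    if (!body || len < 0 || out_size == 0) return -1;
    if ((size_t)len >= out_size) return -1;   /* must leave room for the terminator */
    size_t avail = resp_len - (size_t)(body - resp);
    if ((size_t)len > avail) return -1;       /* truncated or lying transfer */
    memcpy(out, body, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Constructed response: minimal headers claiming Content-Length: declared, then a
 * body of body_len 'A' bytes. Returns the total length, 0 if it does not fit. */
static size_t build_response(char *buf, size_t buf_size, long declared, size_t body_len)
{
    int n = snprintf(buf, buf_size, "HTTP/1.0 200 OK\r\nContent-Length: %ld\r\n\r\n", declared);
    if (n < 0 || (size_t)n + body_len >= buf_size) return 0;
    memset(buf + n, 'A', body_len);
    buf[n + body_len] = '\0';
    return (size_t)n + body_len;
}

/* Hardened reader's verdict for a declared/actual body size pair. */
static long safe_result(long declared, size_t body_len)
{
    char resp[512], out[PAC_BUF_SIZE];
    size_t n = build_response(resp, sizeof resp, declared, body_len);
    return n ? pac_body_safe(resp, n, out, sizeof out) : -1;
}

/* Vulnerable reader on an honest, in-bounds response (the only safe way to run it). */
static long unsafe_result_honest(void)
{
    char resp[512], out[PAC_BUF_SIZE];
    size_t n = build_response(resp, sizeof resp, 40, 40);
    return n ? pac_body_unsafe(resp, n, out) : -1;
}

int main(void)
{
    printf("honest 40/40: safe=%ld unsafe=%ld\n", safe_result(40, 40), unsafe_result_honest());
    printf("oversized 100/100: safe=%ld (unsafe variant would smash the stack)\n", safe_result(100, 100));
    printf("short body 60/30: safe=%ld\n", safe_result(60, 30));
    return 0;
}
```

Only the hardened reader is fed hostile sizes; pac_body_unsafe() is run on an in-bounds response alone, because giving it a 100-byte body is the crash. Two details carry over to real fetchers: the capacity check happens before any byte is copied, and a body shorter than its declared length is treated as a failed transfer rather than clamped, since an attacker who controls the header also controls the body.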

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libproxy users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libproxy-0.4.10"

libproxy is a shared library, so applications that already have it loaded keep running the old code until they are restarted.

References
==========

[ 1 ] CVE-2012-4504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4504

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201404-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


Mikle Kolyada
Gentoo Linux Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iJwEAQECAAYFAlNC+UIACgkQG9wOWsQutdbu0wP/Xtl4KMQhZg72jZAnFaXbvzCT
7JS1Hl7yU4WCXy7uM7r2z96kT1fpXDzEXi6xqmIFYks2kAGD5MHioY7qtjTNAd7P
TeNPCWQqmohS3jtWW05/yYiB6YolkkJgqKOxRBaSc46tYFrqe1Qs0B840YAEQH8D
qeBu9BblUdr79DZf4O4=
=JXEw
-----END PGP SIGNATURE-----
