FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

libproxy -- stack-based buffer overflow

Affected packages
0.4.0 <= libproxy < 0.4.6_1
0.4.0 <= libproxy-gnome < 0.4.6_2
0.4.0 <= libproxy-kde < 0.4.6_6
0.4.0 <= libproxy-perl < 0.4.6_3
0.4.0 <= libproxy-webkit < 0.4.6_4

Details

VuXML ID 3b5c2362-bd07-11e5-b7ef-5453ed2e2b49
Discovery 2012-10-10
Entry 2016-01-17
Modified 2016-01-18

Tomas Hoger reports:

A buffer overflow flaw was discovered in libproxy's url::get_pac(), used to download the proxy.pac proxy auto-configuration file. A malicious host hosting proxy.pac, or a man-in-the-middle attacker, could use this flaw to trigger a stack-based buffer overflow in an application using libproxy, if the proxy configuration instructed it to download the proxy.pac file from a remote HTTP server.
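To illustrate the defensive pattern behind this class of bug (an HTTP response body copied into a fixed-size buffer while the server-supplied length is trusted), the following C example is added here; it is not libproxy's code and does not reproduce the specific defect in url::get_pac() or the fix in the referenced commit. The function name read_pac_body, its header handling and the two sample responses are constructed for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical bounded PAC-body reader; NOT libproxy's url::get_pac().
 * Copies the response body into the caller's fixed-size buffer only after
 * checking that the server-supplied Content-Length fits it, so a malicious
 * or tampered proxy.pac response cannot drive a write past the buffer.
 * Returns the number of body bytes copied, or -1 on malformed/oversized input. */
long read_pac_body(const char *resp, size_t resp_len, char *out, size_t out_cap)
{
    const char *body = NULL;
    for (size_t i = 0; i + 4 <= resp_len; i++)
        if (memcmp(resp + i, "\r\n\r\n", 4) == 0) { body = resp + i + 4; break; }
    if (body == NULL) return -1;                 /* header block incomplete */

    size_t hdr_len = (size_t)(body - resp);
    long content_length = -1;
    for (size_t i = 0; i + 15 <= hdr_len; i++)   /* search headers only */
        if (strncasecmp(resp + i, "Content-Length:", 15) == 0) {
            content_length = strtol(resp + i + 15, NULL, 10);
            break;
        }
    if (content_length < 0) return -1;           /* absent or negative */

    /* The check this bug class lacks: validate the length before any copy.
     * It must leave room for a NUL and must not exceed what was received. */
    size_t body_avail = resp_len - hdr_len;
    if ((size_t)content_length >= out_cap || (size_t)content_length > body_avail)
        return -1;

    memcpy(out, body, (size_t)content_length);
    out[content_length] = '\0';
    return content_length;
}

/* Constructed sample responses (no real server involved). */
static const char PAC_OK[] =
    "HTTP/1.1 200 OK\r\nContent-Type: application/x-ns-proxy-autoconfig\r\n"
    "Content-Length: 47\r\n\r\nfunction FindProxyForURL(u,h){return 'DIRECT';}";
static const char PAC_OVERSIZED[] =
    "HTTP/1.1 200 OK\r\nContent-Length: 4096\r\n\r\nfunction FindProxyForURL(u,h){return 'DIRECT';}";

int main(void)
{
    char pac[128];                               /* fixed stack buffer */
    long ok  = read_pac_body(PAC_OK, sizeof PAC_OK - 1, pac, sizeof pac);
    long bad = read_pac_body(PAC_OVERSIZED, sizeof PAC_OVERSIZED - 1, pac, sizeof pac);
    return (ok == 47 && bad == -1) ? 0 : 1;     /* exit 0 when both behave */
}
```

The oversized response is rejected before a single byte is copied; the same check also refuses a body that would not fit a smaller caller buffer.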

References

CVE Name CVE-2012-4504
Message http://www.openwall.com/lists/oss-security/2012/10/12/1
Message https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E
URL https://bugzilla.redhat.com/show_bug.cgi?id=864417
URL https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c
URL https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504