svn commit: r406302 - head/security/vuxml
Raphael Kubo da Costa
rakuco at FreeBSD.org
Sun Jan 17 11:33:12 UTC 2016
Author: rakuco
Date: Sun Jan 17 11:33:10 2016
New Revision: 406302
URL: https://svnweb.freebsd.org/changeset/ports/406302
Log:
Document CVE-2012-4504 in net/libproxy and its slave ports.
Security: CVE-2012-4504
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Jan 17 11:18:31 2016 (r406301)
+++ head/security/vuxml/vuln.xml Sun Jan 17 11:33:10 2016 (r406302)
@@ -58,6 +58,65 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3b5c2362-bd07-11e5-b7ef-5453ed2e2b49">
+ <topic>libproxy -- stack-based buffer overflow</topic>
+ <affects>
+ <!-- libproxy-python is not affected. It only installs a .py file that
+ dlopen()s libproxy.so. -->
+ <package>
+ <name>libproxy</name>
+ <range><ge>0.4.0</ge></range>
+ <range><lt>0.4.6_1</lt></range>
+ </package>
+ <package>
+ <name>libproxy-gnome</name>
+ <range><ge>0.4.0</ge></range>
+ <range><lt>0.4.6_2</lt></range>
+ </package>
+ <package>
+ <name>libproxy-kde</name>
+ <range><ge>0.4.0</ge></range>
+ <range><lt>0.4.6_6</lt></range>
+ </package>
+ <package>
+ <name>libproxy-perl</name>
+ <range><ge>0.4.0</ge></range>
+ <range><lt>0.4.6_3</lt></range>
+ </package>
+ <package>
+ <name>libproxy-webkit</name>
+ <range><ge>0.4.0</ge></range>
+ <range><lt>0.4.6_4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Tomas Hoger reports:</p>
+ <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=864417#c0">
+ <p>A buffer overflow flaw was discovered in the libproxy's
+ url::get_pac() used to download proxy.pac proxy auto-configuration
+ file. A malicious host hosting proxy.pac, or a man in the middle
+ attacker, could use this flaw to trigger a stack-based buffer
+ overflow in an application using libproxy, if proxy configuration
+ instructed it to download proxy.pac file from a remote HTTP
+ server.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-4504</cvename>
+ <url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4504</url>
+ <mlist>http://www.openwall.com/lists/oss-security/2012/10/12/1</mlist>
+ <url>https://github.com/libproxy/libproxy/commit/c440553c12836664afd24a24fb3a4d10a2facd2c</url>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=864417</url>
+ <mlist>https://groups.google.com/forum/?fromgroups=#!topic/libproxy/VxZ8No7mT0E</mlist>
+ </references>
+ <dates>
+ <discovery>2012-10-10</discovery>
+ <entry>2016-01-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="046fedd1-bd01-11e5-bbf4-5404a68ad561">
<topic>ffmpeg -- remote attacker can access local files</topic>
<affects>
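Review bot: in each of the five <package> blocks the lower and upper bounds are written as two separate <range> elements, e.g. <range><ge>0.4.0</ge></range> followed by <range><lt>0.4.6_1</lt></range> for libproxy. VuXML treats sibling <range> elements inside a <package> as alternatives, so each entry matches any version that is either >= 0.4.0 or < the fixed version, which is every version, including the fixed ones. Put both bounds inside a single element, e.g. <range><ge>0.4.0</ge><lt>0.4.6_1</lt></range>, and do the same for libproxy-gnome, libproxy-kde, libproxy-perl and libproxy-webkit.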