Arbitrary Code Injection Affecting libproxy package, versions <0.3.1-4
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-LIBPROXY-277830
- published 27 Oct 2014
- disclosed 27 Oct 2014
Introduced: 27 Oct 2014
CVE-2012-5580 Open this link in a new tabHow to fix?
Upgrade Debian:9
libproxy
to version 0.3.1-4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libproxy
package and not the libproxy
package as distributed by Debian
.
See How to fix?
for Debian:9
relevant fixed versions and status.
Format string vulnerability in the print_proxies function in bin/proxy.c in libproxy 0.3.1 might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in a proxy name, as demonstrated using the http_proxy environment variable or a PAC file.
References
- https://security-tracker.debian.org/tracker/CVE-2012-5580
- https://bugzilla.novell.com/show_bug.cgi?id=791086
- https://code.google.com/p/libproxy/source/detail?r=475
- https://bugzilla.redhat.com/show_bug.cgi?id=883100
- http://www.securityfocus.com/bid/56712
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80340