Candidate: CVE-2012-5580
PublicDate: 2014-10-27 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5580
Description:
 Format string vulnerability in the print_proxies function in bin/proxy.c in
 libproxy 0.3.1 might allow context-dependent attackers to cause a denial of
 service (crash) and possibly execute arbitrary code via format string
 specifiers in a proxy name, as demonstrated using the http_proxy
 environment variable or a PAC file.
Ubuntu-Description:
Notes:
 mdeslaur> only used in "proxy" tool in libproxy-tools package, and
 mdeslaur> caught by FORTIFY_SOURCE. Reproducer from SUSE bug:
 mdeslaur> http_proxy=http://foo%n.suse.de/ proxy http://foo.bar.de
Bugs:
 https://bugzilla.novell.com/show_bug.cgi?id=791086
Priority: low
Discovered-by:
Assigned-to:
CVSS: 

Patches_libproxy:
 upstream: https://code.google.com/p/libproxy/source/detail?r=475
Tags_libproxy: fortify-source
upstream_libproxy: released (0.3.1-5.1)
hardy_libproxy: DNE
lucid_libproxy: ignored (reached end-of-life)
oneiric_libproxy: ignored (reached end-of-life)
precise_libproxy: not-affected (0.4.7-0ubuntu4.1)
quantal_libproxy: not-affected (0.4.7-0ubuntu6)
raring_libproxy: not-affected (0.4.10-0ubuntu1)
devel_libproxy: not-affected (0.4.10-0ubuntu1)