Candidate: CVE-2020-6750
PublicDate: 2020-01-09 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6750
Description:
 GSocketClient in GNOME GLib through 2.62.4 may occasionally connect
 directly to a target address instead of connecting via a proxy server when
 configured to do so, because the proxy_addr field is mishandled. This bug
 is timing-dependent and may occur only sporadically depending on network
 delays. The greatest security relevance is in use cases where a proxy is
 used to help with privacy/anonymity, even though there is no technical
 barrier to a direct connection. NOTE: versions before 2.60 are unaffected.
Ubuntu-Description:
Notes:
 mdeslaur> issue introduced in 2.60
Mitigation:
Bugs:
 https://gitlab.gnome.org/GNOME/glib/issues/1989
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948554
 https://bugzilla.suse.com/show_bug.cgi?id=1160668
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_glib2.0:
 upstream: https://gitlab.gnome.org/GNOME/glib/commit/2722620e3291b930a3a228100d7c0e07b69534e3 (master)
 upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/08677ed5244162024851d27a5bebaf6fe64b0763 (2.62)
 upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/2722620e3291b930a3a228100d7c0e07b69534e3 (2.63)
upstream_glib2.0: released (2.62.5,2.63.6)
precise/esm_glib2.0: not-affected
trusty_glib2.0: ignored (out of standard support)
trusty/esm_glib2.0: not-affected
xenial_glib2.0: not-affected (2.48.2-0ubuntu4.4)
esm-infra/xenial_glib2.0: not-affected (2.48.2-0ubuntu4.4)
bionic_glib2.0: not-affected (2.56.4-0ubuntu0.18.04.4)
disco_glib2.0: ignored (reached end-of-life)
eoan_glib2.0: ignored (reached end-of-life)
focal_glib2.0: not-affected (2.64.1-1)
devel_glib2.0: not-affected (2.64.1-1)