CVE-2020-6750: GSocketClient sometimes ignores proxy settings



Hi,

It was discovered that GLib's GSocketClient, since GLib 2.60, will sporadically ignore its configured proxy settings and improperly connect directly to the target server, bypassing the configured proxy server [1]. This has been assigned CVE-2020-6750. Credit to lovetox for the discovery.
This affects GLib 2.60 and 2.62. GLib versions 2.58 and earlier are unaffected. A patch fixing this and related issues is available at [2].

Because GSocketClient is widely used by Linux desktop applications, including applications that use it only indirectly via libraries like libsoup or GStreamer, the number of affected applications is likely large.

This bug may be difficult to notice because it is timing-dependent and does not occur under favorable network conditions. That is, if users test to ensure a network proxy is properly configured, it is likely to work properly during testing, but nonetheless still sporadically fail at other times, leaving users with a false sense of security.

Michael

[1] https://gitlab.gnome.org/GNOME/glib/issues/1989
[2] https://gitlab.gnome.org/GNOME/glib/merge_requests/1339.patch