CVE-2020-6750: GSocketClient sometimes ignores proxy settings


It was discovered that GLib's GSocketClient, since GLib 2.60, will sporadically ignore its configured proxy settings and improperly connect directly to the target server, bypassing the configured proxy server [1]. This has been assigned CVE-2020-6750. Credit to lovetox for the discovery.

This affects GLib 2.60 and 2.62. GLib versions 2.58 and earlier are unaffected. A patch fixing this and related issues is available at [2].

Because GSocketClient is widely used by Linux desktop applications, including applications that use it only indirectly via libraries like libsoup or GStreamer, the number of affected applications is likely large.

This bug may be difficult to notice because it is timing-dependent and does not occur under favorable network conditions. That is, if users test to ensure a network proxy is properly configured, it is likely to work properly during testing, but nonetheless still sporadically fail at other times, leaving users with a false sense of security.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]