CVE-2020-6750

Published: 09 January 2020

GSocketClient in GNOME GLib through 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions before 2.60 are unaffected.

Priority

Low

CVSS 3 base score: 5.9

Status

Package   Release                            Status
glib2.0   Upstream                           Released (2.62.5, 2.63.6)
glib2.0   Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (2.64.1-1)
glib2.0   Ubuntu 18.04 LTS (Bionic Beaver)   Not vulnerable (2.56.4-0ubuntu0.18.04.4)
glib2.0   Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (2.48.2-0ubuntu4.4)
glib2.0   Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable

Patches:
Upstream: https://gitlab.gnome.org/GNOME/glib/commit/2722620e3291b930a3a228100d7c0e07b69534e3 (master)
Upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/08677ed5244162024851d27a5bebaf6fe64b0763 (2.62)
Upstream: https://gitlab.gnome.org/GNOME/glib/-/commit/2722620e3291b930a3a228100d7c0e07b69534e3 (2.63)