3proxy: Buffer overflow — GLSA 200704-17

A vulnerability has been discovered in 3proxy allowing for the remote execution of arbitrary code.

Affected packages

net-proxy/3proxy on all architectures
Affected versions < 0.5.3h
Unaffected versions >= 0.5.3h

Background

3proxy is a multi-protocol proxy with HTTP/HTTPS/FTP and SOCKS support.

Description

The 3proxy development team reported a buffer overflow in the logurl() function when processing overly long requests.

Impact

A remote attacker could send a specially crafted transparent request to the proxy, resulting in the execution of arbitrary code with the privileges of the user running 3proxy.

Workaround

There is no known workaround at this time.

Resolution

All 3proxy users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-proxy/3proxy-0.5.3h"
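
To confirm whether a host still carries an affected build, before or after the upgrade, the following added example (not part of the GLSA or of Portage) compares installed versions against 0.5.3h. It assumes the standard Portage installed-package database under /var/db/pkg; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the GLSA): flag installed 3proxy versions
# older than the fixed release named in the advisory.
FIXED="0.5.3h"

# ver_lt A B: exit 0 if A < B, 1 if A >= B, 2 if either is not N.N...[letter][-rN].
# Simplification: _alpha/_pre/_rc style suffixes are rejected, not ordered.
ver_lt() {
    a=${1%-r[0-9]*}; b=${2%-r[0-9]*}   # -rN ignored: FIXED carries no revision
    la=; lb=
    case $a in *[a-z]) la=${a#"${a%?}"}; a=${a%?} ;; esac
    case $b in *[a-z]) lb=${b#"${b%?}"}; b=${b%?} ;; esac
    for x in "$a" "$b"; do
        case $x in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    done
    while [ -n "$a" ] && [ -n "$b" ]; do
        na=${a%%.*}; nb=${b%%.*}
        [ "$na" -lt "$nb" ] && return 0
        [ "$na" -gt "$nb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    [ -z "$a" ] && [ -n "$b" ] && return 0   # A ran out of components first
    [ -n "$a" ] && return 1
    # Numeric parts equal: no letter sorts before any letter, then a < b < ...
    LC_ALL=C expr "x$la" \< "x$lb" >/dev/null
}

# is_affected VERSION: exit 0 when VERSION is below the fixed release.
is_affected() { ver_lt "$1" "$FIXED"; }

# check_vdb [ROOT]: report every net-proxy/3proxy entry in the Portage VDB.
check_vdb() {
    root=${1:-/var/db/pkg}
    for d in "$root"/net-proxy/3proxy-[0-9]*; do
        [ -d "$d" ] || continue
        v=${d##*/3proxy-}
        rc=0; is_affected "$v" || rc=$?
        case $rc in
            0) echo "$v: AFFECTED, upgrade to >= $FIXED" ;;
            1) echo "$v: not affected" ;;
            *) echo "$v: unrecognised version format, check manually" ;;
        esac
    done
}

check_vdb
```

On a host without 3proxy installed the script prints nothing.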

References

Release date
April 22, 2007

Latest revision
April 22, 2007: 01

Severity
high

Exploitable
remote

Bugzilla entries