libproxy: pac server can trigger unbounded recursion in url.cpp recvline() (CVE-2020-25219)

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.

References:

https://github.com/libproxy/libproxy/issues/134
https://nvd.nist.gov/vuln/detail/CVE-2020-25219

Affected branches:

master
3.12-stable

Edited Sep 15, 2020 by Leo

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information