summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-10-14 17:22:09 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-10-17 12:34:29 +0100
commit458b7e9369dba71cda7623f906b4b2d3caeb9caa (patch)
tree23160717ce58c89771b17608bb64206c93042458
parentd4ecc90268438900ccbef6020cdb15c054fb4027 (diff)
downloadpoky-458b7e9369dba71cda7623f906b4b2d3caeb9caa.tar.gz
libproxy: fix CVE-2020-25219
(From OE-Core rev: 3b1701a8e6bbeb51d2415a7a361efdadaae29b0b) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch61
-rw-r--r--meta/recipes-support/libproxy/libproxy_0.4.15.bb1
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
new file mode 100644
index 0000000000..3ef7f85451
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,61 @@
1From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
2From: Michael Catanzaro <mcatanzaro@gnome.org>
3Date: Wed, 9 Sep 2020 11:12:02 -0500
4Subject: [PATCH] Rewrite url::recvline to be nonrecursive
5
6This function processes network input. It's semi-trusted, because the
7PAC ought to be trusted. But we still shouldn't allow it to control how
8far we recurse. A malicious PAC can cause us to overflow the stack by
9sending a sufficiently-long line without any '\n' character.
10
11Also, this function failed to properly handle EINTR, so let's fix that
12too, for good measure.
13
14Fixes #134
15
16Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
17CVE: CVE-2020-25219
18Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
19---
20 libproxy/url.cpp | 28 ++++++++++++++++++----------
21 1 file changed, 18 insertions(+), 10 deletions(-)
22
23diff --git a/libproxy/url.cpp b/libproxy/url.cpp
24index ee776b2..68d69cd 100644
25--- a/libproxy/url.cpp
26+++ b/libproxy/url.cpp
27@@ -388,16 +388,24 @@ string url::to_string() const {
28 return m_orig;
29 }
30
31-static inline string recvline(int fd) {
32- // Read a character.
33- // If we don't get a character, return empty string.
34- // If we are at the end of the line, return empty string.
35- char c = '\0';
36-
37- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
38- return "";
39-
40- return string(1, c) + recvline(fd);
41+static string recvline(int fd) {
42+ string line;
43+ int ret;
44+
45+ // Reserve arbitrary amount of space to avoid small memory reallocations.
46+ line.reserve(128);
47+
48+ do {
49+ char c;
50+ ret = recv(fd, &c, 1, 0);
51+ if (ret == 1) {
52+ if (c == '\n')
53+ return line;
54+ line += c;
55+ }
56+ } while (ret == 1 || (ret == -1 && errno == EINTR));
57+
58+ return line;
59 }
60
61 char* url::get_pac() {
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 19dddebd44..a14c358cc2 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
10 10
11SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \ 11SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
12 file://0001-get-pac-test-Fix-build-with-clang-libc.patch \ 12 file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
13 file://CVE-2020-25219.patch \
13 " 14 "
14SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152" 15SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
15SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f" 16SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"