diff options
author | Lee Chee Yang <chee.yang.lee@intel.com> | 2020-10-14 17:22:09 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-10-17 12:34:29 +0100 |
commit | 458b7e9369dba71cda7623f906b4b2d3caeb9caa (patch) | |
tree | 23160717ce58c89771b17608bb64206c93042458 /meta/recipes-support/libproxy | |
parent | d4ecc90268438900ccbef6020cdb15c054fb4027 (diff) | |
download | poky-458b7e9369dba71cda7623f906b4b2d3caeb9caa.tar.gz |
libproxy: fix CVE-2020-25219
(From OE-Core rev: 3b1701a8e6bbeb51d2415a7a361efdadaae29b0b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/libproxy')
-rw-r--r-- | meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch | 61 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy_0.4.15.bb | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch new file mode 100644 index 0000000000..3ef7f85451 --- /dev/null +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michael Catanzaro <mcatanzaro@gnome.org> | ||
3 | Date: Wed, 9 Sep 2020 11:12:02 -0500 | ||
4 | Subject: [PATCH] Rewrite url::recvline to be nonrecursive | ||
5 | |||
6 | This function processes network input. It's semi-trusted, because the | ||
7 | PAC ought to be trusted. But we still shouldn't allow it to control how | ||
8 | far we recurse. A malicious PAC can cause us to overflow the stack by | ||
9 | sending a sufficiently-long line without any '\n' character. | ||
10 | |||
11 | Also, this function failed to properly handle EINTR, so let's fix that | ||
12 | too, for good measure. | ||
13 | |||
14 | Fixes #134 | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa] | ||
17 | CVE: CVE-2020-25219 | ||
18 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
19 | --- | ||
20 | libproxy/url.cpp | 28 ++++++++++++++++++---------- | ||
21 | 1 file changed, 18 insertions(+), 10 deletions(-) | ||
22 | |||
23 | diff --git a/libproxy/url.cpp b/libproxy/url.cpp | ||
24 | index ee776b2..68d69cd 100644 | ||
25 | --- a/libproxy/url.cpp | ||
26 | +++ b/libproxy/url.cpp | ||
27 | @@ -388,16 +388,24 @@ string url::to_string() const { | ||
28 | return m_orig; | ||
29 | } | ||
30 | |||
31 | -static inline string recvline(int fd) { | ||
32 | - // Read a character. | ||
33 | - // If we don't get a character, return empty string. | ||
34 | - // If we are at the end of the line, return empty string. | ||
35 | - char c = '\0'; | ||
36 | - | ||
37 | - if (recv(fd, &c, 1, 0) != 1 || c == '\n') | ||
38 | - return ""; | ||
39 | - | ||
40 | - return string(1, c) + recvline(fd); | ||
41 | +static string recvline(int fd) { | ||
42 | + string line; | ||
43 | + int ret; | ||
44 | + | ||
45 | + // Reserve arbitrary amount of space to avoid small memory reallocations. | ||
46 | + line.reserve(128); | ||
47 | + | ||
48 | + do { | ||
49 | + char c; | ||
50 | + ret = recv(fd, &c, 1, 0); | ||
51 | + if (ret == 1) { | ||
52 | + if (c == '\n') | ||
53 | + return line; | ||
54 | + line += c; | ||
55 | + } | ||
56 | + } while (ret == 1 || (ret == -1 && errno == EINTR)); | ||
57 | + | ||
58 | + return line; | ||
59 | } | ||
60 | |||
61 | char* url::get_pac() { | ||
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb index 19dddebd44..a14c358cc2 100644 --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb | |||
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0" | |||
10 | 10 | ||
11 | SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \ | 11 | SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \ |
12 | file://0001-get-pac-test-Fix-build-with-clang-libc.patch \ | 12 | file://0001-get-pac-test-Fix-build-with-clang-libc.patch \ |
13 | file://CVE-2020-25219.patch \ | ||
13 | " | 14 | " |
14 | SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152" | 15 | SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152" |
15 | SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f" | 16 | SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f" |