summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-11-19 19:00:31 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-11-24 13:17:58 +0000
commitc0ca5c54fb41391068c1225aa6c8f925820aa002 (patch)
tree683c0c45ca851fb34e49f6ffb15e28f147411bd6 /meta/recipes-support
parent75997e9e80d8835b2b0bbfd6d223892cd47fb4ee (diff)
downloadpoky-c0ca5c54fb41391068c1225aa6c8f925820aa002.tar.gz
libproxy: fix CVE-2020-26154
(From OE-Core rev: 9b5ae61015637c1bf790a0700069da9e65bafefc) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support')
-rw-r--r--meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch98
-rw-r--r--meta/recipes-support/libproxy/libproxy_0.4.15.bb1
2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
new file mode 100644
index 0000000000..0ccb99da81
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,98 @@
1From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
2From: Fei Li <lifeibiren@gmail.com>
3Date: Fri, 17 Jul 2020 02:18:37 +0800
4Subject: [PATCH] Fix buffer overflow when PAC is enabled
5
6The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
7out to be the large PAC file (more than 102400 bytes) returned by a
8local proxy program with no content-length present.
9
10Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
11CVE: CVE-2020-26154
12Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
13
14---
15 libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
16 1 file changed, 31 insertions(+), 13 deletions(-)
17
18diff --git a/libproxy/url.cpp b/libproxy/url.cpp
19index ee776b2..8684086 100644
20--- a/libproxy/url.cpp
21+++ b/libproxy/url.cpp
22@@ -54,7 +54,7 @@ using namespace std;
23 #define PAC_MIME_TYPE_FB "text/plain"
24
25 // This is the maximum pac size (to avoid memory attacks)
26-#define PAC_MAX_SIZE 102400
27+#define PAC_MAX_SIZE 0x800000
28 // This is the default block size to use when receiving via HTTP
29 #define PAC_HTTP_BLOCK_SIZE 512
30
31@@ -478,15 +478,13 @@ char* url::get_pac() {
32 }
33
34 // Get content
35- unsigned int recvd = 0;
36- buffer = new char[PAC_MAX_SIZE];
37- memset(buffer, 0, PAC_MAX_SIZE);
38+ std::vector<char> dynamic_buffer;
39 do {
40 unsigned int chunk_length;
41
42 if (chunked) {
43 // Discard the empty line if we received a previous chunk
44- if (recvd > 0) recvline(sock);
45+ if (!dynamic_buffer.empty()) recvline(sock);
46
47 // Get the chunk-length line as an integer
48 if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
49@@ -498,21 +496,41 @@ char* url::get_pac() {
50
51 if (content_length >= PAC_MAX_SIZE) break;
52
53- while (content_length == 0 || recvd != content_length) {
54- int r = recv(sock, buffer + recvd,
55- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
56- : content_length - recvd, 0);
57+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
58+ // Calculate length to recv
59+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
60+ if (content_length > 0)
61+ length_to_read = content_length - dynamic_buffer.size();
62+
63+ // Prepare buffer
64+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
65+
66+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
67+
68+ // Shrink buffer to fit
69+ if (r >= 0)
70+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
71+
72+ // PAC size too large, discard
73+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
74+ chunked = false;
75+ dynamic_buffer.clear();
76+ break;
77+ }
78+
79 if (r <= 0) {
80 chunked = false;
81 break;
82 }
83- recvd += r;
84 }
85 } while (chunked);
86
87- if (content_length != 0 && string(buffer).size() != content_length) {
88- delete[] buffer;
89- buffer = NULL;
90+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
91+ buffer = new char[dynamic_buffer.size() + 1];
92+ if (!dynamic_buffer.empty()) {
93+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
94+ }
95+ buffer[dynamic_buffer.size()] = '\0';
96 }
97 }
98
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index a14c358cc2..6f704d7a91 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
11SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \ 11SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
12 file://0001-get-pac-test-Fix-build-with-clang-libc.patch \ 12 file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
13 file://CVE-2020-25219.patch \ 13 file://CVE-2020-25219.patch \
14 file://CVE-2020-26154.patch \
14 " 15 "
15SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152" 16SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
16SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f" 17SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"