2 files changed, 99 insertions, 0 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
new file mode 100644
index 0000000000..0ccb99da81
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,98 @@
+From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
+CVE: CVE-2020-26154
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 31 insertions(+), 13 deletions(-)
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..8684086 100644
+--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
+@@ -54,7 +54,7 @@ using namespace std;
+ #define PAC_MIME_TYPE_FB "text/plain"
+ 
+ // This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
+#define PAC_MAX_SIZE 0x800000
+ // This is the default block size to use when receiving via HTTP
+ #define PAC_HTTP_BLOCK_SIZE 512
+ 
+@@ -478,15 +478,13 @@ char* url::get_pac() {
+                }
+ 
+                // Get content
+-               unsigned int recvd = 0;
+-               buffer = new char[PAC_MAX_SIZE];
+-               memset(buffer, 0, PAC_MAX_SIZE);
+               std::vector<char> dynamic_buffer;
+                do {
+                        unsigned int chunk_length;
+ 
+                        if (chunked) {
+                                // Discard the empty line if we received a previous chunk
+-                               if (recvd > 0) recvline(sock);
+                               if (!dynamic_buffer.empty()) recvline(sock);
+ 
+                                // Get the chunk-length line as an integer
+                                if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -498,21 +496,41 @@ char* url::get_pac() {
+ 
+                        if (content_length >= PAC_MAX_SIZE) break;
+ 
+-                       while (content_length == 0 || recvd != content_length) {
+-                               int r = recv(sock, buffer + recvd,
+-                                            content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+-                                                                : content_length - recvd, 0);
+                       while (content_length == 0 || dynamic_buffer.size() != content_length) {
+                               // Calculate length to recv
+                               unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
+                               if (content_length > 0)
+                                       length_to_read = content_length - dynamic_buffer.size();
+
+                               // Prepare buffer
+                               dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
+
+                               int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
+
+                               // Shrink buffer to fit
+                               if (r >= 0)
+                                       dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
+
+                               // PAC size too large, discard
+                               if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
+                                       chunked = false;
+                                       dynamic_buffer.clear();
+                                       break;
+                               }
+
+                                if (r <= 0) {
+                                        chunked = false;
+                                        break;
+                                }
+-                               recvd += r;
+                        }
+                } while (chunked);
+ 
+-               if (content_length != 0 && string(buffer).size() != content_length) {
+-                       delete[] buffer;
+-                       buffer = NULL;
+               if (content_length == 0 || content_length == dynamic_buffer.size()) {
+                       buffer = new char[dynamic_buffer.size() + 1];
+                       if (!dynamic_buffer.empty()) {
+                               memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
+                       }
+                       buffer[dynamic_buffer.size()] = '\0';
+                }
+        }
+ 
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index a14c358cc2..6f704d7a91 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
           file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
           file://CVE-2020-25219.patch \
+           file://CVE-2020-26154.patch \
          "
 SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
 SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"

diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch new file mode 100644 index 0000000000..0ccb99da81 --- /dev/null +++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,98 @@
		1	From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
		2	From: Fei Li <lifeibiren@gmail.com>
		3	Date: Fri, 17 Jul 2020 02:18:37 +0800
		4	Subject: [PATCH] Fix buffer overflow when PAC is enabled
		5
		6	The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
		7	out to be the large PAC file (more than 102400 bytes) returned by a
		8	local proxy program with no content-length present.
		9
		10	Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
		11	CVE: CVE-2020-26154
		12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
		13
		14	---
		15	libproxy/url.cpp \| 44 +++++++++++++++++++++++++++++++-------------
		16	1 file changed, 31 insertions(+), 13 deletions(-)
		17
		18	diff --git a/libproxy/url.cpp b/libproxy/url.cpp
		19	index ee776b2..8684086 100644
		20	--- a/libproxy/url.cpp
		21	+++ b/libproxy/url.cpp
		22	@@ -54,7 +54,7 @@ using namespace std;
		23	#define PAC_MIME_TYPE_FB "text/plain"
		24
		25	// This is the maximum pac size (to avoid memory attacks)
		26	-#define PAC_MAX_SIZE 102400
		27	+#define PAC_MAX_SIZE 0x800000
		28	// This is the default block size to use when receiving via HTTP
		29	#define PAC_HTTP_BLOCK_SIZE 512
		30
		31	@@ -478,15 +478,13 @@ char* url::get_pac() {
		32	}
		33
		34	// Get content
		35	- unsigned int recvd = 0;
		36	- buffer = new char[PAC_MAX_SIZE];
		37	- memset(buffer, 0, PAC_MAX_SIZE);
		38	+ std::vector<char> dynamic_buffer;
		39	do {
		40	unsigned int chunk_length;
		41
		42	if (chunked) {
		43	// Discard the empty line if we received a previous chunk
		44	- if (recvd > 0) recvline(sock);
		45	+ if (!dynamic_buffer.empty()) recvline(sock);
		46
		47	// Get the chunk-length line as an integer
		48	if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 \|\| chunk_length == 0) break;
		49	@@ -498,21 +496,41 @@ char* url::get_pac() {
		50
		51	if (content_length >= PAC_MAX_SIZE) break;
		52
		53	- while (content_length == 0 \|\| recvd != content_length) {
		54	- int r = recv(sock, buffer + recvd,
		55	- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
		56	- : content_length - recvd, 0);
		57	+ while (content_length == 0 \|\| dynamic_buffer.size() != content_length) {
		58	+ // Calculate length to recv
		59	+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
		60	+ if (content_length > 0)
		61	+ length_to_read = content_length - dynamic_buffer.size();
		62	+
		63	+ // Prepare buffer
		64	+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
		65	+
		66	+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
		67	+
		68	+ // Shrink buffer to fit
		69	+ if (r >= 0)
		70	+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
		71	+
		72	+ // PAC size too large, discard
		73	+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
		74	+ chunked = false;
		75	+ dynamic_buffer.clear();
		76	+ break;
		77	+ }
		78	+
		79	if (r <= 0) {
		80	chunked = false;
		81	break;
		82	}
		83	- recvd += r;
		84	}
		85	} while (chunked);
		86
		87	- if (content_length != 0 && string(buffer).size() != content_length) {
		88	- delete[] buffer;
		89	- buffer = NULL;
		90	+ if (content_length == 0 \|\| content_length == dynamic_buffer.size()) {
		91	+ buffer = new char[dynamic_buffer.size() + 1];
		92	+ if (!dynamic_buffer.empty()) {
		93	+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
		94	+ }
		95	+ buffer[dynamic_buffer.size()] = '\0';
		96	}
		97	}
		98


diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb index a14c358cc2..6f704d7a91 100644 --- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb +++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
11	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \	11	SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
12	file://0001-get-pac-test-Fix-build-with-clang-libc.patch \	12	file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
13	file://CVE-2020-25219.patch \	13	file://CVE-2020-25219.patch \
		14	file://CVE-2020-26154.patch \
14	"	15	"
15	SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"	16	SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
16	SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"	17	SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"