Diffstat (limited to 'meta/recipes-support')
-rw-r--r-- | meta/recipes-support/libproxy/libproxy/0001-get-pac-test-Fix-build-with-clang-libc.patch | 31 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch | 61 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch | 98 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy_0.4.17.bb (renamed from meta/recipes-support/libproxy/libproxy_0.4.15.bb) | 9 |
4 files changed, 2 insertions, 197 deletions
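--- a/meta/recipes-support/libproxy/libproxy/0001-get-pac-test-Fix-build-with-clang-libc.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 2d73469c7a17ebfe4330ac6643b0c8abdc125d05 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 30 Jan 2019 09:29:44 -0800
-Subject: [PATCH] get-pac-test: Fix build with clang/libc++
-
-get-pac-test.cpp:55:10: error: assigning to 'int' from incompatible type '__bind<int &, sockaddr *, unsigned int>'
-ret = bind(m_sock, (sockaddr*)&addr, sizeof (struct sockaddr_in)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Upstream-Status: Submitted [https://github.com/libproxy/libproxy/pull/97]
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-libproxy/test/get-pac-test.cpp | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libproxy/test/get-pac-test.cpp b/libproxy/test/get-pac-test.cpp
-index 0059dfb..911f296 100644
---- a/libproxy/test/get-pac-test.cpp
-+++ b/libproxy/test/get-pac-test.cpp
-@@ -52,7 +52,7 @@ class TestServer {
-
-setsockopt(m_sock, SOL_SOCKET, SO_REUSEADDR, &i, sizeof(i));
-
-- ret = bind(m_sock, (sockaddr*)&addr, sizeof (struct sockaddr_in));
-+ ret = ::bind(m_sock, (sockaddr*)&addr, sizeof (struct sockaddr_in));
-assert(!ret);
-
-ret = listen(m_sock, 1);
---
-2.20.1
-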
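--- a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@gnome.org>
-Date: Wed, 9 Sep 2020 11:12:02 -0500
-Subject: [PATCH] Rewrite url::recvline to be nonrecursive
-
-This function processes network input. It's semi-trusted, because the
-PAC ought to be trusted. But we still shouldn't allow it to control how
-far we recurse. A malicious PAC can cause us to overflow the stack by
-sending a sufficiently-long line without any '\n' character.
-
-Also, this function failed to properly handle EINTR, so let's fix that
-too, for good measure.
-
-Fixes #134
-
-Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
-CVE: CVE-2020-25219
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
-libproxy/url.cpp | 28 ++++++++++++++++++----------
-1 file changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/libproxy/url.cpp b/libproxy/url.cpp
-index ee776b2..68d69cd 100644
---- a/libproxy/url.cpp
-+++ b/libproxy/url.cpp
-@@ -388,16 +388,24 @@ string url::to_string() const {
-return m_orig;
-}
-
--static inline string recvline(int fd) {
-- // Read a character.
-- // If we don't get a character, return empty string.
-- // If we are at the end of the line, return empty string.
-- char c = '\0';
--
-- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
-- return "";
--
-- return string(1, c) + recvline(fd);
-+static string recvline(int fd) {
-+ string line;
-+ int ret;
-+
-+ // Reserve arbitrary amount of space to avoid small memory reallocations.
-+ line.reserve(128);
-+
-+ do {
-+ char c;
-+ ret = recv(fd, &c, 1, 0);
-+ if (ret == 1) {
-+ if (c == '\n')
-+ return line;
-+ line += c;
-+ }
-+ } while (ret == 1 || (ret == -1 && errno == EINTR));
-+
-+ return line;
-}
-
-char* url::get_pac() {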
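--- a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
-From: Fei Li <lifeibiren@gmail.com>
-Date: Fri, 17 Jul 2020 02:18:37 +0800
-Subject: [PATCH] Fix buffer overflow when PAC is enabled
-
-The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
-out to be the large PAC file (more than 102400 bytes) returned by a
-local proxy program with no content-length present.
-
-Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
-CVE: CVE-2020-26154
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
-libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
-1 file changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/libproxy/url.cpp b/libproxy/url.cpp
-index ee776b2..8684086 100644
---- a/libproxy/url.cpp
-+++ b/libproxy/url.cpp
-@@ -54,7 +54,7 @@ using namespace std;
-#define PAC_MIME_TYPE_FB "text/plain"
-
-// This is the maximum pac size (to avoid memory attacks)
--#define PAC_MAX_SIZE 102400
-+#define PAC_MAX_SIZE 0x800000
-// This is the default block size to use when receiving via HTTP
-#define PAC_HTTP_BLOCK_SIZE 512
-
-@@ -478,15 +478,13 @@ char* url::get_pac() {
-}
-
-// Get content
-- unsigned int recvd = 0;
-- buffer = new char[PAC_MAX_SIZE];
-- memset(buffer, 0, PAC_MAX_SIZE);
-+ std::vector<char> dynamic_buffer;
-do {
-unsigned int chunk_length;
-
-if (chunked) {
-// Discard the empty line if we received a previous chunk
-- if (recvd > 0) recvline(sock);
-+ if (!dynamic_buffer.empty()) recvline(sock);
-
-// Get the chunk-length line as an integer
-if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
-@@ -498,21 +496,41 @@ char* url::get_pac() {
-
-if (content_length >= PAC_MAX_SIZE) break;
-
-- while (content_length == 0 || recvd != content_length) {
-- int r = recv(sock, buffer + recvd,
-- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
-- : content_length - recvd, 0);
-+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
-+ // Calculate length to recv
-+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
-+ if (content_length > 0)
-+ length_to_read = content_length - dynamic_buffer.size();
-+
-+ // Prepare buffer
-+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
-+
-+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
-+
-+ // Shrink buffer to fit
-+ if (r >= 0)
-+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
-+
-+ // PAC size too large, discard
-+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
-+ chunked = false;
-+ dynamic_buffer.clear();
-+ break;
-+ }
-+
-if (r <= 0) {
-chunked = false;
-break;
-}
-- recvd += r;
-}
-} while (chunked);
-
-- if (content_length != 0 && string(buffer).size() != content_length) {
-- delete[] buffer;
-- buffer = NULL;
-+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
-+ buffer = new char[dynamic_buffer.size() + 1];
-+ if (!dynamic_buffer.empty()) {
-+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
-+ }
-+ buffer[dynamic_buffer.size()] = '\0';
-}
-}
-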
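--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.17.bb
@@ -8,13 +8,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \
 
 DEPENDS = "glib-2.0"
 
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
-file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
-file://CVE-2020-25219.patch \
-file://CVE-2020-26154.patch \
-"
-SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
-SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz"
+SRC_URI[sha256sum] = "bc89f842f654ee1985a31c0ba56dc7e2ce8044a0264ddca84e650f46cd7f8b05"
 
 UPSTREAM_CHECK_URI = "https://github.com/libproxy/libproxy/releases"
 UPSTREAM_CHECK_REGEX = "libproxy-(?P<pver>.*)\.tar"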
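Review bot: The new `SRC_URI` drops `file://CVE-2020-25219.patch` and `file://CVE-2020-26154.patch`, and nothing visible on this page records that the 0.4.17 tarball already contains those two fixes. Both removed patch headers name the upstream commits they backport (`836c10b6` for the non-recursive `recvline`, `6d342b50` for the PAC receive buffer), so the commit message should say so explicitly, for example `Drop CVE-2020-25219.patch and CVE-2020-26154.patch: backports, included in 0.4.17`. The third dropped entry, `0001-get-pac-test-Fix-build-with-clang-libc.patch`, was only marked `Upstream-Status: Submitted`, so it is worth confirming that the `::bind` change was merged, otherwise clang/libc++ builds would presumably fail again. The commit description is outside this view and may already cover this.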